[c-nsp] TACACS+ and PIX
Brian Feeny
signal at shreve.net
Thu Dec 16 23:33:22 EST 2004
I did read about that.
But regardless, it would be nice if I could figure out how to do AAA
enable auth for the PIX to a TACACS+ server. Anyone know how to do
this?
Brian
On Dec 16, 2004, at 6:56 PM, Brant I. Stevens wrote:
> Using AAA authentication for the enable password is fine, until the
> TACACS server is down, and you need to get in via the console server.
> Supposedly, this issue is fixed in 6.3.4, but I've never tested it, nor
> did I mess around with the command authorization.
>
> I would definitely stick to the "shared" enable password for just such
> an occasion.
>
>
> On 12/16/2004 07:23 PM, "Brian Feeny" <signal at shreve.net> wrote:
>
>>
>> I have not done TACACS+ with the PIX, and tried to bring up a PIX
>> today and was not able to enable using TACACS+. I am using a free
>> TACACS+ server:
>>
>> On the PIX:
>>
>> aaa-server tacserver protocol tacacs+
>> aaa-server tacserver max-failed-attempts 3
>> aaa-server tacserver deadtime 10
>> aaa-server tacserver (outside) host x.x.x.x somekey timeout 10
>> aaa authentication ssh console tacserver
>> aaa authentication enable console tacserver
>>
>> On the TACACS+ Server:
>>
>> host = x.x.x.x {
>> key = somekey
>> type = cisco
>> enable = cleartext somesecret
>> }
>>
>>
>> Usernames authenticate fine; it's just enable that isn't working. I set
>> up host clauses like the above on TACACS+ servers for switches and
>> routers, all just like that, and they never have a problem, so I was
>> wondering if the PIX has to be set up differently. The "good"
>> documentation on the free TACACS+ servers is pretty lacking.
>>
>> It's almost like the PIX doesn't do host-based enabling via TACACS+ but
>> wants to do it at the username level. If so, perhaps there is a way to
>> set an enable password, or a second password, on a user clause?
>>
>> Appreciate any help,
>>
>> Brian
>>
>> ---------------------------------------------
>> Brian Feeny, CCIE #8036, CISSP
>> Network Engineer
>> ShreveNet Inc.
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
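The open question in this thread is what the PIX actually puts in the TACACS+ request when you type enable: the username, the privilege level it asks for, and the authentication service. The quickest way to settle that is to look at the authentication START packet the firewall sends. The script below is an added example (not from the thread, and not from any TACACS+ server's own code): it implements the TACACS+ header, the MD5 keystream body obfuscation and the authentication START layout from the TACACS+ protocol specification (draft-grant-tacacs-02, later RFC 8907), so you can paste the bytes of a captured START together with the shared key and read the fields. The sample packet it builds is constructed here; the values it carries (username "brian", port "ssh", client 192.0.2.10, privilege level 15, service enable) are assumptions for illustration, not what a PIX was observed to send. Note that the body is only XORed with an MD5 keystream derived from the shared key, so anyone holding a capture and the key can read every username in it, which is one reason the key and the management path deserve the same care as the passwords themselves.

```python
"""Decode a TACACS+ authentication START to see what a client (e.g. a PIX)
actually sends for 'enable': username, requested privilege level, service.

Added example, not from the thread. Packet layout per the TACACS+ spec
(draft-grant-tacacs-02 / RFC 8907); the sample packet below is constructed."""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01            # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02
TAC_PLUS_PRIV_LVL_MAX = 15

# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream for body obfuscation: chained MD5 over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate (same operation) a packet body with the shared key."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, priv_lvl, service, version=0xC0):
    """Client side: an ASCII-login authentication START (seq_no 1), body obfuscated with key."""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       service, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, 1)


def parse_authen_start(packet, key):
    """Server side: return the START fields, or ValueError if it is not a sane START.
    A wrong shared key shows up here as a body whose length fields do not add up."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("not an authentication START")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack_from("!8B", body)
    if action != TAC_PLUS_AUTHEN_LOGIN or 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("body does not decode as a START: wrong key or malformed packet")
    off, fields = 8, []
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"version": version, "session_id": session_id, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service, "user": user,
            "port": port, "rem_addr": rem_addr, "data": data}


def key_matches(packet, key):
    """True if the body decodes consistently under key (quick shared-secret check)."""
    try:
        parse_authen_start(packet, key)
        return True
    except ValueError:
        return False


# Constructed sample (values assumed, not captured): an enable request from a
# firewall at 192.0.2.10 carrying the operator's username and asking for priv 15.
SHARED_KEY = b"somekey"
SAMPLE = build_authen_start(0x1234ABCD, SHARED_KEY, b"brian", b"ssh", b"192.0.2.10",
                            TAC_PLUS_PRIV_LVL_MAX, TAC_PLUS_AUTHEN_SVC_ENABLE)


def demo():
    """Decode the constructed sample with the right key."""
    return parse_authen_start(SAMPLE, SHARED_KEY)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} {v!r}")
```

To use it on a real session, take the first TACACS+ packet (seq_no 1) the firewall sends after you type enable, pass its raw bytes and the configured key to parse_authen_start, and look at user, priv_lvl and service. If user is empty, the server has nothing to match a user clause against and must answer from a host-level or enable-level secret; if it carries the login name, the server needs a password on that user (or a privilege-15 entry) rather than a host-level enable line. key_matches is a cheap way to confirm the shared secret on both ends is really the same before chasing anything else.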