[c-nsp] TACACS auth on PIX

mikus der.mikus at gmail.com
Fri Oct 1 00:30:08 EDT 2004


  As far as I know, you can't configure pixen for authentication
backup methods as you do in ios.  It's a real PITA, but something I
believe is still fact.  If the tacacs server is unavailable, the only
thing you can do is leave console as local, or open your other remote
telnet/ssh vty with local auth and lock it down to a *secure* ip as a
filthy hack.  I'd prefer if I at least had an option for local auth,
but cisco chooses not to extend its basic aaa functionality on the
pix.  Feature request!

  Aside from that, it's fairly easy:

aaa-server your_acs protocol tacacs+
aaa-server your_acs (internal) host changeme_pass timeout 5
aaa-server your_acs (transit) host changeme_pass timeout 5
aaa authentication serial console LOCAL
aaa authentication ssh console your_acs
aaa authentication http console your_acs


On Fri, 1 Oct 2004 09:20:40 +0530, Prit Patel <shahtejal at gmail.com> wrote:
> Hello All,
> How can i configure TACACS authentication on PIX 525 ?
> And if TACACS server is not available then it should able to
> authenticate locally.
> Regards
> Shah
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list