[c-nsp] PIX access

Alban Dani albcisco at gmail.com
Fri Sep 22 16:44:22 EDT 2006


But why does everything work fine when I ssh into the IP of the box?
I use the same user account and tacacs server for that purpose.
Or am I wrong?

thank you,

Alban

On 9/22/06, Jeff Calvert <jcalvert at cyrusone.com> wrote:
>
> Your issue is command authorization.  The credentials you're using are not
> allowed to run the "enable" command.  You'll have to block access to the
> tacacs server, login using local credentials and remove the line "aaa
> authorization command TACACS+ LOCAL".
>
> Jeff Calvert
> Network Administrator
>
>
> E: jcalvert at cyrusone.com
> W: www.cyrusone.com
>
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alban Dani
> Posted At: Friday, September 22, 2006 3:09 PM
> Posted To: Cisco-nsp
> Conversation: [c-nsp] PIX access
> Subject: [c-nsp] PIX access
>
>
> I was handed over our DR site yesterday and there is a PIX 515 installed
> there.
> I switched it so it points to our tacacs+ server.
>
> While I can ssh to its network interface I keep failing the console
> login!!!
>
> here is the output:
>
> DR-TERMSERVER#pix515
> Trying pix515 (10.1.1.1, 2036)... Open
>
>
> User Access Verification
>
> Username: admin
> Password:
> Password: ********
> Username: admin
> Password: *******
> Access denied.
> DR.PIX515> en
> Username: admin
> Password: *******
> Username: admin
> Password: *******
> Username: admin
> Password: *******
> Access denied.
> DR.PIX515> en
>
> My aaa config is:
>
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server TACACS+ (VPNDMZ) host R-UTIL1 key timeout 5
> aaa-server TACACS+ (VPNDMZ) host V-MON1 key  timeout 5
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> aaa authentication secure-http-client
> aaa authentication ssh console TACACS+ LOCAL
> aaa authentication http console TACACS+ LOCAL
> aaa authentication enable console TACACS+ LOCAL
> aaa authorization command TACACS+ LOCAL
>
> What am I missing?
> Does tacacs+ have a problem with the pix (the consultants were using
> ACS)?
>
> thank you ,
> Alban
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
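The posted config protects some management paths with AAA and leaves others to the firewall's own defaults, and Jeff's recovery advice (block the TACACS+ server so the LOCAL fallback takes over) only works on lines that actually carry the LOCAL keyword. The checker below, an added example that is not code from this thread or from Cisco, parses "aaa authentication <method> console <group> [LOCAL]" and "aaa authorization command <group> [LOCAL]" lines and reports which login paths are covered, which are not, and where no LOCAL fallback exists. The list of access methods and the regexes are assumptions of this example; SAMPLE_CONFIG is copied from Alban's post.

```python
"""Audit PIX/ASA-style AAA lines for management-access coverage and LOCAL fallback.

Added example for this thread; not from the original post or from Cisco.
Assumptions: the five method names below are the login paths an
"aaa authentication <method> console" line can cover, and lines are parsed
by the simple regexes here (no attempt to handle every PIX syntax variant).
"""
import re

# Management login paths this checker expects to see protected (assumed list).
ACCESS_METHODS = ("serial", "ssh", "telnet", "http", "enable")

_AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")
_AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)(?: (LOCAL))?$")

# Config as posted in the thread (key values were already absent in the post).
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (VPNDMZ) host R-UTIL1 key timeout 5
aaa-server TACACS+ (VPNDMZ) host V-MON1 key  timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication secure-http-client
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
"""


def parse_aaa(config):
    """Return ({method: {"group", "local_fallback"}}, command-authorization setting or None)."""
    auth = {}
    authz = None
    for raw in config.splitlines():
        line = raw.strip()
        m = _AUTH_RE.match(line)
        if m:
            method, group, fallback = m.groups()
            auth[method] = {"group": group, "local_fallback": fallback is not None}
            continue
        m = _AUTHZ_RE.match(line)
        if m:
            group, fallback = m.groups()
            authz = {"group": group, "local_fallback": fallback is not None}
    return auth, authz


def audit(config):
    """Summarise covered paths, uncovered paths, and lines with no LOCAL fallback."""
    auth, authz = parse_aaa(config)
    return {
        "covered": sorted(auth),
        "uncovered": [m for m in ACCESS_METHODS if m not in auth],
        "no_local_fallback": sorted(m for m, v in auth.items() if not v["local_fallback"]),
        "command_authorization": authz,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the posted config this reports ssh, http and enable as covered, serial and telnet as not covered by an "aaa authentication ... console" line, every AAA line carrying a LOCAL fallback, and command authorization pointed at TACACS+ with LOCAL fallback. The fallback matters for recovery because it only applies when the server group is unreachable, which is exactly the condition Jeff proposes creating; a line without LOCAL would leave no such escape hatch.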

