[c-nsp] PIX access
Michael K. Smith
mksmith at adhost.com
Wed Sep 27 03:06:52 EDT 2006
Hello Alban:
On Sep 22, 2006, at 1:44 PM, Alban Dani wrote:
> But why does everything work fine when I ssh into the IP of the box?
> I use the same user account and tacacs server for that purpose.
> Or am I wrong?
>
> thank you,
>
> Alban
>
> On 9/22/06, Jeff Calvert <jcalvert at cyrusone.com> wrote:
>>
>> Your issue is command authorization. The credentials you're using are
>> not allowed to run the "enable" command. You'll have to block access to
>> the tacacs server, log in using local credentials and remove the line "aaa
>> authorization command TACACS+ LOCAL".
>>
>> Jeff Calvert
>> Network Administrator
>>
>>
>> E: jcalvert at cyrusone.com
>> W: www.cyrusone.com
>>
If you haven't specified the appropriate exec levels in your ACS then
you will be able to log in, but you won't be able to do anything. Your
PIX config looks just fine so it's definitely a config issue on the
ACS. When you configure the user or group in ACS make sure you have
given the correct permissions (Exec Level 15) under "TACACS+ Enable
Control" and check "shell exec" and "Privilege level (15)" under
"TACACS+ Settings".
Regards,
Mike
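Added example, not from the thread or from either poster: the PIX 7.x-style aaa configuration the discussion refers to, with a local fallback account so that an ACS misconfiguration like the one above does not lock you out. The server tag, address, key, interface name and username are constructed placeholders.

```cisco
! Define the TACACS+ server group (tag and host are placeholders)
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (inside) host 10.0.0.5
 key <tacacs-shared-secret>
!
! Login, enable and command authorization all go to ACS first and
! fall back to the local user database only if ACS is unreachable
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
aaa authorization command ACS-TACACS LOCAL
!
! Local privilege-15 account used only when the fallback is active
username fallback-admin password <strong-local-password> privilege 15
```

The LOCAL keyword is a fallback for an unreachable server, not for a server that answers with a deny: a reachable ACS that has no exec level 15 for the user still rejects "enable", which is why Jeff's workaround blocks access to the TACACS+ server before logging in with local credentials.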