[c-nsp] another tac_plus question regarding PIX firewalls

Erik Witkop ewitkop at gmail.com
Mon Apr 5 21:38:08 EDT 2010


So I am trying to setup AAA on some PIX firewalls and some ASA firewalls.

On my ASA firewalls running 8.x, the AAA with tacacs+ works great. Here 
is my ASA config:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 216.x.x.x
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa authorization exec authentication-server

The above all works great.

But here is my config on my PIX 515 running 6.3(3):

test-AAA-pix(config)# sho run | inc aaa
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 216.x.x.x timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+   <-- this line is the problem. But why?
(I can't turn on authorization until I get the line above working)


SSH authentication works fine. But when I type 'enable' and then the 
enable password, the tac_plus server is sending back a FAIL message. Yet 
the same firewall commands and tac_plus configs work fine on the ASA. Why?

Here is the debug:

202:  Tacacs packet sent
203: Sending TACACS Start message. Session id: 1590929404l, seq no:1
204: Recevied TACACS packet. Session id:4238857054l  seq no:2
205: tacp_procpkt_authen: GETPASS
206: Authen Message: Password:
207: mk_pkt - type: 0x1, session_id:
208: mkpkt_continue - response: (this is the enable password on the firewall. I removed it from the debug)
209:  Tacacs packet sent
210: Sending TACACS Start message. Session id: 1590929404l, seq no:2
211: Recevied TACACS packet. Session id:4238857054l  seq no:4
212: tacp_procpkt_authen: FAIL
213: TACACS Session finished. Session id: 1590929404l, seq no: 4

tac_plus logs show nothing.
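The START / GETPASS / CONTINUE / FAIL sequence in the debug above is the TACACS+ ASCII authentication exchange from RFC 8907. The following is an added example, not part of the original post and not tac_plus or PIX code: a small Python model of both sides of that exchange, including the MD5 pseudo-pad body obfuscation, a client START that marks an enable request with authen_service=ENABLE and priv_lvl 15, and a server that, like tac_plus's separate per-user `enable` password entry (an assumption about the server being modelled, not something the debug shows), checks an enable request only against the user's enable password and fails a user who has none. The user database, shared key, port and remote address are constructed sample data. The debug output does not show what the PIX puts in its START body, so the example does not claim to diagnose that failure; it shows what a server sees once the START and CONTINUE bodies are decoded.

```python
"""Model of a TACACS+ (RFC 8907) ASCII login/enable authentication exchange."""
import hashlib
import hmac
import os
import struct

# Header and body constants from RFC 8907.
VERSION = 0xC0               # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01
ACTION_LOGIN = 0x01
AUTHEN_TYPE_ASCII = 0x01
SVC_LOGIN, SVC_ENABLE = 0x01, 0x02
PASS, FAIL, GETPASS = 0x01, 0x02, 0x05
STATUS_NAMES = {PASS: "PASS", FAIL: "FAIL", GETPASS: "GETPASS"}

# Constructed sample user database (assumption, not a tac_plus config file):
# as in tac_plus, a user may carry a login password and a separate enable password.
USERS = {
    b"ewitkop": {"login": b"login-secret", "enable": b"enable-secret"},
    b"noenable": {"login": b"login-only"},
}
KEY = b"shared-tacacs-key"   # constructed shared secret


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream from RFC 8907 section 4.5; XORed over the packet body."""
    pad, prev = b"", b""
    while len(pad) < length:
        seed = struct.pack(">I", session_id) + key + bytes([version, seq_no]) + prev
        prev = hashlib.md5(seed).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; the same call both obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack(session_id, seq_no, body, key):
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    enc = obfuscate(body, session_id, key, VERSION, seq_no)
    return struct.pack(">BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(enc)) + enc


def unpack(pkt, key):
    """Return (session_id, seq_no, cleartext body); a wrong key yields an undecodable body."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack(">BBBBII", pkt[:12])
    return session_id, seq_no, obfuscate(pkt[12:12 + length], session_id, key, version, seq_no)


def authen_start(user, service, port=b"ssh", rem_addr=b"10.0.0.5"):
    """Client START: an enable request carries authen_service=ENABLE and priv_lvl 15."""
    priv_lvl = 15 if service == SVC_ENABLE else 1
    hdr = struct.pack(">BBBBBBBB", ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, service,
                      len(user), len(port), len(rem_addr), 0)
    return hdr + user + port + rem_addr


def authen_continue(user_msg):
    """Client CONTINUE carrying the typed password (the 'mkpkt_continue' step in the debug)."""
    return struct.pack(">HHB", len(user_msg), 0, 0) + user_msg


def reply(status, server_msg=b""):
    """Server REPLY: status, flags, server_msg_len, data_len, server_msg."""
    return struct.pack(">BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack(">BBHH", body[:6])
    return status, body[6:6 + msg_len]


def server_decide(start_body, continue_body, users):
    """Server side. Assumption (modelled on tac_plus): an ENABLE request is checked only
    against the user's enable password, so a user without one gets FAIL."""
    _act, _priv, _atype, service, ulen, *_ = struct.unpack(">BBBBBBBB", start_body[:8])
    user = start_body[8:8 + ulen]
    pw_len = struct.unpack(">H", continue_body[:2])[0]
    password = continue_body[5:5 + pw_len]
    expected = users.get(user, {}).get("enable" if service == SVC_ENABLE else "login")
    if expected is None or not hmac.compare_digest(expected, password):
        return reply(FAIL)
    return reply(PASS)


def run_exchange(user, service, password, key=KEY, users=USERS):
    """Drive START -> GETPASS -> CONTINUE -> PASS/FAIL; returns (final status, transcript).
    Sequence numbers follow RFC 8907: client packets odd, server packets even."""
    sid = int.from_bytes(os.urandom(4), "big")
    transcript = []
    _, seq, start_body = unpack(pack(sid, 1, authen_start(user, service), key), key)
    transcript.append(("client->server", seq, "START"))
    _, seq, body = unpack(pack(sid, 2, reply(GETPASS, b"Password: "), key), key)
    transcript.append(("server->client", seq, STATUS_NAMES[parse_reply(body)[0]]))
    _, seq, cont_body = unpack(pack(sid, 3, authen_continue(password), key), key)
    transcript.append(("client->server", seq, "CONTINUE"))
    _, seq, body = unpack(pack(sid, 4, server_decide(start_body, cont_body, users), key), key)
    status = STATUS_NAMES[parse_reply(body)[0]]
    transcript.append(("server->client", seq, status))
    return status, transcript


if __name__ == "__main__":
    for svc, pw in ((SVC_LOGIN, b"login-secret"), (SVC_ENABLE, b"login-secret"),
                    (SVC_ENABLE, b"enable-secret")):
        print(svc, pw, run_exchange(b"ewitkop", svc, pw))
```

Running the block shows a login request passing with the login password, an enable request failing with that same password, and passing only with the enable password; the transcript carries the seq numbers 1 to 4 of the four packets. Decoding a captured packet with a key other than the one it was obfuscated with gives an unparsable body, which is what a shared-key mismatch between a firewall and a TACACS+ server looks like on the wire.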

