[c-nsp] another tac_plus question regarding PIX firewalls

Yuri Bank yuribank at gmail.com
Tue Apr 6 01:59:07 EDT 2010


Increase the logging verbosity in tac_plus and set the lowest level
debugging for tacacs on your PIX.
Do the same on your ASA. It would be good to compare how these
authentication requests differ. You might need to make some modifications in
your tac_plus.conf to get this to work. ( It seems like the PIX is using an
older version of the protocol, can you upgrade the image on it?)

Try adding this to your config. This will set the enable password for a
user/group without a unique enable password defined. Create a user without a
unique enable password to test this.

user = $enable$ {
        login = cleartext "cisco123"
        }


On Mon, Apr 5, 2010 at 6:38 PM, Erik Witkop <ewitkop at gmail.com> wrote:

> So I am trying to setup AAA on some PIX firewalls and some ASA firewalls.
>
> On my ASA firewalls running 8.x, the AAA with tacacs+ works great. Here is
> my ASA config:
>
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ (outside) host 216.x.x.x
> aaa authentication ssh console TACACS+ LOCAL
> aaa authentication enable console TACACS+ LOCAL
> aaa authorization command TACACS+ LOCAL
> aaa accounting command TACACS+
> aaa accounting enable console TACACS+
> aaa accounting ssh console TACACS+
> aaa authorization exec authentication-server
>
> The above all works great.
>
> But here is my config on my  515 PIX running 6.3(3):
>
> test-AAA-pix(config)# sho run | inc aaa
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ (outside) host 216.x.x.x timeout 10
> aaa-server LOCAL protocol local
> aaa authentication ssh console TACACS+
> aaa authentication enable console TACACS+   <-- this line is the problem.
> But why?
> (I can't turn on authorization until I get the line above working)
>
>
> SSH authentication works fine. But when I type 'enable' and then the enable
> password, the tac_plus server is sending back a FAIL message. Yet the same
> firewall commands and tac_plus configs work fine on the ASA. Why?
>
> Here is the debug:
>
> 202:  Tacacs packet sent
> 203: Sending TACACS Start message. Session id: 1590929404l, seq no:1
> 204: Recevied TACACS packet. Session id:4238857054l  seq no:2
> 205: tacp_procpkt_authen: GETPASS
> 206: Authen Message: Password:
> 207: mk_pkt - type: 0x1, session_id: 208: mkpkt_continue - response:(this
> is the enable password on the firewall. I removed it from the debug)
> 209:  Tacacs packet sent
> 210: Sending TACACS Start message. Session id: 1590929404l, seq no:2
> 211: Recevied TACACS packet. Session id:4238857054l  seq no:4
> 212: tacp_procpkt_authen: FAIL
> 213: TACACS Session finished. Session id: 1590929404l, seq no: 4
>
> tac_plus logs show nothing.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


More information about the cisco-nsp mailing list