AAA commands on PIX

Similar Messages

• Aaa authorization commands for pix 535

  Hi ,
  Can you provide aaa authorization commands for pix 535
  Sanjay Nalawade.

  Hi,
  Please find the AAA config for PIX.
  aaa-server TACACS+ protocol tacacs+
  max-failed-attempts 5
  aaa-server TACACS+ (ExranetFW-In) host
  timeout 5
  key ********
  aaa authentication enable console TACACS+ LOCAL
  aaa authentication serial console TACACS+ LOCAL
  aaa authentication http console TACACS+ LOCAL
  aaa authentication ssh console TACACS+ LOCAL
  aaa authorization command LOCAL
  aaa accounting command privilege 15 TACACS+
  aaa authorization exec authentication-server
  Karuppuchamy

• AAA config for PIX

  Hello folks!!!
  In my PIX 515E I hv configured AAA configuration(tacacs+) & hv also configured serial console authentication as "local" & telnet console authentication from tacacs+ server.Apart from this I hv also configured authorization as "tacacs+" server.Now if AAA server is not available Iam able to go in to user mode with the "enable pwd" set in PIX but if I try to go into enable mode it gives error msg "AAA command authorization failed" since it looks for AAA server for authorization & that is not available.Is there a way by which I can overcome this by configuring "local" authorization as a fallback incase the AAA server is not available
  Cheers
  SS

  You can add a command like this
  aaa authentication login default tacacs local
  aaa authentication login CONSOLE local
  So if Tacacs fail local will take over.
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093c81.shtml#login_auth

• AAA command authorization in ACE

  How do we enable AAA command authorization in the ACE module on 6500 switch.i dont find any aaa authorization commands in it .
  Kind regards
  Ullas

  Hi,
  See the ACE Security Guide - Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. It sounds like you're being put into Network-Monitor role by default. Quote from the manual:
  "The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."
  There are postings in this and other Cisco fora about exactly how to set these values (which depends on your RADIUS server implementation).
  HTH
  Cathy

• Lost Enable Prompt access post configuring aaa commands

  Can any one suggest how to login back to enable prompt on my device ?
  I have done the Tacacs Configuration through adding aaa commands &
  As a Post Result, Tacacs is successfully configured & I am able to login with my rsa token
  but Unfortunately I have lost the enable access, unable to enter into privilige mode, However I was able to login to Privilige mode before adding aaa commands
  through admin. Currently Below error is showing on my screen
  SWITCH>en
  Password:
  % Error in authentication

  Which AAA commands did you apply? Did you try the same password as the one for your user that you are logging in with? If there is local enable you could disable access to TACACS to fall back to it and correct the configuration.
  This could be achieved by using ACL to filter TACACS from this device on an upstream host or removing this host temporarily from your ACS/TACACS server so it gets no reply back. It should then fall back to local accounts if you have configured that.
  Daniel Dib
  CCIE #37149
  Please rate helpful posts.

• Enabling aaa authorization on pix/asa

  I managed to get authentication on easy enough but now am having difficulty getting authorization to work properly. I have auth/author turned on for my IOS stuff so any techs logged in will have rights based on what I give them on secure ACS. However I can't get the same to work on PIX code. I can log in fine with aa authentication but it still prompts me for the enable password. End result is I want to be able to login just once (and enabled). Any white papers that can point me the right way?

  Thank you, Prem. here is my concern. When I enable AAA access on the firewalls, from what you said there is no way for me to govern what rights a tech has when accessing the device? I want to establish the same restrictions as the IOS gear I have where normal techs will only have certain commands and others have full command. The way it is now, anyone with an account on Secure ACS can access it via ASDM.
  EDIT:
  Also I'm a little confused about the various fields on the AAA Access (from Device Access) tab. In Authentication, there is an option to toggle to require auth to be able to use enable mode. I am not sure how this auth against our ACS server (i checked the various settings in ACS and enabled what I think are all PIX commands to permit enable) and it doesn't work. I entere the enable password when I telnet in and I get auth failed when running any commands.
  Also there is an Authorization tab which I am assuming allows to you to push down rights from an aaa server? Where on the ACS can I configure that?

• AAA Authorization on PIX

  I have set up authentication and Authorization on the PIX. Authentication works but Authorization fails. I try to debug but nothing shows up (on PIX or ACS), but it does if I debug Authentication

  Make sure you have enable authentication ,
  aaa authentication ssh console TACACS LOCAL
  aaa authentication telnet console TACACS LOCAL
  aaa authentication enable console TACACS LOCAL
  aaa authorization command TACACS LOCAL
  Incase it does not work pls get aaa config
  Regards,
  ~JG
  Do rate helpful posts

• Static command in PIX

  Guys
  we have a firewall (pix)  which has a DMZ (name 777) and ofcourse internal and external interface there is a command which is as under but i am bit confuse abt it
  static (DMZ777,inside) tcp 10.22.1.5 ssh 10.22.1.5 20022 netmask 255.255.255.255
  what does this command means i am confise abt SSH and 20022 is it a NAT or routing command
  Thanks for looking

  Hi,
  The above configuration line is a NAT configuration line
  And more specifically a Static PAT configuration
  static (DMZ777,inside) tcp 10.22.1.5 ssh 10.22.1.5 20022 netmask 255.255.255.255
  The above configuration would seem to point that there is ahost 10.22.1.5 on the DMZ for which IP address NO NAT is done but the TCP Port is manipulated. When connecting from "inside" to "DMZ777" to IP 10.22.1.5 with destination port TCP/22, the connection will actually be forwarded to TCP port TCP/20022
  - Jouni

• ASDM (ASA9.1) won't fully initiated when configured AAA command authorization

  ASA doesn't have any local account, all authentications is done via AAA.
  On AAA, we have two "groups" both assigned to privilege_15, one group (A) can issue all commands, another group (B) only can issue command sets we defined.
  Group A can login to ASDM without any problems.
  Group B can pass the login pop up, then start to load ASDM window, at the bottom it does show login user has privilede 15, then it's stopped at "parsing running configuration..." asd login screen pops up again, and I cannot pass it.
  I suspect it's somewhere in permisssion, can someone help? thanks.
  Leo Song

  Hello,
  There are some commands that are required in order to load the ASDM
  privilege show level 3 mode exec command logging
  privilege show level 3 mode exec command blocks
  Make sure you have them
  Looking for some Networking Assistance? 
  Contact me directly at [email protected]
  I will fix your problem ASAP.
  Cheers,
  Julio Carvajal Segura
  http://laguiadelnetworking.com

• AAA command authorization ASA

  I have aaa authentication working on my ASA with no problem. I have command authorization working for my account on all my IOS devices with TACACS+ and a Cisco ACS. I can not get command authorization to work on the ASA. Every time I enter the 'aaa authorization command CSACS-TACACS+' the system will not let me do anything else and gives me a user not authroized and the ACS shows no log of this request. I then have to reboot the ASA to get back in.
  Current commands
  aaa authentication ssh console CSACS-TACACS+
  aaa authentication http console CSACS-TACACS+
  Entered commands
  aaa authentication enable console CSACS-TACACS+
  aaa authorization command CSACS-TACACS+

  Douglas,
  Try the following configuration:
  aaa authentication ssh console CSACS-TACACS+
  aaa authentication http console CSACS-TACACS+
  aaa authentication enable console CSACS-TACACS+
  With the previous settings the ASA should be authenticating your username/password and the enable password against the ACS server, if this part works fine then authorization should also be working fine.
  Remember to keep another session open in privilege mode before testing "
  aaa authentication enable console CSACS-TACACS+" command. In the ACS server you should be seeing at least the authentication passed report.

• AAA Command Authorization

  I have an ACS 4.0 device. In the shell command authorization set section, you have the ability to define permitted or denied commands (show) and arguments (running-config). I am limiting users to a specific set of commands. One of the commands is 'exit'. To my knowledge, 'exit' does not have any arguments. If I add 'exit' as a permitted command but enter nothing for the argument section, I get authorization failed at the router. If I select 'permit unmatched args' (for exit), authorization is successful. I would prefer to not select 'permit unmatched args'. Is there an argument for 'exit' that I am not aware of?

  It worked thanks. The ACS servers gives me an error saying the correct format is permit or deny followed by an argument, but the 'permit' has been saved and is working.
  Thanks again.

• AAA problems PIX/ASA

  Hello
  I have a problem with authentication on my network. Here I have support level 2 and level 3.
  Level 2 support, has restricted access to some switches and routers, the firewalls they could only give "Show ", the problem is that this is not happening.
  I configured on the ACS command shell Authorization for the commands on switches and routers, for these users of level 2. and PIX / ASA shell commands, I set only the command Enable and Show.
  My problem is that even when the support level 2 tries to access PIX and ASA on my network, they use the authorization of routers and switches, they do not use the parameters that I set up the PIX and ASA for Shell.
  the only firewalls on my line is this Authorization below
  Authorization TACACS + aaa command LOCAL
  I have to configure anything else?
  I can not create command line only for Firewalls.
  I'm missing something? something missing?
  my firewall and IOS versions:
  Pix: 6.3
  ASA 6x, 7x, 8x
  thanks for help
  Digite um texto ou endereço de um site ou traduza um documento.
  Cancelar
  Ouvir
  Ler foneticamente
  Tradução do português para inglês

  My problem is that my ACS v4.2, is not able to be distinguished from other shell comamds PIX / ASA. The same shell commands used in the switches, is being applied in firewalls.
  There is a way to create separate privileges between switches and firewalls?
  output of routers and firewalls. Switches and routera are the same
  switches
  aaa authentication login ACS-AUTH group ACS-TACACS local
  aaa authorization config-commands
  aaa authorization exec ACS-AUTH group ACS-TACACS local
  aaa authorization commands 15 default group ACS-TACACS local
  aaa accounting exec default start-stop group ACS-TACACS
  aaa accounting commands 15 default start-stop group ACS-TACACS
  firewalls
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ (transit) host x.x.x.x
  aaa-server RADIUS protocol radius
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication http console TACACS+ LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authentication telnet console TACACS+ LOCAL
  aaa accounting enable console TACACS+
  aaa accounting ssh console TACACS+
  aaa accounting command privilege 15 TACACS+

• Command execution get very slow when AAA Authorization enable on ASR 1006

  Without Authorization , I am able work smoothly with just click on ASR ...., But Once I enable Authorization it takes many secs to move to other command exampe ( If i hit config t or int gi1/0/1 , it   take time to move to next command level) ...
  These Authorization issue I am facing only on ASR and for Other Cisco Switches and Router its working fine wiith just a click.
  Did any one face such issue , and how it is fix ...
  See the Show version for ASR
  Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2011 by Cisco Systems, Inc.
  Compiled Thu 24-Mar-11 23:32 by mcpre
  Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
  All rights reserved.  Certain components of Cisco IOS-XE software are
  licensed under the GNU General Public License ("GPL") Version 2.0.  The
  software code licensed under GPL Version 2.0 is free software that comes
  with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
  GPL code under the terms of GPL Version 2.0.  For more details, see the
  documentation or "License Notice" file accompanying the IOS-XE software,
  or the applicable URL provided on the flyer accompanying the IOS-XE
  software.
  ROM: IOS-XE ROMMON
  NOITDCRTRCORP01 uptime is 10 weeks, 6 days, 1 hour, 16 minutes
  Uptime for this control processor is 10 weeks, 6 days, 1 hour, 19 minutes
  System returned to ROM by reload
  System restarted at 17:47:32 IST Thu Oct 4 2012
  System image file is "bootflash:/asr1000rp1-advipservicesk9.03.03.00.S.151-2.S.bin"
  Last reload reason: EHSA standby down
  AAA Commands on ASR 1006
  aaa new-model
  aaa group server tacacs+ tacgroup
  server 10.48.128.10
  server 10.72.160.10
  ip vrf forwarding Mgmt-intf
  ip tacacs source-interface GigabitEthernet0
  aaa authentication login default group tacgroup local
  aaa authentication enable default group tacgroup enable
  aaa accounting exec default start-stop group tacgroup
  aaa accounting commands 1 default start-stop group tacgroup
  aaa accounting commands 15 default start-stop group tacgroup
  aaa accounting connection default start-stop group tacgroup
  aaa accounting system default start-stop group tacgroup
  aaa authorization commands 0 default group tacgroup none
  aaa authorization commands 1 default group tacgroup none
  aaa authorization commands 15 default group tacgroup none
  aaa session-id common
  tacacs-server host 10.48.128.10 key 7 13351601181B0B382F04796166
  tacacs-server key 7 053B071C325B411B1D25464058

  I think your issue maybe related to your tacacs server. If you  re-order the two servers (typically a 5 second timer before failover  occurs) and see if that improves your performance:
  You  can try to debug the issue by referring to the command reference  guide....i.e. debug tacacs...you can also try to telnet to both ip  address to port 49 to see if the connection opens, in order to rule out  issues where a firewall or routing to one of the tacacs servers is  failing. I also noticed you have the shared secret and tacacs server  defined for one of the servers, is the sam present for the other server  that is in the server group?
  server 10.48.128.10
  server 10.72.160.10
  to
  server 10.72.160.10
  server 10.48.128.10
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Question on AAA accounting command?

  Is AAA command “aaa accounting commands 15 default start-stop group” just for tacacs+ groups and not for radius?

  jjohnston1127 answered correctly. Command authorization and command accounting are only supported by the tacacs protocol.
  You will not even see an option for radius.
  jkatyel(config)#aaa accounting commands 15 default start-stop gr
  jkatyel(config)#aaa accounting commands 15 default start-stop group ?
    WORD     Server-group name
    tacacs+  Use list of all Tacacs+ hosts.
  Accounting supported by radius
  https://tools.ietf.org/html/rfc2866
  Regards,
  Jatin Katyal
  *Do rate helpful posts*

• Two aaa-server TACACS+ in PIX 525

  I have a PIX 525 with two aaa-server for TACACS+; My aaa comands are configured by default.
  I understand that my aaa-server TACACS+max-failed-attempts "number" have a "3" times to declare my aaa-server unresponsive and move on to try the next server in the list.
  Once it happens, how long does the aaa requests are send to the secundary aaa-server?
  Can somebody of you can help me? I want to keep my first aaa-server as primary and just in case of failure use the second aaa-server.
  Thanks a lot.

  The timeout interval also has to be configured for the request. This is the time after which the PIX Firewall gives up on the request to the primary AAA server. If there is a standby AAA server, the PIX Firewall will send the request to the backup server. The retransmit timeout is currently set to 10 seconds and is not user configurable.