AAA commands on PIX
Hello all,
I am referring to the PIX 6.3 command reference guide for the command "aaa authentication". As per this document, there is no option like 'inbound' or 'outbound' in this command, but the examples under this command show these keywords. I am getting confused here.
Can anyone show me a place where AAA commands on PIX are explained clearly? I know how these commands work on a router, but PIX is very difficult to understand.
Any help would be highly appreciated.
TIA,
Mohan
There is an inbound/outbound option in the aaa authentication command on the PIX. You could refer to the command reference at http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a0080104239.html#wp1025384
Similar Messages
-
Aaa authorization commands for pix 535
Hi ,
Can you provide aaa authorization commands for pix 535
Sanjay Nalawade
Hi,
Please find the AAA config for PIX.
aaa-server TACACS+ protocol tacacs+
max-failed-attempts 5
aaa-server TACACS+ (ExranetFW-In) host
timeout 5
key ********
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command LOCAL
aaa accounting command privilege 15 TACACS+
aaa authorization exec authentication-server
Karuppuchamy -
Hello folks!!!
In my PIX 515E I have configured AAA (TACACS+) and have also configured serial console authentication as "local" and telnet console authentication from the TACACS+ server. Apart from this I have also configured authorization against the "tacacs+" server. Now, if the AAA server is not available I am able to go into user mode with the "enable pwd" set in the PIX, but if I try to go into enable mode it gives the error message "AAA command authorization failed", since it looks to the AAA server for authorization and that is not available. Is there a way I can overcome this by configuring "local" authorization as a fallback in case the AAA server is not available?
Cheers
SS
You can add a command like this:
aaa authentication login default tacacs local
aaa authentication login CONSOLE local
So if TACACS+ fails, local will take over.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093c81.shtml#login_auth -
AAA command authorization in ACE
How do we enable AAA command authorization in the ACE module on a 6500 switch? I don't find any aaa authorization commands in it.
Kind regards
Ullas
Hi,
See the ACE Security Guide - Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. It sounds like you're being put into Network-Monitor role by default. Quote from the manual:
"The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."
There are postings in this and other Cisco fora about exactly how to set these values (which depends on your RADIUS server implementation).
HTH
Cathy -
Lost Enable Prompt access post configuring aaa commands
Can any one suggest how to login back to enable prompt on my device ?
I have done the Tacacs Configuration through adding aaa commands &
As a Post Result, Tacacs is successfully configured & I am able to login with my rsa token
but unfortunately I have lost the enable access and am unable to enter privilege mode. However, I was able to log in to privilege mode before adding the aaa commands
through admin. Currently the error below is showing on my screen:
SWITCH>en
Password:
% Error in authentication
Which AAA commands did you apply? Did you try the same password as the one for the user that you are logging in with? If there is a local enable password you could disable access to TACACS+ to fall back to it and correct the configuration.
This could be achieved by using ACL to filter TACACS from this device on an upstream host or removing this host temporarily from your ACS/TACACS server so it gets no reply back. It should then fall back to local accounts if you have configured that.
Daniel Dib
CCIE #37149
Please rate helpful posts. -
Enabling aaa authorization on pix/asa
I managed to get authentication on easily enough but now am having difficulty getting authorization to work properly. I have auth/author turned on for my IOS gear, so any techs logged in have rights based on what I give them on Secure ACS. However, I can't get the same to work on PIX code. I can log in fine with aaa authentication but it still prompts me for the enable password. The end result I want is to be able to log in just once (and be enabled). Any white papers that can point me the right way?
Thank you, Prem. Here is my concern. When I enable AAA access on the firewalls, from what you said there is no way for me to govern what rights a tech has when accessing the device? I want to establish the same restrictions as on the IOS gear I have, where normal techs only get certain commands and others have full command access. The way it is now, anyone with an account on Secure ACS can access it via ASDM.
EDIT:
Also I'm a little confused about the various fields on the AAA Access (from Device Access) tab. In Authentication, there is an option to require authentication to be able to use enable mode. I am not sure how this authenticates against our ACS server (I checked the various settings in ACS and enabled what I think are all the PIX commands to permit enable) and it doesn't work. I enter the enable password when I telnet in and I get "auth failed" when running any commands.
Also there is an Authorization tab which I am assuming allows to you to push down rights from an aaa server? Where on the ACS can I configure that? -
I have set up authentication and Authorization on the PIX. Authentication works but Authorization fails. I try to debug but nothing shows up (on PIX or ACS), but it does if I debug Authentication
Make sure you have enable authentication ,
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authorization command TACACS LOCAL
In case it does not work, please provide the aaa config.
Regards,
~JG
Do rate helpful posts -
Guys
We have a firewall (PIX) which has a DMZ (named 777) and of course an internal and an external interface. There is a command, shown below, that I am a bit confused about:
static (DMZ777,inside) tcp 10.22.1.5 ssh 10.22.1.5 20022 netmask 255.255.255.255
What does this command mean? I am confused about "ssh" and "20022". Is it a NAT or a routing command?
Thanks for looking
Hi,
The above configuration line is a NAT configuration line
And more specifically a Static PAT configuration
static (DMZ777,inside) tcp 10.22.1.5 ssh 10.22.1.5 20022 netmask 255.255.255.255
The above configuration would seem to indicate that there is a host 10.22.1.5 on the DMZ for which NO NAT is done on the IP address, but the TCP port is manipulated. When connecting from "inside" to "DMZ777" to IP 10.22.1.5 with destination port TCP/22, the connection will actually be forwarded to TCP port 20022.
- Jouni -
ASDM (ASA9.1) won't fully initiated when configured AAA command authorization
ASA doesn't have any local account, all authentications is done via AAA.
On AAA, we have two "groups" both assigned to privilege_15, one group (A) can issue all commands, another group (B) only can issue command sets we defined.
Group A can login to ASDM without any problems.
Group B can pass the login pop-up, then ASDM starts to load its window; at the bottom it does show that the logged-in user has privilege 15, but then it stops at "parsing running configuration...", the ASDM login screen pops up again, and I cannot get past it.
I suspect it's somewhere in the permissions. Can someone help? Thanks.
Leo Song
Hello,
There are some commands that are required in order to load the ASDM
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command blocks
Make sure you have them
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
I have aaa authentication working on my ASA with no problem. I have command authorization working for my account on all my IOS devices with TACACS+ and a Cisco ACS. I cannot get command authorization to work on the ASA. Every time I enter 'aaa authorization command CSACS-TACACS+' the system will not let me do anything else, gives me "user not authorized", and the ACS shows no log of the request. I then have to reboot the ASA to get back in.
Current commands
aaa authentication ssh console CSACS-TACACS+
aaa authentication http console CSACS-TACACS+
Entered commands
aaa authentication enable console CSACS-TACACS+
aaa authorization command CSACS-TACACS+
Douglas,
Try the following configuration:
aaa authentication ssh console CSACS-TACACS+
aaa authentication http console CSACS-TACACS+
aaa authentication enable console CSACS-TACACS+
With the previous settings the ASA should be authenticating your username/password and the enable password against the ACS server, if this part works fine then authorization should also be working fine.
Remember to keep another session open in privilege mode before testing the "aaa authentication enable console CSACS-TACACS+" command. In the ACS server you should be seeing at least the "authentication passed" report. -
I have an ACS 4.0 device. In the shell command authorization set section, you have the ability to define permitted or denied commands (show) and arguments (running-config). I am limiting users to a specific set of commands. One of the commands is 'exit'. To my knowledge, 'exit' does not have any arguments. If I add 'exit' as a permitted command but enter nothing for the argument section, I get authorization failed at the router. If I select 'permit unmatched args' (for exit), authorization is successful. I would prefer to not select 'permit unmatched args'. Is there an argument for 'exit' that I am not aware of?
It worked thanks. The ACS servers gives me an error saying the correct format is permit or deny followed by an argument, but the 'permit' has been saved and is working.
Thanks again. -
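The behaviour the poster above ran into (a permitted `exit` with no argument rule fails, and a bare `permit` fixes it) is easier to see against a small model of a shell command authorization set. The following is an added example, not ACS code and not from the thread; the matching rules are this example's own reading of what the post reports: each command in the set carries an ordered list of `permit`/`deny` argument regexes, an argument string that matches no rule falls to that command's permit-unmatched-args setting, and a command absent from the set falls to the set-level permit-unmatched-commands setting. A command typed with no arguments is checked against the empty string, which is exactly what a bare `permit` (an empty pattern) matches. The `level2_set` below is a constructed read-only set of the kind discussed in this thread, not anyone's production configuration.

```python
"""Model of an ACS-style shell command authorization set.

Added example: not ACS code, not from the thread. CommandRule, CommandSet,
level2_set and demo are this example's own names. Matching semantics are an
assumption that reproduces the behaviour reported in the post above.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    # Ordered argument rules, e.g. [("deny", r"^running-config"), ("permit", r".*")]
    arg_rules: list = field(default_factory=list)
    permit_unmatched_args: bool = False   # ACS "Permit Unmatched Args" checkbox


@dataclass
class CommandSet:
    commands: dict                        # command word -> CommandRule
    permit_unmatched_commands: bool = False   # keep False: default-deny

    def authorize(self, line):
        """Return True if the command line is permitted by this set."""
        parts = line.strip().split(None, 1)
        if not parts:
            return False
        cmd = parts[0]
        args = parts[1] if len(parts) > 1 else ""   # bare command -> empty string
        rule = self.commands.get(cmd)
        if rule is None:
            return self.permit_unmatched_commands
        for action, pattern in rule.arg_rules:      # first matching rule decides
            if re.search(pattern, args):
                return action == "permit"
        return rule.permit_unmatched_args           # nothing matched


def level2_set():
    """Constructed read-only set: show (but not the config), enable, exit."""
    return CommandSet({
        # deny the config dump first, then permit every other show form
        "show": CommandRule([("deny", r"^running-config"), ("permit", r".*")]),
        # an empty pattern also matches the empty string, so a bare "permit"
        # is what makes the argument-less command succeed
        "exit": CommandRule([("permit", r"")]),
        # ^$ permits only the bare command; "enable 15" would be denied
        "enable": CommandRule([("permit", r"^$")]),
        "configure": CommandRule([("deny", r".*")]),
    })


def demo():
    """Decisions for the cases discussed in the thread, as a dict."""
    s = level2_set()
    no_arg_rule = CommandSet({"exit": CommandRule()})
    unmatched_ok = CommandSet({"exit": CommandRule(permit_unmatched_args=True)})
    return {
        "show version": s.authorize("show version"),
        "show running-config": s.authorize("show running-config"),
        "exit": s.authorize("exit"),
        "enable": s.authorize("enable"),
        "enable 15": s.authorize("enable 15"),
        "configure terminal": s.authorize("configure terminal"),
        "write memory": s.authorize("write memory"),      # not in the set
        "exit_no_rules": no_arg_rule.authorize("exit"),    # the poster's symptom
        "exit_unmatched_ok": unmatched_ok.authorize("exit"),
    }


if __name__ == "__main__":
    for command, allowed in demo().items():
        print(f"{command:22} -> {'permit' if allowed else 'deny'}")
```

Two caveats worth checking against the accounting log: in this model (as in any regex matcher) an empty pattern also matches non-empty arguments, so a bare `permit` permits every form of that command and `^$` is the pattern for "the bare command only"; and the string the device sends for authorization is what has to match, so build rules from the command strings that show up in `aaa accounting command` records rather than from what the operator remembers typing.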
Hello
I have a problem with authentication on my network. Here I have support level 2 and level 3.
Level 2 support has restricted access to some switches and routers; on the firewalls they should only be able to use "show". The problem is that this is not happening.
On the ACS I configured shell command authorization for the commands on switches and routers for these level 2 users, and for the PIX / ASA shell commands I set only the commands enable and show.
My problem is that even when level 2 support accesses the PIX and ASA on my network, they get the authorization of the routers and switches; they do not get the parameters that I set up for the PIX and ASA shell.
The only authorization line on my firewalls is the one below:
aaa authorization command TACACS+ LOCAL
I have to configure anything else?
I can not create command line only for Firewalls.
I'm missing something? something missing?
my firewall and IOS versions:
Pix: 6.3
ASA 6x, 7x, 8x
thanks for help
My problem is that my ACS v4.2 is not able to distinguish the PIX / ASA shell commands from the other shell commands. The same shell commands used on the switches are being applied on the firewalls.
Is there a way to create separate privileges between switches and firewalls?
Output of routers and firewalls. Switches and routers are the same:
switches
aaa authentication login ACS-AUTH group ACS-TACACS local
aaa authorization config-commands
aaa authorization exec ACS-AUTH group ACS-TACACS local
aaa authorization commands 15 default group ACS-TACACS local
aaa accounting exec default start-stop group ACS-TACACS
aaa accounting commands 15 default start-stop group ACS-TACACS
firewalls
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (transit) host x.x.x.x
aaa-server RADIUS protocol radius
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa accounting command privilege 15 TACACS+ -
Command execution get very slow when AAA Authorization enable on ASR 1006
Without authorization I am able to work smoothly on the ASR with just a click, but once I enable authorization it takes many seconds to move to the next command (for example, if I hit config t or int gi1/0/1, it takes time to move to the next command level).
This authorization issue I am facing only on the ASR; for the other Cisco switches and routers it works fine with just a click.
Did anyone face such an issue, and how was it fixed?
See the Show version for ASR
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 24-Mar-11 23:32 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
NOITDCRTRCORP01 uptime is 10 weeks, 6 days, 1 hour, 16 minutes
Uptime for this control processor is 10 weeks, 6 days, 1 hour, 19 minutes
System returned to ROM by reload
System restarted at 17:47:32 IST Thu Oct 4 2012
System image file is "bootflash:/asr1000rp1-advipservicesk9.03.03.00.S.151-2.S.bin"
Last reload reason: EHSA standby down
AAA Commands on ASR 1006
aaa new-model
aaa group server tacacs+ tacgroup
server 10.48.128.10
server 10.72.160.10
ip vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
aaa authentication login default group tacgroup local
aaa authentication enable default group tacgroup enable
aaa accounting exec default start-stop group tacgroup
aaa accounting commands 1 default start-stop group tacgroup
aaa accounting commands 15 default start-stop group tacgroup
aaa accounting connection default start-stop group tacgroup
aaa accounting system default start-stop group tacgroup
aaa authorization commands 0 default group tacgroup none
aaa authorization commands 1 default group tacgroup none
aaa authorization commands 15 default group tacgroup none
aaa session-id common
tacacs-server host 10.48.128.10 key 7 13351601181B0B382F04796166
tacacs-server key 7 053B071C325B411B1D25464058
I think your issue may be related to your TACACS+ server. Try re-ordering the two servers (typically there is a 5 second timer before failover occurs) and see if that improves your performance:
You can try to debug the issue by referring to the command reference guide, i.e. debug tacacs. You can also try to telnet to both IP addresses on port 49 to see if the connection opens, in order to rule out issues where a firewall or routing to one of the TACACS+ servers is failing. I also noticed you have the shared secret and tacacs-server defined for one of the servers; is the same present for the other server that is in the server group?
server 10.48.128.10
server 10.72.160.10
to
server 10.72.160.10
server 10.48.128.10
Thanks,
Tarik Admani
*Please rate helpful posts* -
Question on AAA accounting command?
Is AAA command “aaa accounting commands 15 default start-stop group” just for tacacs+ groups and not for radius?
jjohnston1127 answered correctly. Command authorization and command accounting are only supported by the tacacs protocol.
You will not even see an option for radius.
jkatyel(config)#aaa accounting commands 15 default start-stop gr
jkatyel(config)#aaa accounting commands 15 default start-stop group ?
WORD Server-group name
tacacs+ Use list of all Tacacs+ hosts.
Accounting is supported by RADIUS:
https://tools.ietf.org/html/rfc2866
Regards,
Jatin Katyal
*Do rate helpful posts* -
Two aaa-server TACACS+ in PIX 525
I have a PIX 525 with two aaa-server for TACACS+; My aaa comands are configured by default.
I understand that my aaa-server TACACS+ max-failed-attempts "number" gives "3" tries before declaring my aaa-server unresponsive and moving on to try the next server in the list.
Once that happens, for how long are the aaa requests sent to the secondary aaa-server?
Can somebody help me? I want to keep my first aaa-server as primary and use the second aaa-server only in case of failure.
Thanks a lot.
The timeout interval also has to be configured for the request. This is the time after which the PIX Firewall gives up on the request to the primary AAA server. If there is a standby AAA server, the PIX Firewall will send the request to the backup server. The retransmit timeout is currently set to 10 seconds and is not user configurable.
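The failover and fallback semantics that SS's reply (TACACS+ then local), the slow-ASR thread (a server that never answers) and the two-server PIX question above all turn on can be reasoned about with a small simulation. The following is an added example, not code from the thread or from Cisco: the server replies are constructed in memory, nothing is contacted on the network, and the class and function names are this example's own. It models the PIX rules as quoted in this thread: a request waits `timeout` seconds for each server that does not answer, a server that fails `max-failed-attempts` times in a row is skipped, and the next method in the list (LOCAL) is consulted only when no server answered at all. A REJECT from a server that did answer is final, which is why a LOCAL-only account does not help while TACACS+ is reachable, and why the usual recovery is to make the TACACS+ server unreachable, as Daniel Dib suggests above.

```python
"""Simulation of a PIX/ASA-style AAA method list such as "TACACS+ LOCAL".

Added example: not from the thread, not Cisco code. Reply, TacacsServer,
ServerGroup, authenticate and demo are this example's own names; server
behaviour and user databases are constructed in memory.
"""
from dataclasses import dataclass
from enum import Enum


class Reply(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    TIMEOUT = "timeout"   # no reply within the request timeout


@dataclass
class TacacsServer:
    host: str
    users: dict             # constructed user database held by this server
    reachable: bool = True
    failed: int = 0         # consecutive unanswered requests
    queries: int = 0        # how many times the firewall actually asked it

    def query(self, user, password):
        self.queries += 1
        if not self.reachable:
            return Reply.TIMEOUT
        return Reply.ACCEPT if self.users.get(user) == password else Reply.REJECT


@dataclass
class ServerGroup:
    name: str
    servers: list
    timeout: int = 5               # seconds waited per unanswered request
    max_failed_attempts: int = 3   # PIX default quoted in the thread
    waited: int = 0                # simulated seconds spent on timeouts

    def query(self, user, password):
        """Ask the servers in order; TIMEOUT means no server answered."""
        for srv in self.servers:
            if srv.failed >= self.max_failed_attempts:
                continue            # declared dead: skipped without waiting
            reply = srv.query(user, password)
            if reply is Reply.TIMEOUT:
                srv.failed += 1
                self.waited += self.timeout
                continue            # try the next server in the group
            srv.failed = 0
            return reply            # ACCEPT or REJECT ends the search
        return Reply.TIMEOUT


def authenticate(method_list, user, password):
    """Walk the method list left to right; returns (Reply, deciding method)."""
    for method in method_list:
        if isinstance(method, ServerGroup):
            reply = method.query(user, password)
            if reply is Reply.TIMEOUT:
                continue            # no answer at all: fall through to next method
            return reply, method.name   # an answer, even REJECT, is final
        # LOCAL: the device's own user database, always reachable
        ok = method.get(user) == password
        return (Reply.ACCEPT if ok else Reply.REJECT), "LOCAL"
    return Reply.REJECT, None       # no method could answer: deny


def demo():
    """Run the scenarios from the thread; returns a dict of outcomes."""
    primary = TacacsServer("10.0.0.1", {"ops": "tacacs-pw"})   # constructed
    backup = TacacsServer("10.0.0.2", {"ops": "tacacs-pw"})    # constructed
    group = ServerGroup("TACACS+", [primary, backup])
    local = {"admin": "local-pw"}                               # LOCAL database
    methods = [group, local]                                    # "TACACS+ LOCAL"
    out = {}
    out["tacacs_ok"] = authenticate(methods, "ops", "tacacs-pw")
    out["tacacs_bad_pw"] = authenticate(methods, "ops", "wrong")
    # A LOCAL-only account is rejected while TACACS+ answers: no second chance
    out["local_user_while_up"] = authenticate(methods, "admin", "local-pw")
    primary.reachable = False
    out["primary_down"] = authenticate(methods, "ops", "tacacs-pw")   # via backup
    backup.reachable = False
    out["all_down"] = authenticate(methods, "admin", "local-pw")       # via LOCAL
    out["all_down_bad"] = authenticate(methods, "admin", "nope")
    # After max_failed_attempts the dead servers are no longer waited on
    for _ in range(3):
        authenticate(methods, "ops", "tacacs-pw")
    out["primary_queries"] = primary.queries
    out["backup_queries"] = backup.queries
    out["seconds_waited"] = group.waited
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `seconds_waited` figure is the cost the ASR poster describes: as long as the first server in the group does not answer and has not yet been declared dead, every request pays its full timeout before the second server or LOCAL is tried. Reordering the servers so the responsive one is first, or fixing reachability to TCP/49 as Tarik suggests, removes that wait; the simulation's dead-server skip is the PIX `max-failed-attempts` behaviour and is an assumption about the exact reactivation policy.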