RE: PIX & ACS - AAA Authorization

From: Devi Mallampalli (Devi.Mallampalli@chubb.com.au)
Date: Mon Jul 12 2004 - 23:56:13 GMT-3


John,

I think you can tackle this issue in the following way. Configure
another AAA string with, let us say, "authorization group ACS tacacs
local", just like the way you do for authentication ("authentication
group ACS tacacs local"). That way "local authorization", along with
local authentication, will kick in only when tacacs is not available.
Along with this you can map relevant "privilege levels" to the local
user database.

I am not sure of any other way to do this.

Devi.

-----Original Message-----
From: John Elias [mailto:jelias_@hotmail.com]
Sent: Monday, 12 July 2004 11:58 AM
To: ccielab@groupstudy.com
Subject: PIX & ACS - AAA Authorization

All,

    I have several PIX 525s in different locations. I have set up an ACS
Server. If the ACS server is up, all is fine with authentication and
authorization. If the ACS server goes down, I can authenticate with the
built-in pix account. Only problem is authorization. Once I authenticate
with the pix account, I am unable to execute any commands. My question:
is there any other way, besides leaving the authorization to LOCAL and
moving some privileges to a lower level (for other users), to have the
PIX default to authorize locally only if the tacacs is not available?

Thanks In Advance,

John E.
CCIE 8150



This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:11:53 GMT-3