RE: AAA config On PIX firewall

From: Christopher M. Heffner (cheffner@certified-labs.com)
Date: Thu Sep 16 2004 - 21:02:34 GMT-3

• Next message: Edwards, Andrew M: "RE: lab 1 ccie routing and switching lab scenario book"
• Previous message: Wei Zhu: "Re: RE: policy routing local generated voice traffic? problem"
• Maybe in reply to: AdebolaA@mtnnigeria.net: "AAA config On PIX firewall"
• Next in thread: AdebolaA@mtnnigeria.net: "RE: AAA config On PIX firewall"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Just to let you know that the link is not the solution to your problem.

It will not be the fall back for AAA but it will be used instead of AAA.

The pix currently does not support multiple methods like the router does.

What you have done is change the local policy from AAA to local only.

There is a backdoor in the PIX operating system

Setup the serial login authentication for tacacs or radius like you normally
would.

If tacacs is up and running then use your normal user id and password for
authentication.

If tacacs fails and you can not login then use the user id of pix and the
password will be the enable password.

This is the backdoor.

PIX 7.0 code will fix this issue in which you be able to define tacacs as
method 1 and then define LOCAL as your second method.

Hope this helps.

Later.

Christopher M. Heffner, CCIE 8211, CCSI 98760
Certifed Labs

http://http://www.certified-labs.com/

"Complete CCIE and CCNP Certification Rental Racks including CCIE R&S and
Security with PIX, VPN, IDS, CiscoWorks 2000 VMS, Cisco Secure ACS and
Microsoft CA"

From: AdebolaA@mtnnigeria.net
Sent: Thu 9/16/2004 7:26 AM
To: ccielab@groupstudy.com
Subject: RE: AAA config On PIX firewall

Thanks group,

I have found solution in the link

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref
/ab.htm#wp1111727

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Adebola Adegbonmire [ MTN - UBA ]
Sent: 16 September 2004 12:04
To: ccielab@groupstudy.com
Subject: AAA config On PIX firewall

Hi group,

I am trying to setup a PIX firewall with enable, Telnet, console access
authentication via a Cisco ACS server. That is not a problem it works fine.
However, I need to have a fallback for when no ACS server is available and I
want to use locally defined passwords with a username or without a username
(which is possible). I can't seem to get this right. Wondering if the PIX
allows this or I am not configuring it right?

Any help will be appreciated.

Bola

NOTE: This e-mail message is subject to the MTN Nigeria disclaimer see
http://www.mtnonline.com/contact/disclaimer.asp

• Next message: Edwards, Andrew M: "RE: lab 1 ccie routing and switching lab scenario book"
• Previous message: Wei Zhu: "Re: RE: policy routing local generated voice traffic? problem"
• Maybe in reply to: AdebolaA@mtnnigeria.net: "AAA config On PIX firewall"
• Next in thread: AdebolaA@mtnnigeria.net: "RE: AAA config On PIX firewall"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:45 GMT-3