RE: AAA config On PIX firewall

From: AdebolaA@mtnnigeria.net
Date: Fri Sep 17 2004 - 04:18:07 GMT-3


Thanks Chris. I guess my referring to the solution as a fallback is
misleading. However I was looking for a way into the PIX when the AAA is
not available, when I realised the PIX did not have a fallback like the
router. Still I discovered that you could not use the pix username and
enable password option if the AAA is available. The PIX won't allow you. In a
sense that satisfies me for now as I can be as secure as possible if I can
assure physical access control to the PIX rack.

-----Original Message-----
From: Christopher M. Heffner [mailto:cheffner@certified-labs.com]
Sent: 17 September 2004 01:03
To: Adebola Adegbonmire [ MTN - UBA ]; ccielab@groupstudy.com
Cc: security@groupstudy.com
Subject: RE: AAA config On PIX firewall

Just to let you know that the link is not the solution to your problem.
 
It will not be the fall back for AAA but it will be used instead of AAA.
 
The pix currently does not support multiple methods like the router does.
 
What you have done is change the local policy from AAA to local only.
 
There is a backdoor in the PIX operating system
 
Set up the serial login authentication for tacacs or radius like you normally
would.
 
If tacacs is up and running then use your normal user id and password for
authentication.
 
If tacacs fails and you cannot login then use the user id of pix and the
password will be the enable password.
 
This is the backdoor.
 
PIX 7.0 code will fix this issue, in which you will be able to define tacacs as
method 1 and then define LOCAL as your second method.
 
Hope this helps.
 
Later.
 
Christopher M. Heffner, CCIE 8211, CCSI 98760
Certified Labs
 
http://www.certified-labs.com/
 
"Complete CCIE and CCNP Certification Rental Racks including CCIE R&S and
Security with PIX, VPN, IDS, CiscoWorks 2000 VMS, Cisco Secure ACS and
Microsoft CA"
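To make the three configurations discussed in this exchange concrete, here is an added example (not from the thread, Cisco's documentation or Certified Labs; the server address, shared key and user names are placeholders): the 6.3 console authentication pointed at a TACACS+ server, the local-only variant the linked command reference produces, and the 7.0 syntax that names LOCAL as a second method.

```cisco
! --- PIX 6.3: console, Telnet, SSH and enable authenticated by a TACACS+ server (e.g. ACS)
! Placeholder server address and shared key; substitute your own values.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.0.2.10 ExampleSharedKey timeout 5
aaa authentication serial console TACACS+
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
! Only one method can be named per line in 6.3, so there is no configured fallback.
! When the server is unreachable, the behaviour described in the thread applies
! (user "pix" with the enable password), so the enable password must be strong
! and physical/console access to the PIX must be controlled.
enable password <strong-enable-password>

! --- PIX 6.3: what the linked "solution" really configures.
! This replaces AAA with the local user database; it is not a fallback.
username admin password <local-password> privilege 15
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL

! --- PIX 7.0: TACACS+ first, local user database as the second method.
! (The aaa-server group definition syntax also changed in 7.0 and is omitted here.)
username admin password <local-password> privilege 15
aaa authentication serial console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
```

In the 7.0 form the local account is consulted only when the TACACS+ server group does not respond, which is the router-style behaviour the original question asked for.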

   _____

From: AdebolaA@mtnnigeria.net
Sent: Thu 9/16/2004 7:26 AM
To: ccielab@groupstudy.com
Subject: RE: AAA config On PIX firewall

Thanks group,

I have found solution in the link

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1111727

-----Original Message-----

From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Adebola Adegbonmire [ MTN - UBA ]

Sent: 16 September 2004 12:04

To: ccielab@groupstudy.com

Subject: AAA config On PIX firewall

Hi group,

I am trying to set up a PIX firewall with enable, Telnet, console access authentication via a Cisco ACS server. That is not a problem; it works fine. However, I need to have a fallback for when no ACS server is available and I want to use locally defined passwords with a username or without a username (which is possible). I can't seem to get this right. Wondering if the PIX allows this or I am not configuring it right?

Any help will be appreciated.

Bola

NOTE: This e-mail message is subject to the MTN Nigeria disclaimer, see http://www.mtnonline.com/contact/disclaimer.asp



This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:45 GMT-3