RE: AAA config On PIX firewall

From: Christopher M. Heffner (cheffner@certified-labs.com)
Date: Sat Sep 18 2004 - 22:15:09 GMT-3


NTD,

Thanks!

I was personally referring to the command line syntax that will be available
in the PIX 7.0 IOS code some time next year.

One of the other guys mentioned that it was available in 6.3.4 IOS yesterday
too.

We run the 6.3.3 IOS code for the Cisco PIX Firewall code so I had not seen
that yet but will update my code on my production pix to 6.3.4 next week to
start looking at the new commands available.

One of the cool commands available in 6.3.4 is the capability to now have
subinterfaces on the PIX 506E.

Cool man.

Later and thanks again for the update.

Christopher M. Heffner, CCIE 8211, CCSI 98760
Certified Labs, Inc.

http://www.certified-labs.com/

"Complete CCIE Routing & Switching, CCIE Security including PIX, IDS, VPN,
CiscoWorks 2000, Dual 3550 Switches, ATM, Cisco ACS for NT, Microsoft CA"

From: NTD
Sent: Sat 9/18/2004 6:56 PM
To: AdebolaA@mtnnigeria.net; cheffner@certified-labs.com;
ccielab@groupstudy.com
Cc: security@groupstudy.com
Subject: RE: AAA config On PIX firewall

Hi,

What version are you using for the PIX? If you are using 6.3.4 there is a
fallback like the router.

Bests Regards,
NTD

AdebolaA@mtnnigeria.net wrote:
Thanks Chris. I guess my referring to the solution as a fallback is
misleading. However I was looking for a way into the PIX when the AAA is
not available, when I realised the PIX did not have a fallback like the
router. Still I discovered that you could not use the pix username and
enable password option if the AAA is available. The PIX won't allow you. In a
sense that satisfies me for now as I can be as secure as possible if I can
assure physical access control to the PIX rack.

-----Original Message-----
From: Christopher M. Heffner [mailto:cheffner@certified-labs.com]
Sent: 17 September 2004 01:03
To: Adebola Adegbonmire [ MTN - UBA ]; ccielab@groupstudy.com
Cc: security@groupstudy.com
Subject: RE: AAA config On PIX firewall

Just to let you know that the link is not the solution to your problem.

It will not be the fall back for AAA but it will be used instead of AAA.

The pix currently does not support multiple methods like the router does.

What you have done is change the local policy from AAA to local only.

There is a backdoor in the PIX operating system

Setup the serial login authentication for tacacs or radius like you normally
would.

If tacacs is up and running then use your normal user id and password for
authentication.

If tacacs fails and you cannot login then use the user id of pix and the
password will be the enable password.

This is the backdoor.

PIX 7.0 code will fix this issue, in which you will be able to define tacacs as
method 1 and then define LOCAL as your second method.

Hope this helps.

Later.

Christopher M. Heffner, CCIE 8211, CCSI 98760
Certified Labs

http://www.certified-labs.com/

"Complete CCIE and CCNP Certification Rental Racks including CCIE R&S and
Security with PIX, VPN, IDS, CiscoWorks 2000 VMS, Cisco Secure ACS and
Microsoft CA"
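The setup Chris describes, written out as a PIX 6.3-style configuration fragment with the PIX 7.0 ordered method list beside it for comparison. This is an added example, not part of the original thread and not a Cisco-supplied configuration; the interface name, server address, shared secret and placeholder passwords are assumed.

```cisco
! Added example (not from the original thread). The interface, server
! address, shared secret and placeholder passwords are assumed.

! --- PIX 6.3: single-method AAA for serial, telnet, ssh and enable ---
! TACACS+ server group pointing at the ACS server (assumed 10.1.1.5).
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.5 Sh4redSecret timeout 5

! 6.3 accepts exactly one method per line: there is no " LOCAL" fallback.
aaa authentication serial console TACACS+
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+

! Local credentials. As described in the message above, once every server
! in the group stops answering, the built-in username "pix" with the enable
! password is what still gets you in at the console.
enable password <enable-secret>
passwd <telnet-password>

! Replacing the group name with LOCAL on the lines above (what the linked
! command reference shows) switches the method to local-only; it does not
! add a second method.

! --- PIX 7.0: ordered method list, LOCAL as the second method ---
! username admin password <admin-secret> privilege 15
! aaa authentication serial console TACACS+ LOCAL
! aaa authentication ssh console TACACS+ LOCAL
! aaa authentication enable console TACACS+ LOCAL
```

The practical caveat is the one Bola draws later in the thread: on 6.3 the pix/enable credential is usable only while the servers are unreachable, so the enable password and console port deserve the same protection as the ACS credentials themselves.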

_____

From: AdebolaA@mtnnigeria.net
Sent: Thu 9/16/2004 7:26 AM
To: ccielab@groupstudy.com
Subject: RE: AAA config On PIX firewall

Thanks group,

I have found the solution in the link

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1111727

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Adebola Adegbonmire [ MTN - UBA ]
Sent: 16 September 2004 12:04
To: ccielab@groupstudy.com
Subject: AAA config On PIX firewall

Hi group,

I am trying to setup a PIX firewall with enable, Telnet, console access
authentication via a Cisco ACS server. That is not a problem it works fine.
However, I need to have a fallback for when no ACS server is available and I
want to use locally defined passwords with a username or without a username
(which is possible). I can't seem to get this right. Wondering if the PIX
allows this or I am not configuring it right?

Any help will be appreciated.

Bola

NOTE: This e-mail message is subject to the MTN Nigeria disclaimer see
http://www.mtnonline.com/contact/disclaimer.asp



This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:46 GMT-3