ACS on outside Interface in Cisco

ACS on outside Interface in Cisco http://www.dslreports.com/forum/r20510927 en Wed, 20 Aug 2008 23:34:28 EDT Wed, 20 Aug 2008 23:34:28 EDT Re: ACS on outside Interface http://www.dslreports.com/forum/remark,20516457 aryoba :

said by wasiim

:

thanks for the reply, but i m concern about the fact that what will happen when tacacs will unavailable, i will not able to login even via console, that is why i m configuring the local command set in case if ACS down, at least i will be able to get in.

That's the reason why you need to issue aaa authentication serial console TACACS+ LOCAL. When you or somebody console in, the person will authenticate with TACACS+ server when the server is available. When the server is unavailable, the person will authenticate locally.

If you want, you can do some testing by power down or disconnect your TACACS+ server off the network. You can then verify the authentication behavior when TACACS+ server is available and when it is unavailable.]]> http://www.dslreports.com/forum/remark,20516457 Wed, 21 May 2008 09:41:00 EDT Re: ACS on outside Interface http://www.dslreports.com/forum/remark,20513845 wasiim : thanks for the reply, but i m concern about the fact that what will happen when tacacs will unavailable, i will not able to login even via console, that is why i m configuring the local command set in case if ACS down, at least i will be able to get in.

Please correct me, I will use command authorization service only from tacacs which i m using already and it is working fine for me. If ACS will goes down, what will happen, I wil able to login bcz of this command
aaa authentication serial console tacacs+ local

how the command authorization will react at that time. ]]> http://www.dslreports.com/forum/remark,20513845 Tue, 20 May 2008 18:33:18 EDT Re: ACS on outside Interface http://www.dslreports.com/forum/remark,20513293 aryoba : Why do you set such privilege command list on your PIX? That would beat the purpose of having TACACS+ server, wouldn't it? :)

Set those command restriction on your TACACS+ server instead since it is TACACS+ server's job to decide whether specific command is approved for specific user under specific privilege level.]]> http://www.dslreports.com/forum/remark,20513293 Tue, 20 May 2008 16:44:08 EDT Re: ACS on outside Interface http://www.dslreports.com/forum/remark,20513273 aryoba : Set serial authentication to use your TACACS+ server as primary and use LOCAL as backup; just like ssh and enable authentication. This way you should be able to authenticate with your TACACS+ server (or to authenticate locally if the TACACS+ server is unreachable) when console in.]]> http://www.dslreports.com/forum/remark,20513273 Tue, 20 May 2008 16:41:34 EDT Re: ACS on outside Interface http://www.dslreports.com/forum/remark,20513102 wasiim : Problem solved, i removed the device and again add it and it is working fine now, but one more problem arise, and that is i m not able to console my firewall, i have applied the command authorization and it is working fine for me, but i m not able to console my device. I wanted to use this option in case, ACS goes down and i can console my firewall and but it is not working fine me.

aa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa-server TACACS+ (edn) host 172.28.31.133
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+

but i m not able to login i m getting following eror

Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> enable
Command authorization failed

i also defined the local command authorization set like this

privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege show level 15 mode exec command version
privilege show level 0 mode exec command access-list
privilege show level 0 mode configure command access-list
privilege cmd level 15 mode configure command exit
privilege cmd level 15 mode configure command no
privilege cmd level 0 mode configure command access-list
privilege cmd level 15 mode interface command exit
privilege cmd level 15 mode subinterface command exit
privilege cmd level 15 mode dynupd-method command exit
privilege cmd level 15 mode trange command exit
privilege cmd level 15 mode route-map command exit
privilege cmd level 15 mode router command exit
privilege cmd level 15 mode ldap command exit
privilege cmd level 15 mode aaa-server-host command exit
privilege cmd level 15 mode aaa-server-group command exit
privilege cmd level 15 mode context command exit
privilege cmd level 15 mode group-policy command exit
privilege cmd level 15 mode username command exit
privilege cmd level 15 mode tunnel-group-general command exit
privilege cmd level 15 mode tunnel-group-ipsec command exit
privilege cmd level 15 mode tunnel-group-ppp command exit
privilege cmd level 15 mode mpf-class-map command exit
privilege cmd level 15 mode mpf-policy-map command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-param command exit

Please tell me how to solve this problem ]]> http://www.dslreports.com/forum/remark,20513102 Tue, 20 May 2008 16:13:38 EDT Re: ACS on outside Interface http://www.dslreports.com/forum/remark,20511050 aryoba : The AAA commands you posted looked fine. Therefore I don't believe the problem lies on the AAA commands themselves. The problem might be the NAT or route statement.

Keep in mind that your ACS 172.28.x.x IP address is located outside. Therefore the PIX routing table should have the IP address accessible toward outside interface and not inside interface. As to NAT, you may need to implement no NAT statement to avoid NAT between inside and outside in order to authenticate with outside TACACS server.]]> http://www.dslreports.com/forum/remark,20511050 Tue, 20 May 2008 10:27:34 EDT ACS on outside Interface http://www.dslreports.com/forum/remark,20510927 wasiim : I have pix 535, i want to configure it for ACS authentication, but problem is that, users tries to login from inside interface and ACS located on outside interface of pix firewall.

I have configured the following commands but still not able to get the authentication,

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 172.28.x.x x.x.x
aaa-server TACACS+ (outside) host 172.28.x. xx
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+

same configuration is working fine for me with rest of the firewalls of my network bcz ACS and users are located on the same interface side, only this firewall is having problem.

Firewall is not having any thing like source interface like routers have.

Please help me out. ]]> http://www.dslreports.com/forum/remark,20510927 Tue, 20 May 2008 10:00:04 EDT