 wasiim
join:2008-03-12
reply to aryoba Re: ACS on outside Interface
Problem solved. I removed the device and added it again, and it is working fine now, but one more problem has arisen: I am not able to console into my firewall. I have applied command authorization and it is working fine for me, but I am not able to console into my device. I wanted to use this option in case ACS goes down, so that I can console into my firewall, but it is not working for me.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa-server TACACS+ (edn) host 172.28.31.133
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
But I am not able to log in; I am getting the following error:
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> enable
Command authorization failed
I also defined the local command authorization set like this:
privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege show level 15 mode exec command version
privilege show level 0 mode exec command access-list
privilege show level 0 mode configure command access-list
privilege cmd level 15 mode configure command exit
privilege cmd level 15 mode configure command no
privilege cmd level 0 mode configure command access-list
privilege cmd level 15 mode interface command exit
privilege cmd level 15 mode subinterface command exit
privilege cmd level 15 mode dynupd-method command exit
privilege cmd level 15 mode trange command exit
privilege cmd level 15 mode route-map command exit
privilege cmd level 15 mode router command exit
privilege cmd level 15 mode ldap command exit
privilege cmd level 15 mode aaa-server-host command exit
privilege cmd level 15 mode aaa-server-group command exit
privilege cmd level 15 mode context command exit
privilege cmd level 15 mode group-policy command exit
privilege cmd level 15 mode username command exit
privilege cmd level 15 mode tunnel-group-general command exit
privilege cmd level 15 mode tunnel-group-ipsec command exit
privilege cmd level 15 mode tunnel-group-ppp command exit
privilege cmd level 15 mode mpf-class-map command exit
privilege cmd level 15 mode mpf-policy-map command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-param command exit
Please tell me how to solve this problem.
aryoba Premium, MVM
join:2002-08-22
Set serial authentication to use your TACACS+ server as primary and LOCAL as backup, just like ssh and enable authentication. This way you should be able to authenticate with your TACACS+ server (or to authenticate locally if the TACACS+ server is unreachable) when you console in.
aryoba Premium, MVM
join:2002-08-22
reply to wasiim
Why do you set such a privilege command list on your PIX? That would defeat the purpose of having a TACACS+ server, wouldn't it?
Set those command restrictions on your TACACS+ server instead, since it is the TACACS+ server's job to decide whether a specific command is approved for a specific user under a specific privilege level.
 wasiim
join:2008-03-12
Thanks for the reply, but I am concerned about what will happen when TACACS is unavailable: I will not be able to log in even via console. That is why I am configuring the local command set, so that if ACS is down, at least I will be able to get in.
Please correct me. I will use the command authorization service only from TACACS, which I am already using and which is working fine for me. If ACS goes down, what will happen? Will I be able to log in because of this command: aaa authentication serial console tacacs+ local
How will command authorization react at that time?
aryoba Premium, MVM
join:2002-08-22
said by wasiim:
Thanks for the reply, but I am concerned about what will happen when TACACS is unavailable: I will not be able to log in even via console. That is why I am configuring the local command set, so that if ACS is down, at least I will be able to get in.
That is the reason why you need to issue aaa authentication serial console TACACS+ LOCAL. When you or somebody consoles in, the person will authenticate with the TACACS+ server when the server is available. When the server is unavailable, the person will authenticate locally.
If you want, you can do some testing by powering down your TACACS+ server or disconnecting it from the network. You can then verify the authentication behavior when the TACACS+ server is available and when it is unavailable.
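The fallback rule aryoba gives in both replies above (console authentication should chain the TACACS+ group first and LOCAL second, the same way ssh and enable already do) can be checked mechanically before the lockout test he suggests. The following is an added example, not code from the thread, from the posters, or from Cisco: a small Python lint that parses the `aaa authentication <service> console` and `aaa authorization command` lines of an ASA/PIX configuration, reports every console access path whose authentication chain does not match the command-authorization chain, and emits the corrected lines. The sample configuration is a constructed copy of the one wasiim posted. The lint applies aryoba's rule to every console service, so the `http` line is flagged alongside `serial`; it checks configuration text only and does not talk to a device or a TACACS+ server.

```python
"""Lint ASA/PIX AAA configuration for console-fallback consistency.

Added example: checks that every 'aaa authentication <service> console' line
uses the same server group as 'aaa authorization command', with LOCAL as the
fallback, so that console access survives an unreachable TACACS+ server.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, copied from the configuration pasted in the thread.
ORIGINAL_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa-server TACACS+ (edn) host 172.28.31.133
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
"""

# 'aaa authentication <service> console <group-or-LOCAL> [LOCAL]'
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")
# 'aaa authorization command <group-or-LOCAL> [LOCAL]'
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)(?: (LOCAL))?$")

Chain = Tuple[str, bool]  # (primary method, has LOCAL fallback)


def parse_aaa(config: str) -> Tuple[Dict[str, Chain], Optional[Chain]]:
    """Extract per-service authentication chains and the command-authorization chain."""
    auth: Dict[str, Chain] = {}
    authz: Optional[Chain] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = AUTH_RE.match(line)
        if m:
            service, primary, fallback = m.groups()
            auth[service] = (primary, fallback == "LOCAL")
            continue
        m = AUTHZ_RE.match(line)
        if m:
            group, fallback = m.groups()
            authz = (group, fallback == "LOCAL")
    return auth, authz


def find_inconsistent_paths(config: str) -> List[str]:
    """Report console services whose authentication chain differs from the
    command-authorization chain. One finding per service, sorted by service."""
    auth, authz = parse_aaa(config)
    if authz is None or authz[0] == "LOCAL":
        return []  # no remote command authorization, nothing to reconcile
    group = authz[0]
    findings: List[str] = []
    for service, (primary, has_local) in sorted(auth.items()):
        if primary == "LOCAL":
            findings.append(
                f"{service}: authenticates LOCAL only while command authorization "
                f"uses {group}; set 'aaa authentication {service} console {group} LOCAL'"
            )
        elif primary == group and not has_local:
            findings.append(
                f"{service}: no LOCAL fallback; locks you out if {group} is unreachable"
            )
    return findings


def fix_console_fallback(config: str) -> str:
    """Rewrite console authentication lines to '<group> LOCAL'; leave everything else."""
    _, authz = parse_aaa(config)
    if authz is None or authz[0] == "LOCAL":
        return config
    group = authz[0]
    out: List[str] = []
    for raw in config.splitlines():
        m = AUTH_RE.match(raw.strip())
        if m and m.group(2) == "LOCAL":
            out.append(f"aaa authentication {m.group(1)} console {group} LOCAL")
        elif m and m.group(2) == group and m.group(3) is None:
            out.append(f"{raw.strip()} LOCAL")
        else:
            out.append(raw)
    return "\n".join(out) + ("\n" if config.endswith("\n") else "")


if __name__ == "__main__":
    for finding in find_inconsistent_paths(ORIGINAL_CONFIG):
        print("FINDING", finding)
    print("--- corrected ---")
    print(fix_console_fallback(ORIGINAL_CONFIG), end="")
```

Run it against a `show running-config aaa` dump; the corrected output is what aryoba's advice produces for the serial line, and after applying it the lint reports nothing. The power-down test he describes is still worth doing afterwards, because this check only proves the configuration is consistent, not that the device behaves as expected when the TACACS+ group times out.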