aryoba (Premium, MVM) join: 2002-08-22
reply to wasiim, Re: ACS on outside Interface
Why do you set such a privilege command list on your PIX? That would defeat the purpose of having a TACACS+ server, wouldn't it?
Set those command restrictions on your TACACS+ server instead, since it is the TACACS+ server's job to decide whether a specific command is approved for a specific user under a specific privilege level.
wasiim join: 2008-03-12
Thanks for the reply, but I'm concerned about what will happen when TACACS is unavailable: I will not be able to log in, even via the console. That is why I'm configuring the local command set, in case ACS is down, so at least I will be able to get in.
Please correct me: I will use the command authorization service only from TACACS, which I am already using and which is working fine for me. If ACS goes down, what will happen? I will be able to log in because of this command: aaa authentication serial console tacacs+ local
How will command authorization react at that time?
aryoba (Premium, MVM) join: 2002-08-22
said by wasiim: Thanks for the reply, but I'm concerned about what will happen when TACACS is unavailable: I will not be able to log in, even via the console. That is why I'm configuring the local command set, in case ACS is down, so at least I will be able to get in.

That's the reason why you need to issue aaa authentication serial console TACACS+ LOCAL. When you or somebody consoles in, the person will authenticate with the TACACS+ server when the server is available. When the server is unavailable, the person will authenticate locally.
If you want, you can do some testing by powering down your TACACS+ server or disconnecting it from the network. You can then verify the authentication behavior when the TACACS+ server is available and when it is unavailable.
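The arrangement aryoba describes (console authentication and command authorization decided by ACS, with LOCAL as the fallback when ACS is unreachable), as an added example in PIX 7.x/ASA-style syntax, not a configuration posted in this thread. The server tag ACS, the host 10.0.0.10, the key and password placeholders and the fallback-admin account are all assumptions.

```cisco
! Added example, not from the thread. ACS address, key and password are placeholders.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.0.0.10
 key <shared-key>
!
! Local emergency account; only used when every ACS server is unreachable
username fallback-admin password <strong-password> privilege 15
!
! Console and enable logins: ACS first, then the local database when ACS is down
aaa authentication serial console ACS LOCAL
aaa authentication enable console ACS LOCAL
!
! Command authorization is the ACS server's decision; the LOCAL keyword only
! falls back to local privilege levels when no ACS server answers, so no
! per-command privilege list has to be maintained on the firewall itself
aaa authorization command ACS LOCAL
```

To verify the fallback test aryoba suggests, check the server state with show aaa-server before and after disconnecting ACS, and confirm that a console login with the fallback-admin account succeeds only while ACS is marked unreachable.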