RE: Privileged mode access in a Pix

[Yang Lee <ylee () net50 com>]

Cisco provided a commercial tacacs+ server CiscoSecure Access Control 
Server. Also you can download a stripped-down tacacs+ daemon. I'll prefer 
the former simply you can get better support.

Anyway, something similiar as the following should work:

In Pix:
        ! Authorization
        aaa authorization exec default local group tacacs+      
        aaa authorization commands 1 default local group tacacs+
        ! valid only ACS offline
        aaa authorization commands 15 default local group tacacs+ if-
authenticated   

-----------------------------------------------------------------
In Tacacs+ server:
user  = test {
        profile_id = 113 
        set server current-failed-logins = 0 
        profile_cycle = 104 
        member = voiceng 
        password = clear "********" 
        service=exec {
                set priv-lvl=15
        } 
        service=shell {
                default cmd=permit
                allow "^192\.168\.110\.85$" ".*" ".*"
                refuse ".*" ".*" ".*"
        } 
 }
-------------------------------------------------------------

The code will work for IOS 12.0. I don't have a PIX in hand to test it out. 
Probably I'll get one later next week to try it out. May be you can publish 
your test result by then. Good luck.



> We are using TAC_PLUS from Cisco and we have defined different user
> profiles. The problem is that I can't configure the privileged level 15
> and access directly to the enable mode.
>
> All this is because there are users that can't know the enable
> password. In routers, they access with privileged level 15 directly to
> the privileged mode, and they only can type the commands specified in
> the TACACS. But in the PIX, they only have access to the unprivileged
> mode, so they can't do anything without the enable password.
>
> Do you know if it is possible with a Pix?
>
> Thanks in advance,
> Sonya
>
> -----Mensaje original-----
> De: Yang Lee [mailto:ylee () net50 com]
> Enviado el: martes, 19 de junio de 2001 3:49
> Para: sgilly () servicom2000 com
> CC: firewall-wizards () nfr com
> Asunto: Re: [fw-wiz] Privileged mode access in a Pix
>
>
> Modify the account user profile in tacacs+ server. What kind of tacacs+
> server you are using by the way?
>
> > I'm trying to configure authorization in a Pix. I have the following
> > commands in a Cisco router, but I haven't found the equivalence in Pix
> > configuration:
> >
> > aaa authorization exec default tacacs+ if-authenticated
> > aaa authorization commands 15 default tacacs+ if-authenticated
> >
> > I would like to access the Pix directly in privileged mode through
> > SSH, and limiting the enabled commands for different users in the
> > TACACS+ server.
> >
> > Do you know if this is possible in a Pix?   (The firewall version is
> > 5.3.1)
> >
> > Thanks in advance,
> > Sonya
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () nfr com
> > http://www.nfr.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards