PIX backdoor login

I have a PIX 506 with OS 6.3.5. I set up the PIX to use TACACS authentication. If the PIX loses its connection to the TACACS, will it fail over to local authentication, i.e. using the local enable password?

Here's the current config:

aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server ADMIN_In protocol tacacs+
aaa-server ADMIN_In (inside) host xx timeout 15
aaa-server ADMIN_In (inside) host xx timeout 15
aaa authentication serial console ADMIN_In
aaa authentication ssh console ADMIN_In
aaa authentication telnet console ADMIN_In
telnet xx xx inside
telnet timeout 30
ssh xx xx inside
ssh timeout 30
console timeout 30

Reply to
yellow

No, it will fail the way you have it; it is not pointing to local if the TACACS fails. You need to add "LOCAL" after all the ADMIN_In's, i.e.: aaa authentication telnet console ADMIN_In LOCAL

Reply to
Brian V
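
Added example, not part of the thread: a small Python check that reads PIX-style configuration text and reports every "aaa authentication ... console" line that names a remote server group without the LOCAL keyword described in the reply above. The sample input is constructed from the configuration in the question; the function names are hypothetical.

```python
import re

# Constructed sample: the console AAA lines from the question (hosts elided as "xx").
QUESTION_CONFIG = """\
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server ADMIN_In protocol tacacs+
aaa-server ADMIN_In (inside) host xx timeout 15
aaa authentication serial console ADMIN_In
aaa authentication ssh console ADMIN_In
aaa authentication telnet console ADMIN_In
"""

PROTO_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)$")
AUTH_RE = re.compile(r"^aaa authentication\s+(\S+)\s+console\s+(\S+)(?:\s+(\S+))?$")


def audit_console_fallback(config_text):
    """Return (line_no, method, group) for each console authentication line
    that points at a remote AAA group with no LOCAL fallback keyword."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    # Map each server group tag to its protocol (radius, tacacs+, local).
    protocols = {m.group(1): m.group(2).lower()
                 for m in map(PROTO_RE.match, lines) if m}
    findings = []
    for no, ln in enumerate(lines, start=1):
        m = AUTH_RE.match(ln)
        if not m:
            continue
        method, group, fallback = m.groups()
        if group == "LOCAL" or protocols.get(group) == "local":
            continue  # already authenticates against the local database
        if fallback != "LOCAL":
            findings.append((no, method, group))
    return findings


def with_local_fallback(config_text):
    """Return the config with LOCAL appended to every flagged line."""
    flagged = {no for no, _, _ in audit_console_fallback(config_text)}
    out = [ln.strip() + " LOCAL" if no in flagged else ln
           for no, ln in enumerate(config_text.splitlines(), start=1)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for no, method, group in audit_console_fallback(QUESTION_CONFIG):
        print(f"line {no}: {method} console uses {group} with no LOCAL fallback")
```
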

On my PIX 515's (6.3.3) using the 'local' failover option with TACACS, when TACACS is inaccessible the only way to log in is with username "pix" and the enable password.

Gavin Reynolds Perth, Australia

Reply to
reynoldsge
