
Tacacs & Pix


The last post on this topic is more than 180 days old. Please create a new post for your request!

Recommended Posts

Hello,

Which commands do I need to get a PIX515 to negotiate user authentication (via ssh, telnet, ...) with the TACACS server and to log administration activity on the TACACS server?

Currently everything is authenticated locally and administration activity is not logged on the TACACS server.

This is what is currently configured:

 

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server My-TACACS protocol tacacs+
aaa-server My-TACACS max-failed-attempts 3
aaa-server My-TACACS deadtime 10
aaa-server My-TACACS (inside) host x.x.x.x [key string] timeout 10
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL


I would be grateful for any reply.

Regards

MYOEY


Hi

I think I have something for you.


Configure AAA Authenticated SSH

 

Sample Config

Complete these steps to configure AAA authenticated SSH:

 

1. Make sure you can Telnet to PIX with AAA on but without SSH:

aaa-server AuthOutbound protocol radius (or tacacs+)
aaa authentication telnet console AuthOutbound
aaa-server AuthOutbound host 172.18.124.111 cisco

 

Note: When SSH is configured, the telnet 172.18.124.114 255.255.255.255 command is not needed because the ssh 172.18.124.114 255.255.255.255 inside is issued on the PIX. Both commands are included for testing purposes.

2. Add SSH using these commands:

hostname goss-d3-pix515b
domain-name rtp.cisco.com
ca gen rsa key 1024

!--- Caution: The RSA key is not saved without
!--- the ca save all command.
!--- The write mem command does not save it.
!--- In addition, if the PIX has undergone a write erase
!--- or has been replaced, then cutting and pasting
!--- the old configuration does not generate the key.
!--- You must re-enter the ca gen rsa key command.
!--- If there is a secondary PIX in a failover pair, the write standby
!--- command does not copy the key from the primary to the secondary.
!--- You must also generate and save the key on the secondary device.

ssh 172.18.124.114 255.255.255.255 inside
ssh timeout 60
aaa authen ssh console AuthOutbound
logging trap debug
logging console debug

 

Regards

onedread

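The sample above only covers authentication; the original question also asked for the administrator's activity to be recorded on the TACACS+ server, which on the PIX is command accounting, a separate aaa statement. The following configuration is an added example (it is not from either post and not Cisco's own sample): it reuses the My-TACACS server tag, the placeholder host x.x.x.x and the timeout from the first post, assumes a PIX OS 6.3 image (command accounting and command authorization are 6.x-era additions, so check the command reference of the image actually running), and uses a made-up shared secret in place of the [key string] placeholder.

```cisco
! Added example: management logins via TACACS+ plus command accounting.
! Assumptions: PIX OS 6.3, server tag My-TACACS, placeholder host x.x.x.x,
! placeholder shared secret S3cretKey (all to be replaced).
aaa-server My-TACACS protocol tacacs+
aaa-server My-TACACS max-failed-attempts 3
aaa-server My-TACACS deadtime 10
aaa-server My-TACACS (inside) host x.x.x.x S3cretKey timeout 10
!
! Restrict SSH to the management host; telnet from the inside is kept only
! while testing, as the quoted Cisco note describes.
ssh x.x.x.x 255.255.255.255 inside
ssh timeout 5
!
! Management logins: authenticate against TACACS+ instead of LOCAL.
! Keep "aaa-server LOCAL protocol local" in the config; it is still needed
! for any statement you later want to point back at the local database.
aaa authentication ssh console My-TACACS
aaa authentication telnet console My-TACACS
aaa authentication http console My-TACACS
aaa authentication enable console My-TACACS
!
! Command accounting: each command entered at privilege level 15 (the
! enable level) is sent to the TACACS+ server as an accounting record.
! Use "privilege 0" if every command, including show commands at level 0,
! should be recorded.
aaa accounting command privilege 15 My-TACACS
!
! Optional: let the TACACS+ server authorize each command as well. Test this
! from a second session before saving; a mismatch between the server's
! command set and the commands the admin needs will lock you out.
aaa authorization command My-TACACS
```

Apply the statements from a session you do not close, then open a new SSH session and confirm the login hits the TACACS+ server (the server's log should show the authentication and the first accounting records) before `write memory`. If the server is unreachable while you are testing, remember that the PIX 6.x documentation describes a fallback login with the username pix and the enable password for exactly this situation; verify that against the release notes of your image before relying on it.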