MYOEY 10 Posted April 12, 2007

Hi,

Which commands do I need to make a PIX515 negotiate user authentication (via ssh, telnet, ...) with the TACACS server and log administrative activity on the TACACS server? At the moment everything is authenticated locally and administrative activity is not logged on the TACACS server. This is what is currently configured:

    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server My-TACACS protocol tacacs+
    aaa-server My-TACACS max-failed-attempts 3
    aaa-server My-TACACS deadtime 10
    aaa-server My-TACACS (inside) host x.x.x.x [key string] timeout 10
    aaa authentication telnet console LOCAL
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL

I would be grateful for any answer.

Regards
MYOEY
onedread 10 Posted April 12, 2007

Hi,

I think I've got something for you.

Configure AAA Authenticated SSH (Sample Config)

Complete these steps to configure AAA authenticated SSH:

1. Make sure you can Telnet to the PIX with AAA on but without SSH:

    aaa-server AuthOutbound protocol radius (or tacacs+)
    aaa authentication telnet console AuthOutbound
    aaa-server AuthOutbound host 172.18.124.111 cisco

Note: When SSH is configured, the telnet 172.18.124.114 255.255.255.255 command is not needed because the ssh 172.18.124.114 255.255.255.255 inside is issued on the PIX. Both commands are included for testing purposes.

2. Add SSH using these commands:

    hostname goss-d3-pix515b
    domain-name rtp.cisco.com
    ca gen rsa key 1024
    !--- Caution: The RSA key is not saved without
    !--- the ca save all command.
    !--- The write mem command does not save it.
    !--- In addition, if the PIX has undergone a write erase
    !--- or has been replaced, then cutting and pasting
    !--- the old configuration does not generate the key.
    !--- You must re-enter the ca gen rsa key command.
    !--- If there is a secondary PIX in a failover pair, the write standby
    !--- command does not copy the key from the primary to the secondary.
    !--- You must also generate and save the key on the secondary device.
    ssh 172.18.124.114 255.255.255.255 inside
    ssh timeout 60
    aaa authen ssh console AuthOutbound
    logging trap debug
    logging console debug

Regards
onedread
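As an added check (not from either post), this Python script audits the aaa lines MYOEY posted: it lists every management service whose console authentication still points at LOCAL although a TACACS+ group with a host is defined, and flags that no aaa accounting statement exists at all, without which nothing is reported to the server. The config text is embedded as constructed sample input with the x.x.x.x placeholder kept.

```python
import re

# Constructed sample input: the aaa lines from MYOEY's post (x.x.x.x placeholder kept).
PIX_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server My-TACACS protocol tacacs+
aaa-server My-TACACS max-failed-attempts 3
aaa-server My-TACACS deadtime 10
aaa-server My-TACACS (inside) host x.x.x.x [key string] timeout 10
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
"""

GROUP_RE = re.compile(r"aaa-server (\S+) protocol (\S+)$")       # server group tag and protocol
HOST_RE = re.compile(r"aaa-server (\S+) \(\S+\) host (\S+)")       # host bound to a group
AUTH_RE = re.compile(r"aaa authentication (\S+) console (\S+)")    # console service -> group tag


def parse_aaa(config):
    """Return (groups, auth): server tag -> protocol/hosts, console service -> tag used."""
    groups, auth = {}, {}
    for line in (l.strip() for l in config.splitlines()):
        if m := GROUP_RE.match(line):
            groups.setdefault(m[1], {"protocol": None, "hosts": []})["protocol"] = m[2]
        elif m := HOST_RE.match(line):
            groups.setdefault(m[1], {"protocol": None, "hosts": []})["hosts"].append(m[2])
        elif m := AUTH_RE.match(line):
            auth[m[1]] = m[2]
    return groups, auth


def audit(config):
    """Findings: console services still on LOCAL although a TACACS+ group with a host
    exists, plus a note when no 'aaa accounting' statement is present at all."""
    groups, auth = parse_aaa(config)
    usable = sorted(t for t, g in groups.items() if g["protocol"] == "tacacs+" and g["hosts"])
    findings = []
    for service, tag in sorted(auth.items()):
        if tag == "LOCAL" and usable:
            findings.append(f"{service}: authenticates against LOCAL only; "
                            f"TACACS+ group(s) {', '.join(usable)} unused")
    if not any(l.strip().startswith("aaa accounting") for l in config.splitlines()):
        findings.append("no 'aaa accounting' statement: admin sessions and commands "
                        "are not reported to the server")
    return findings


if __name__ == "__main__":
    for finding in audit(PIX_CONFIG):
        print(finding)
```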