Have a very weird issue going on and can't figure out why. I'm using CiscoSecure for NT to provide TACACS for our routers/switches/firewalls. Currently have it set up to pull the username and password from the NT domain (single username and password makes administration easy). This works great on the routers: if you mistype your password, it fails, prompts again, enter it correctly, you're in. If you enter your password incorrectly 3 times, your NT account is disabled. This is what I want, works great. But when using this on the PIX firewall, you get 1 shot at logging in. If you incorrectly enter your password, your NT account is disabled. Looking in the ACS log, I see where the PIX is sending 4 requests to the TACACS server. Well, on the 3rd send, the account is disabled. Neither I nor Cisco TAC can figure out why the PIX is sending the login request for authentication 4 times to the TACACS server. Anyone else seen this and if so, is there a solution? Anyone else doing the same thing, using NT as the database and accessing your PIX through TACACS? Any help, suggestions, anything would be greatly appreciated.
Cisco SecureACS for NT version 2.6
PIX 515 firewall version 6.2(1)
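
One way to spot this pattern in exported failed-attempt records, added here as an example and not part of the original post: it groups failures by user and device and flags bursts that arrive faster than a person could retype a password. The CSV layout, host names, timestamps and the 2-second window are assumptions, not the actual ACS log format.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample records (not real ACS output): two human retries on a
# router, then four near-simultaneous failures for one login on the PIX.
SAMPLE_LOG = """timestamp,user,nas,result
2002-07-01 09:00:05,jsmith,router1,fail
2002-07-01 09:00:21,jsmith,router1,fail
2002-07-01 09:14:02,adoe,pix515,fail
2002-07-01 09:14:02,adoe,pix515,fail
2002-07-01 09:14:03,adoe,pix515,fail
2002-07-01 09:14:03,adoe,pix515,fail
"""

LOCKOUT_THRESHOLD = 3                # failed logons before NT disables the account (from the post)
BURST_WINDOW = timedelta(seconds=2)  # assumption: shorter than any human retry


def find_duplicate_bursts(log_text, window=BURST_WINDOW):
    """Return bursts of 2+ failures per (user, nas) whose gaps are <= window."""
    events = {}
    for row in csv.DictReader(StringIO(log_text)):
        if row["result"] != "fail":
            continue
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        events.setdefault((row["user"], row["nas"]), []).append(ts)

    bursts = []
    for (user, nas), times in events.items():
        times.sort()
        start = 0
        for i in range(1, len(times) + 1):
            # Close the current burst at end of list or when the gap is too long.
            if i == len(times) or times[i] - times[i - 1] > window:
                count = i - start
                if count > 1:
                    bursts.append({
                        "user": user, "nas": nas, "count": count,
                        "first_seen": times[start],
                        "trips_lockout": count >= LOCKOUT_THRESHOLD,
                    })
                start = i
    return bursts


if __name__ == "__main__":
    for b in find_duplicate_bursts(SAMPLE_LOG):
        print(b)
```

A burst with `trips_lockout` set means a single mistyped password was counted enough times to disable the account, which points at the device resending the request rather than at the user.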