
Tacacs+, Cisco PIX and enable password

Status
Not open for further replies.

Saeed42

ISP
Jul 4, 2001
147
We use Tacacs to authenticate SSH connections to the firewall and use the local enable password to go into enable mode. Now we wanted to use the Tacacs for enable as well, just like we do with our routers, but this is proving to be difficult to say the least. As soon as I set up enable to be authenticated from the Tacacs I keep getting authentication failure. I've checked the logs on the tacacs and there's nothing there to indicate what is going on. I also enabled "deb aaa authentication" and this was no help at all, as it only produces the following error: "308001: PIX console enable password incorrect for 3 tries (from ssh (remote xxx.xxx.xxx.xxx))". So any help would be immensely appreciated.


PIX config
aaa-server Auth protocol tacacs+
aaa-server Auth (outside) host xxx.xxx.xxx.xxx xxxxxxxxxxxxx timeout 5
aaa authentication ssh console Auth
aaa authentication enable console Auth

Tacacs Config
user = fred {
login = cleartext password
member = password
}

Info
OS Red Hat 9
tac_plus-F4.0.3.alpha-9a
Cisco PIX Firewall Version 6.3(1)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Don't be content with being average. Average is as close to the bottom as it is to the top
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
I swear that I used to have the same problem as you; my pix only had authentication on the SSH. However, I just tried authentication with enable and it now works.

I'm running 6.1(3) on the pix as you are, but tacacs is on a win 2000 server; that looks like the only difference.



 
Any ideas?


 