Cisco Blog: PIX Authentication Using Local User Database (and Kiwi CatTools)
So here's the scenario I ran into...I just set up a new client for managed network services (my company, AdTEC Networks, is doing the management). This client happened to have some fairly technical people on staff who wanted privileged mode access to the PIX firewall. No problemo...that is, until I received phone calls with people screaming, "THE NETWORK IS DOWN!!!"
There I am, feeling a cold drip of sweat trickling down the side of my face, scrolling through a running config on a PIX firewall. Aha! Who put that command there?!?! After removing the 'mystery' NAT statement, the network magically works again...now who's to blame...
Of course, all my customer's network admins denied any responsibility, and since there was only a single username/password combination on the PIX (plus the enable password), there was no way of telling who was responsible. It was time for deeper authentication on the PIX firewall.
Three commands to make this happen:
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
Then create your user accounts using this syntax:
username user1 password TUgFoweE932kS0z encrypted privilege 15
username user2 password TUgFoweE932kS0z encrypted privilege 15
...and so on
Here's the powerful result: the users now log in with their own username (user1 and user2 in this case) and their own password rather than the generic "pix" login. The ultra-cool thing (in my opinion) is that second command, "aaa authentication enable console LOCAL": it makes the enable prompt authenticate against the local user database too, so each admin uses the same personal password for enable mode as for the SSH/Telnet session, and every enable session is tied to a named account. Sweet!
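An added audit script (my own example, not from the original post) that checks a saved running-config for the three aaa commands and the local usernames described above and flags a box that still relies on the shared "pix" login and enable password. The two sample configs and the PLACEHOLDERHASH values are constructed for the demo.

```python
import re

# The three aaa commands from the post, as a running-config shows them.
REQUIRED_AAA = (
    "aaa authentication ssh console LOCAL",
    "aaa authentication enable console LOCAL",
    "aaa authorization command LOCAL",
)
# username <name> password <hash> [encrypted] [privilege <n>]
USERNAME_RE = re.compile(
    r"^username\s+(\S+)\s+password\s+\S+(?:\s+encrypted)?(?:\s+privilege\s+(\d+))?$"
)

# Constructed sample of the shared-credential setup the post started with;
# the hash values are placeholders, not real digests.
BEFORE_CONFIG = """\
enable password PLACEHOLDERHASH1 encrypted
passwd PLACEHOLDERHASH2 encrypted
"""
# Constructed sample of the same box after the post's change.
AFTER_CONFIG = BEFORE_CONFIG + """\
username user1 password TUgFoweE932kS0z encrypted privilege 15
username user2 password TUgFoweE932kS0z encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
"""

def audit_pix_config(config_text):
    """Report missing aaa commands and local users; 'accountable' means
    every admin must log in (and enable) as a named local user."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    aaa_present = {ln for ln in lines if ln.startswith("aaa ")}
    missing = [cmd for cmd in REQUIRED_AAA if cmd not in aaa_present]
    users = {}
    for ln in lines:
        m = USERNAME_RE.match(ln)
        if m:  # PIX assigns privilege 2 when the keyword is omitted
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 2
    warnings = []
    if "aaa authentication ssh console LOCAL" in aaa_present and not users:
        warnings.append("SSH authenticates against LOCAL but no usernames are defined")
    return {
        "missing_aaa": missing,
        "users": users,
        "warnings": warnings,
        "accountable": not missing and bool(users),
    }
```

Run it against `show running-config` output saved to a file; the warning line is the case to watch for when the aaa commands are entered before the username lines.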
Last, but not least, pick up a copy of Kiwi CatTools. This AWESOME (and cheap - free for 5 devices) utility does configuration change management. Now, if the configuration changes, I get an email showing me what changed and who made the changes. Niiice