When configuring the command authorization feature, do not save the configuration until it works as required. If an administrator gets locked out of the PIX Security Appliance, access can usually be recovered simply by reloading it. If the configuration has already been saved, and authentication using the LOCAL database has been configured but no usernames have been configured, a lockout problem is created. A lockout problem can also be encountered when configuring command authorization using a TACACS+ server if the TACACS+ server is unavailable, down, or misconfigured.
If access to the PIX Security Appliance cannot be recovered by restarting the PIX, use a web browser to access the following website:
http://www.cisco.com/warp/customer/110/34.shtml
This website provides a downloadable file with instructions for using it to remove the lines in the PIX Security Appliance configuration that enable authentication and cause the lockout problem. If there are Telnet or console aaa authentication commands in PIX Security Appliance Software Versions 6.2 and greater, the system will also prompt to remove these.
NOTE:
If AAA has been configured on the PIX Security Appliance, and the AAA server is down, the PIX Security Appliance can be accessed by entering the Telnet password initially, and then pix as the username and the enable password for the password. If there is no enable password in the PIX configuration, enter pix for the username and press ENTER. If the enable and Telnet passwords are set but not known, it will be necessary to continue with the password recovery process.
The PIX Password Lockout Utility is based on the PIX Security
Appliance software version that is running. Use one of the following files,
depending on the PIX software in use:
- np63.bin (6.3 version)
- np62.bin (6.2 version)
- np61.bin (6.1 version)
- np60.bin (6.0 version)
- np53.bin (5.3 version)
- np52.bin (5.2 version)
- np51.bin (5.1 version)
A different type of lockout problem can be encountered when the aaa authorization command command is used with the tacacs-server-tag argument, and the administrator is not logged in as the correct user. For every command that is entered, the PIX Security Appliance displays the following message:
Command Authorization failed
This occurs because the TACACS+ server does not have a user profile for the user account that was used for logging in. To prevent this problem, make sure that the TACACS+ server has all of the users configured with the commands that they can execute. Also make sure to log in as a user with the required profile on the TACACS+ server before enabling command authorization.
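The ordering the text recommends, both for the LOCAL-database case (create usernames before turning on LOCAL authentication and authorization) and for the TACACS+ case (log in as a user the server knows before pointing aaa authorization command at the server tag), shown as one added configuration example. This is not text from the original page or a Cisco-supplied configuration; it uses PIX 6.3 command syntax, and the server tag AuthInbound, the address 10.1.1.10, the key, and the usernames and passwords are constructed placeholders.

```text
! Added example, PIX Security Appliance 6.3 syntax. All names, addresses,
! keys and passwords below are placeholders, not values from the original page.

! 1. Populate the LOCAL database FIRST. If "aaa authentication ... LOCAL" is
!    entered while no username exists and the configuration is then saved,
!    the lockout described in the text is the result.
username admin password Adm1nPlaceholder privilege 15
username netops password Net0psPlaceholder privilege 5

! 2. Optional: lower the privilege level of selected commands so the
!    level-5 user can run them once LOCAL command authorization is on.
privilege show level 5 command interface
privilege show level 5 command xlate

! 3. Authenticate administrative sessions against the LOCAL database.
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL

! 4a. LOCAL command authorization: each command is checked against the
!     privilege level of the logged-in user.
aaa authorization command LOCAL

! 4b. TACACS+ alternative (replace 4a): define the server group whose tag is
!     the tacacs-server-tag argument, then point command authorization at it.
!     Log in as a user that already has a profile (with the permitted commands)
!     on the TACACS+ server BEFORE entering the last line; otherwise every
!     command, including the one to undo this, answers
!     "Command Authorization failed".
! aaa-server AuthInbound protocol tacacs+
! aaa-server AuthInbound (inside) host 10.1.1.10 TacacsKeyPlaceholder timeout 5
! aaa authorization command AuthInbound

! 5. Verify from a second session before saving: log in as admin and as
!    netops, run a few commands, and confirm the privilege in effect.
show aaa
show curpriv

! 6. Only after the test sessions behave as intended, save. Until this point a
!    reload still returns the appliance to the last saved (working) state.
write memory
```

If step 4b is used and the server is unreachable, misconfigured, or lacks a profile for the account, do not run write memory; reload instead, which discards the unsaved aaa authorization command line and restores the previous configuration without the TFTP-based password recovery the text describes.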
NOTE:
Password recovery for PIX Security Appliance versions through 6.3 requires a TFTP server.