PIX Security Appliance Management
PIX Security Appliance password recovery

When configuring the command authorization feature, do not save the configuration until it works as required. If an administrator gets locked out of the PIX Security Appliance, they can usually recover access by simply reloading it. If the configuration has already been saved, and authentication using the LOCAL database has been configured but no usernames have been configured, a lockout problem is created. A lockout problem can also be encountered when configuring command authorization using a TACACS+ server if the TACACS+ server is unavailable, down, or misconfigured.

If access to the PIX Security Appliance cannot be recovered by restarting the PIX, use a web browser to access the following website: http://www.cisco.com/warp/customer/110/34.shtml

This website provides a downloadable file with instructions for using it to remove the lines in the PIX Security Appliance configuration that enable authentication and cause the lockout problem. If there are Telnet or console aaa authentication commands in PIX Security Appliance Software Versions 6.2 and greater, the system will also prompt to remove these.

NOTE:

If AAA has been configured on the PIX Security Appliance, and the AAA server is down, the PIX Security Appliance can be accessed by entering the Telnet password initially, and then pix as the username and the enable password for the password. If there is no enable password in the PIX configuration, enter pix for the username and press ENTER. If the enable and Telnet passwords are set but not known, it will be necessary to continue with the password recovery process.

The PIX Password Lockout Utility is based on the PIX Security Appliance software version that is running. Use one of the following files, depending on the PIX software in use:

  • np63.bin (6.3 version)
  • np62.bin (6.2 version)
  • np61.bin (6.1 version)
  • np60.bin (6.0 version)
  • np53.bin (5.3 version)
  • np52.bin (5.2 version)
  • np51.bin (5.1 version)

A different type of lockout problem can be encountered when the aaa authorization command and tacacs-server-tag argument are used, and the administrator is not logged in as the correct user. For every command that is entered, the PIX Security Appliance displays the following message:

Command Authorization failed

This occurs because the TACACS+ server does not have a user profile for the user account that was used for logging in. To prevent this problem, make sure that the TACACS+ server has all of the users configured with the commands that they can execute. Also make sure to be logged in as a user with the required profile on the TACACS+ server.
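The two lockout conditions described above (LOCAL authentication with no usernames, and command authorization delegated to a TACACS+ server) can be checked before the configuration is saved. The following pre-save check is an added example, not part of the original courseware or of any Cisco tool; the PIX 6.x configuration it inspects is constructed for illustration, and the 10.0.0.5 server address and AuthInbound group name are made up.

```python
"""Flag the PIX 6.x lockout conditions described on this page before 'write memory'."""
import re

# Constructed sample configuration (not from a real device): authentication
# points at LOCAL with no 'username' defined, and command authorization is
# handed to a TACACS+ server group.
SAMPLE_CONFIG = """\
hostname pixfirewall
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound (inside) host 10.0.0.5 secretkey timeout 5
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command AuthInbound
telnet 10.0.0.0 255.255.255.0 inside
"""


def check_lockout_risks(config):
    """Return a list of warnings, one per lockout risk found in the config text."""
    lines = [ln.strip() for ln in config.splitlines()]
    usernames = [ln for ln in lines if ln.startswith("username ")]
    # Collect the server-group tags that are defined as TACACS+.
    tacacs_groups = set()
    for ln in lines:
        m = re.match(r"aaa-server (\S+) protocol tacacs\+", ln)
        if m:
            tacacs_groups.add(m.group(1))

    warnings = []
    for ln in lines:
        # Console/Telnet/SSH/enable authentication against an empty LOCAL database.
        m = re.match(r"aaa authentication (\S+) console (\S+)", ln)
        if m and m.group(2).upper() == "LOCAL" and not usernames:
            warnings.append(f"{m.group(1)} authentication uses LOCAL but no 'username' "
                            "is configured: saving this locks out every administrator")
        # Command authorization via TACACS+: every admin needs a server-side profile,
        # and an unreachable server yields 'Command Authorization failed'.
        m = re.match(r"aaa authorization command (\S+)", ln)
        if m:
            tag = m.group(1)
            if tag in tacacs_groups:
                warnings.append(f"command authorization via TACACS+ group '{tag}': each "
                                "admin account needs a command profile on the server, and "
                                "a server outage yields 'Command Authorization failed'")
            elif tag.upper() != "LOCAL":
                warnings.append(f"command authorization references undefined server group '{tag}'")
    return warnings


if __name__ == "__main__":
    for w in check_lockout_risks(SAMPLE_CONFIG):
        print("WARNING:", w)
```

Adding a `username ... privilege 15` line to the sample clears the LOCAL warnings but leaves the TACACS+ warning, which is the reminder to verify the server profiles before saving.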

NOTE:

Password recovery for PIX Security Appliance versions through 6.3 requires a TFTP server.


Lab Activity

Lab Exercise: Perform Password Recovery on the PIX Security Appliance

In this lab exercise, students will learn to upgrade the PIX Security Appliance software image. Students will also learn to perform password recovery procedures.

Web Links