Firewall/RADIUS/LDAP

Answered Question
Mar 12th, 2007

Hi,

Someone please help me with ip authentication proxy.


In the firewall, there are two ACLs: one for authentication and one for access. When you try to access a system behind the firewall, you are required to enter a username and password for authentication if you are permitted in the authentication ACL. The firewall then queries the RADIUS servers. The RADIUS server then queries the LDAP servers to verify the username and password. My question is: what information is returned to the RADIUS server if the username and password are valid or invalid? What information is returned to the firewall?



Thanks.



Vivek Santuka (Cisco Employee) Mon, 03/12/2007 - 11:27

Hi,


ACS gets authentication status (pass or fail) and group mapping from LDAP.


ACS then returns Access-Accept/Reject and any attributes you have configured on the user profile/group profile to the firewall.


Regards,

Vivek

nguyenvinht Mon, 03/12/2007 - 11:52

Thanks. If the RADIUS server returns Access-Accept and attributes to the firewall, are these attributes dynamically added to the access ACL? How specifically are these attributes returned to the firewall? The firewall has two ACLs: one for controlling authentication and one for controlling access.

Vivek Santuka (Cisco Employee) Mon, 03/12/2007 - 12:01

Hi,


If you have defined a downloadable ACL on the RADIUS server, it will be pushed to the firewall and added to the "access" ACL.


When the uauth expires/gets cleared the dynamic acl entry will be removed.


The attributes are pushed as AV pairs in the Access-Accept RADIUS packet.


Downloadable ACLs are not the only attributes you can push; there are many others, such as timeout.


Try debug radius on the firewall to see the AV pairs.


Regards,

Vivek

nguyenvinht Mon, 03/12/2007 - 13:17

Hi Vivek,


If I don't define any downloadable ACL on the RADIUS server, only authentication attributes, will the source IP, destination IP, and traffic types be checked against my "access-list 105" ACL? Or is the "access" ACL bypassed if I am authenticated and checked against only if I am not authenticated? Help me clear up this concept.


Thanks.


Some main configuration:

ip auth-proxy name NAME http list 120
interface FastEthernet0/0
ip address x x
ip access-group 105 in
ip auth-proxy NAME

ip http server
ip http authentication aaa

Vivek Santuka (Cisco Employee) Mon, 03/12/2007 - 13:34

Hi,


After authentication the traffic will be checked against ACL 105. It will not bypass it.


Even when you have downloadable ACLs, they get appended to the access ACL.


Regards,

Vivek

nguyenvinht Mon, 03/12/2007 - 13:46

Thanks.

So it is possible to define a profile in the RADIUS server to query the LDAP server for authentication only (Access-Accept with session timeout) and use "access-list 105" to control source IP, destination IP, and traffic type?


Correct Answer
Vivek Santuka (Cisco Employee) Tue, 03/13/2007 - 06:19

Hi,


Yes you are correct.


Regards,

Vivek
