03-12-2007 10:21 AM - edited 03-10-2019 03:02 PM
Hi,
Someone please help me with IP authentication proxy.
In the firewall there are two ACLs: one for authentication and one for access. When you try to access a system behind the firewall, you are required to enter a username and password for authentication if you are permitted in the authentication ACL. The firewall then queries RADIUS servers. The RADIUS server then queries LDAP servers to verify the username and password. My question is: what information is returned to the RADIUS server if the username and password are valid or invalid? What information is returned to the firewall?
Thanks.
03-12-2007 11:27 AM
Hi,
ACS gets the authentication status (pass or fail) and group mapping from LDAP.
ACS then returns an Access-Accept/Reject and any attributes you have configured on the user profile/group profile to the firewall.
Regards,
Vivek
03-12-2007 11:52 AM
Thanks. If the RADIUS server returns an Access-Accept and attributes to the firewall, are these attributes dynamically added to the access ACL? How specifically are these attributes returned to the firewall? The firewall has two ACLs: one for controlling authentication and one for controlling access.
03-12-2007 12:01 PM
Hi,
If you have defined a downloadable ACL on the RADIUS server, then it will be pushed to the firewall and added to the "access" ACL.
When the uauth expires or gets cleared, the dynamic ACL entry will be removed.
The attributes are pushed as AV pairs in the Access-Accept RADIUS packet.
Downloadable ACLs are not the only attributes you can push. There are many others, such as timeout.
Try debug radius on the firewall to see the AV pairs.
Regards,
Vivek
03-12-2007 01:17 PM
Hi Vivek,
If I don't define any downloadable ACL on the RADIUS server, only authentication-only attributes, will the source IP, destination IP, and traffic types be checked against my "access-list 105" ACL? Or will the "access" ACL be bypassed if I am authenticated and checked only if I am not authenticated? Help me clear up this concept.
Thanks.
Some main configuration:
ip auth-proxy name NAME http list 120
interface FastEthernet0/0
 ip address x x
 ip access-group 105 in
 ip auth-proxy NAME
ip http server
ip http authentication aaa
03-12-2007 01:34 PM
Hi,
After authentication the traffic will be checked against ACL 105. It will not bypass it.
Even when you have downloadable ACLs, they get appended to the access ACL.
Regards,
Vivek
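The following is an added configuration example, not from the original thread or from Cisco's own documentation for this page: a Cisco IOS router running ip auth-proxy against a RADIUS (ACS) server, with ACL 120 as the auth-proxy trigger list and ACL 105 as the interface "access" ACL, as in the poster's setup. The RADIUS server address 10.1.1.10, the shared key, the 192.168.1.0/24 client subnet and the interface address are assumed values. The commented AV pairs show the downloadable-ACL variant described earlier in the thread; leave them off the ACS profile for the authentication-only case.

```cisco
! Added example (not part of the original post). All addresses and the key are assumed.
aaa new-model
aaa authentication login default group radius
! auth-proxy needs an authorization method list so ACS can return per-user attributes
aaa authorization auth-proxy default group radius
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key EXAMPLEKEY
!
! Router HTTP server is what presents the login page; authenticate it via AAA
ip http server
ip http authentication aaa
!
! Cache lifetime in minutes; when it expires (or is cleared) the dynamic entries are removed
ip auth-proxy auth-cache-time 60
! Only HTTP from hosts matched by ACL 120 triggers the login page
ip auth-proxy name NAME http list 120
access-list 120 permit tcp 192.168.1.0 0.0.0.255 any eq www
!
! Interface "access" ACL. Without downloadable ACLs this is the only thing that controls
! source, destination and traffic type after login. Entries returned by ACS are added to it.
access-list 105 permit udp 192.168.1.0 0.0.0.255 any eq domain
access-list 105 deny ip any any log
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 105 in
 ip auth-proxy NAME
!
! Optional ACS side (downloadable-ACL variant): Cisco VSA cisco-av-pair (vendor 9, type 1)
! on the user or group profile, returned in the Access-Accept:
!   auth-proxy:priv-lvl=15
!   auth-proxy:proxyacl#1=permit tcp any any eq 80
!   auth-proxy:proxyacl#2=permit tcp any any eq 443
!
! To verify: "debug radius" shows the AV pairs in the Access-Accept,
! "show ip auth-proxy cache" shows the authenticated hosts and their remaining time.
```

With the ACS profile returning only an Access-Accept (no proxyacl entries), an authenticated host still has to match the static lines of ACL 105, which is the authentication-only arrangement the thread settles on; adding proxyacl AV pairs narrows or widens what each user can reach without touching the interface ACL.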
03-12-2007 01:46 PM
Thanks.
So it is possible to define a profile in the RADIUS server to query the LDAP server for authentication only (Access-Accept with a session timeout) and use "access-list 105" to control the source IP, destination IP, and traffic type?
03-13-2007 06:19 AM
Hi,
Yes you are correct.
Regards,
Vivek