PIX and FreeRADIUS

Jun 7th, 2007

Hi,

I have a PIX 515E 6.3(5). Currently I am using the local PIX database to authenticate the Remote Access VPN users. I would now like to authenticate and authorize users with an AAA server. I already have FreeRADIUS installed and tested on my network.

Could anyone please assist me in configuring the PIX to use FreeRADIUS for authentication and authorization?

thanks.

owais.ahsan Thu, 06/07/2007 - 04:45

Thanks Prem,


I went through the document, it was good help but it only demonstrates authentication, my main concern is authorization.

Can you please provide me with details on authorization?

Thanx in advance.

Premdeep Banga Thu, 06/07/2007 - 05:59

Hi,


"Authorization" available on ASA under tunnel-group is used for Remote Access VPN when we are using Certificates (correct me if I am wrong).


Otherwise, if you are looking for something like downloadable ACLs etc., that works with "authentication" being specified.


Get things working with authentication first. Also, any specific requirement, as why you need authorization as well for Remote Access VPN?


Regards,

Prem

owais.ahsan Sat, 06/09/2007 - 21:19

Hi Prem,


Thanx again for your reply. I have an application server that is running on a specific TCP port. Business partners and clients access that port through Site-to-Site and Remote Access VPN. My concerns are about the Remote Access VPN clients: if I am using PIX 515E 6.3(5), how can I restrict the clients to use only that specific host? Hence the need for the authorization. Yes, RADIUS is definitely overkill right now for me, but it is a step in the right direction, as more and more partners and clients require access to the application.


Correct me if I am wrong,

Thanx again,

Premdeep Banga Sat, 06/09/2007 - 23:31

Hi,


What you are looking for is known as Downloadable IP ACLs; you do not need to configure any authorization command on the device. You simply need authentication: when a Remote Access VPN user connects to the firewall, and if we have downloadable IP ACLs configured, the ACL gets downloaded for that client dynamically, and user access to the network can be governed using that.


Downloadable IP ACLs

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp696775


Try that out and let me know,

Prem

Premdeep Banga Sun, 06/10/2007 - 11:54

Hi,


And yes, as you are using a FreeRADIUS server, you would be required to use the Cisco AV pair to get the ACLs downloaded on a per-user/group basis.


Regards,

Prem

owais.ahsan Tue, 06/12/2007 - 21:50

Hi,


Thanx Prem, I got it to authenticate and authorize through FreeRADIUS, but instead of using downloadable ACLs I used local ACLs configured on the PIX, and it works great. FreeRADIUS sends the name of the ACL using the "Filter-Id" attribute.

I would like to achieve this by using downloadable ACLs though, but the procedure is not really very clear; I would be glad if you could shed some light on that.


Thanx again.
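As an added illustration (not part of the original thread, and not Cisco's or the FreeRADIUS project's own documentation), here are two FreeRADIUS `users` file entries that cover both approaches discussed above: the Filter-Id method the poster already has working, and the per-user ACL pushed through Cisco-AVPair that Prem points to for FreeRADIUS. The user names, passwords, host address, port and ACL name are constructed placeholders; the `ip:inacl#<n>=` encoding of the Cisco-AVPair value is the standard Cisco per-user ACL format and is assumed to apply to this PIX release, as the thread does not spell it out.

```text
# FreeRADIUS "users" file entries (constructed example).
# Syntax shown is for FreeRADIUS 2.x/3.x; FreeRADIUS 1.x used
#   User-Password == "..."  in place of  Cleartext-Password := "..."

# Variant A: reply with the NAME of an ACL that already exists on the PIX.
# The PIX side must hold the matching local ACL, e.g.
#   access-list VPN-APP-ACL permit tcp any host 10.10.10.20 eq 8443
#   access-list VPN-APP-ACL deny ip any any
vpnuser1   Cleartext-Password := "CHANGE-ME-placeholder"
           Filter-Id = "VPN-APP-ACL",
           Service-Type = Framed-User

# Variant B: push the ACL ENTRIES themselves as Cisco-AVPair values
# (ip:inacl#<sequence>=<access control entry>), so nothing has to be
# predefined on the firewall. Needs the Cisco vendor dictionary
# (dictionary.cisco) loaded, which stock FreeRADIUS installs include.
# "+=" is used so that every Cisco-AVPair line is added to the reply;
# a second "=" for the same attribute would be ignored.
vpnuser2   Cleartext-Password := "CHANGE-ME-placeholder"
           Cisco-AVPair += "ip:inacl#1=permit tcp any host 10.10.10.20 eq 8443",
           Cisco-AVPair += "ip:inacl#2=deny ip any any",
           Service-Type = Framed-User
```

On the PIX, the RADIUS server is defined with `aaa-server RADIUS protocol radius` and `aaa-server RADIUS (inside) host <server-ip> <shared-secret>`, and the crypto map is told to use it for client authentication with `crypto map <map-name> client authentication RADIUS`; only authentication is configured, as Prem notes, and the per-user ACL arrives inside the Access-Accept. Variant B is the one that matters for restricting each partner to the single application port: the ACL is applied to traffic from that client's tunnel, so a trailing `deny ip any any` keeps the user from reaching anything else behind the firewall, and changing a user's reach becomes a change on the RADIUS server rather than on the PIX. Run `radtest` against the server first and confirm the attributes appear in the Access-Accept before debugging on the firewall.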