PIX and FreeRADIUS

owais.ahsan (Level 1)

Hi,

I have a PIX 515E 6.3(5). Currently I am using the local PIX database to authenticate the Remote Access VPN users. I would now like to authenticate and authorize users with an AAA server. I already have FreeRADIUS installed and tested on my network.

Could anyone please assist me in configuring the PIX to use FreeRADIUS for authentication and authorization?

thanks.

9 Replies

Thanks Prem,

I went through the document, it was good help but it only demonstrates authentication, my main concern is authorization.

Can you please provide me with details on authorization?

Thanx in advance.

Hi,

"Authorization" available on ASA under tunnel-group is used for Remote Access VPN when we are using Certificates (correct me if I am wrong).

Otherwise, if you are looking for something like downloadable ACLs etc., that works with "authentication" being specified.

Get things working with authentication first. Also, any specific requirement, as why you need authorization as well for Remote Access VPN?

Regards,

Prem

Hi Prem,

Thanx again for your reply. I have an application server that is running on a specific TCP port. Business partners and clients access that port through site-to-site and remote access VPN. My concerns are about the remote access VPN clients: if I am using PIX 515E 6.3(5), how can I restrict the clients to use only that specific host? Hence the need for the authorization. Yes, RADIUS is definitely overkill right now for me, but it is a step in the right direction, as more and more partners and clients require access to the application.

Correct me if I am wrong,

Thanx again,

Hi,

What you are looking for is known as Downloadable IP ACLs; you do not need to configure any authorization command on the device. You simply need authentication: when a Remote Access VPN user connects to the firewall, and if we have downloadable IP ACLs configured, they get downloaded for that client dynamically, and user access to the network can be governed using that.

Downloadable IP ACLs

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp696775

Try that out and let me know,

Prem

Hi,

And yes, as you are using a FreeRADIUS server, you would be required to use the Cisco AV pair to get the ACLs downloaded on a per-user/group basis.

Regards,

Prem

Hi,

Thanx Prem, I got it to authenticate and authorize through FreeRADIUS, but instead of using downloadable ACLs I used local ACLs configured on the PIX, and it works great. FreeRADIUS sends the name of the ACL using the "Filter-Id" attribute.

I would like to achieve this by using downloadable ACLs though, but the procedure is not really very clear; I would be glad if you would shed some light on that.

Thanx again.

Hi,

Check this whole section out, it will give you ample idea on how to configure downloadable ACLs,

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/fwaaa.htm#wp1043588

Regards,

Prem
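As an added example (not from this thread or from Cisco), here is what the two approaches discussed above look like side by side: a FreeRADIUS `users` entry that returns only the ACL name in Filter-Id, so the PIX applies an ACL it already holds locally, next to an entry that pushes the ACL lines themselves through the Cisco-AVPair `ip:inacl#` attribute, plus the PIX-side commands that go with the first form. User names, addresses, the shared secret and the port are constructed; that the PIX 6.3(5) honors `ip:inacl#` av-pairs the way the ASA does is assumed here and should be checked against the Cisco documentation linked above.

```text
# --- FreeRADIUS "users" file (constructed example) ---

# Form 1: Filter-Id names an ACL that already exists on the PIX.
# The PIX only enforces it if an access-list with that exact name is configured.
alice   Cleartext-Password := "constructed-example-password"
        Filter-Id = "vpn-app-only"

# Form 2: per-user ACL carried in Cisco-AVPair (vendor 9, attribute 1).
# Each "ip:inacl#N=" line is one ACE; N gives the ordering.
# In the users file, additional instances of the same attribute use "+=".
bob     Cleartext-Password := "constructed-example-password"
        Cisco-AVPair = "ip:inacl#1=permit tcp any host 10.10.10.5 eq 8443",
        Cisco-AVPair += "ip:inacl#2=deny ip any any"

# --- PIX 6.3 side for Form 1 (constructed example) ---
# Define the RADIUS server group and point IKE Xauth at it.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.0.2.10 ConstructedSharedSecret timeout 5
crypto map outside_map client authentication RADIUS

# Local ACL whose name matches the Filter-Id value returned for alice:
# only the application port on the one host is reachable; everything else is dropped.
access-list vpn-app-only permit tcp any host 10.10.10.5 eq 8443
access-list vpn-app-only deny ip any any
```

A quick way to confirm which form the server is actually sending is to watch the Access-Accept in `radiusd -X` (FreeRADIUS debug mode) and look for Filter-Id versus Cisco-AVPair in the reply; if Filter-Id names an ACL the PIX does not have, the PIX logs that the access-list is not found rather than applying any filter.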
