06-07-2007 02:59 AM - edited 03-10-2019 03:12 PM
Hi,
I have a PIX 515E 6.3(5). Currently I am using the local PIX database to authenticate the Remote Access VPN users. I would now like to authenticate and authorize users with an AAA server. I already have FreeRADIUS installed and tested on my network.
Could anyone please assist me in configuring the PIX to use the FreeRADIUS for authentication and authorization.
thanks.
06-07-2007 04:10 AM
Hi,
Go through these two links.
The above links are for IAS, but they will help you understand the concept.
Regards,
Prem
06-07-2007 04:45 AM
Thanks Prem,
I went through the document; it was a good help, but it only demonstrates authentication. My main concern is authorization.
Can you please provide me with details on authorization?
Thanks in advance.
06-07-2007 05:59 AM
Hi,
The "authorization" option available on the ASA under tunnel-group is used for Remote Access VPN when we are using certificates (correct me if I am wrong).
Otherwise, if you are looking for something like downloadable ACLs, etc., that works with "authentication" being specified.
Get things working with authentication first. Also, is there any specific requirement as to why you need authorization as well for Remote Access VPN?
Regards,
Prem
06-09-2007 09:19 PM
Hi Prem,
Thanks again for your reply. I have an application server that is running on a specific TCP port. Business partners and clients access that port through site-to-site and remote access VPN. My concern is about the remote access VPN clients: if I am using a PIX 515E 6.3(5), how can I restrict the clients to use only that specific host? Hence the need for authorization. Yes, RADIUS is definitely overkill for me right now, but it is a step in the right direction, as more and more partners and clients require access to the application.
Correct me if I am wrong.
Thanks again,
06-09-2007 11:31 PM
Hi,
What you are looking for is known as Downloadable IP ACLs; you do not need to configure any authorization command on the device. You simply need authentication. When a remote access VPN user connects to the firewall, and if we have downloadable IP ACLs configured, the ACL gets downloaded for that client dynamically, and user access to the network can be governed using that.
Downloadable IP ACLs
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp696775
Try that out and let me know,
Prem
06-10-2007 11:54 AM
Hi,
And yes, as you are using a FreeRADIUS server, you would be required to use the Cisco AV pair to get the ACLs downloaded on a per-user/group basis.
Regards,
Prem
06-12-2007 09:50 PM
Hi,
Thanks Prem, I got it to authenticate and authorize through FreeRADIUS, but instead of using downloadable ACLs I used local ACLs configured on the PIX, and it works great. The FreeRADIUS server sends the name of the ACL using the "Filter-Id" attribute.
I would like to achieve this by using downloadable ACLs, though, but the procedure is not really very clear. I would be glad if you would shed some light on that.
Thanks again.
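The two approaches discussed in this thread, side by side, as an added configuration example (this is not configuration posted by either participant): approach A returns a Filter-Id naming an ACL that already exists on the PIX, which is what the poster reports working; approach B carries the ACEs themselves in the Access-Accept using the Cisco AV pair `ip:inacl#N=`, which is the per-user downloadable ACL form Prem refers to. All addresses, names, passwords and the shared secret are assumed placeholders. The FreeRADIUS entries use the `Cleartext-Password :=` check item of FreeRADIUS 2.x and later; the 1.x releases current in 2007 used `User-Password == "..."` in the users file instead. Exact PIX 6.3 command syntax should be confirmed against the 6.3 command reference.

```text
! ===== PIX 515E 6.3(5) side (assumed addresses) =====
! 10.1.1.5      = FreeRADIUS server, reached via the inside interface
! 10.1.2.10/8443 = the application server and TCP port partners may use

aaa-server PARTNERS protocol radius
aaa-server PARTNERS (inside) host 10.1.1.5 Sh4redS3cret timeout 5

! Approach A: the ACL named in Filter-Id must exist locally under that
! exact name. Anything not matched is dropped by the implicit deny.
access-list PARTNER_APP permit tcp any host 10.1.2.10 eq 8443

! Send remote-access (IPsec client) user authentication to the server group.
crypto map OUTSIDE_MAP client authentication PARTNERS


# ===== FreeRADIUS side: clients.conf =====
# The PIX sources RADIUS from its inside interface address (assumed 10.1.1.1);
# the secret must match the one on the aaa-server host line above.
client 10.1.1.1 {
    secret    = Sh4redS3cret
    shortname = pix515e
}

# ===== FreeRADIUS side: users =====
# Approach A: return the name of a PIX-local ACL (RADIUS attribute 11).
partner1    Cleartext-Password := "ChangeMe1"
            Filter-Id = "PARTNER_APP"

# Approach B: per-user downloadable ACL via the Cisco VSA (Cisco-AVPair,
# defined in dictionary.cisco). Each ACE is numbered; the PIX evaluates
# them in that order. "+=" is required so the second attribute is added
# rather than treated as an already-set duplicate. End with an explicit
# deny so the user gets nothing beyond the application port.
partner2    Cleartext-Password := "ChangeMe2"
            Cisco-AVPair += "ip:inacl#1=permit tcp any host 10.1.2.10 eq 8443",
            Cisco-AVPair += "ip:inacl#2=deny ip any any"
```

Two checks worth doing before relying on either approach: run `radiusd -X` on the FreeRADIUS host and `debug radius` on the PIX to confirm the Access-Accept actually carries the Filter-Id or Cisco-AVPair attributes, and then verify from a connected client that traffic to anything other than 10.1.2.10:8443 is dropped. With approach A, a typo in the ACL name on either side silently leaves the user with no per-user restriction, so the name in the `users` file and the `access-list` on the PIX should be compared character for character.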
06-13-2007 09:07 PM
Hi,
Check this whole section out; it will give you an ample idea of how to configure downloadable ACLs.
Regards,
Prem