Dynamically Assigning Firewall Rules with Radius

Unanswered Question
Jul 26th, 2007


I would like to control traffic from the LAN to the outside using a PIX firewall and RADIUS. I have found these links which describe the method of controlling access using RADIUS attributes mapped to users or groups in Active Directory. What I understood is that the user should first be authenticated through HTTP, FTP or Telnet, and then the username sent in the authentication process will be used to map the access list configured on the PIX.


Is that correct, that the user should authenticate first through HTTP, FTP or Telnet?


Is there any way to use the credentials that the user has used to log in to the client during the login process (Windows clients)?



Thanks for replying.

rochopra Thu, 07/26/2007 - 15:51


Ans 1. The PIX provides authentication for pass-through traffic (traffic which enters on one interface and exits on another interface) and by default authenticates HTTP, Telnet and FTP; you can also authenticate UDP and TCP traffic passing through the firewall.

For any non-standard port you can do authentication through the virtual telnet feature available on the PIX.

Ans 2. You cannot use the credentials cached at the time of login to Windows, because the PIX will only prompt for authentication once you try to send some traffic outside of the PIX. You can enter the same username and password again, though, and tell RADIUS to talk to AD for authentication.

The following link can be helpful for limiting access:


Hope this helps.
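
As an added illustration of the setup described in the answer above (this is not configuration posted in the thread, and it is not from any Cisco document), the following PIX 6.x-style configuration enables cut-through proxy authentication against a RADIUS server for HTTP, FTP and Telnet, adds a virtual telnet address for other ports, and shows the per-user ACL attribute a RADIUS profile can return. Interface names, addresses, ACL names and the shared key are constructed placeholders; check each command against the command reference for your PIX release.

```cisco
! --- Added example, not from the thread. All addresses, names and the
! --- shared key are constructed placeholders.

! RADIUS server group; the RADIUS server is the one that talks to AD
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 ChangeMeSharedKey timeout 5

! Traffic that must be authenticated before it may pass: LAN to anywhere on
! the ports the PIX can intercept and prompt on natively (HTTP, FTP, Telnet)
access-list AUTH_IN permit tcp 10.1.0.0 255.255.0.0 any eq www
access-list AUTH_IN permit tcp 10.1.0.0 255.255.0.0 any eq ftp
access-list AUTH_IN permit tcp 10.1.0.0 255.255.0.0 any eq telnet
aaa authentication match AUTH_IN inside RADIUS

! For ports the PIX cannot prompt on, the user authenticates first by
! telnetting to this virtual address (an otherwise unused address routed
! to the PIX); the uauth entry created there covers the later traffic
virtual telnet 192.168.254.10

! Lifetime of a user's authentication entry, and therefore of the ACL that
! was downloaded with it: once either timer expires the entry is dropped
! and the next connection attempt prompts for credentials again
timeout uauth 0:05:00 absolute uauth 0:03:00 inactivity

! --- On the RADIUS server side, the user or AD-group profile returns the
! --- per-user ACL as Cisco vendor-specific av-pairs, for example:
!   cisco-av-pair = "ip:inacl#1=permit tcp any any eq 80"
!   cisco-av-pair = "ip:inacl#2=permit tcp any any eq 443"
!   cisco-av-pair = "ip:inacl#3=deny ip any any"
! --- The explicit deny at the end keeps the user limited to the listed
! --- services rather than inheriting the interface ACL's permissions.
```

To confirm which users currently hold an authentication entry and which ACL is attached to each, use `show uauth` on the PIX; `clear uauth` removes all entries and forces every user to re-authenticate, which is a quick way to verify that the dynamic ACLs really are torn down. Note that the virtual telnet prompt carries the username and password in clear text across the LAN segment between the client and the PIX, so treat that segment and the RADIUS shared key with the same care as any other credential path.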



giaaaj Fri, 07/27/2007 - 04:05

Hi Rohit,

Thanks for replying.

After the user logs in and gets authenticated by RADIUS and the ACL is activated:

- What will happen if the user logs out? Will the PIX notice that, and how? And what will happen to the ACL?

Thanks in advance.

rochopra Fri, 07/27/2007 - 09:09


These ACLs are user specific, so as soon as the user logs off or disconnects the connection, the ACLs are removed dynamically. So the next time the user tries to access the service again, he will need to authenticate and the ACLs will be downloaded fresh.



giaaaj Mon, 08/13/2007 - 22:31


Is there any way to automate the authentication issue? I mean that the user will not give the credentials in an interactive way. Something like a service or program that answers the authentication request from the PIX by using the cached Windows login information.

