Dynamically Assigning Firewall Rules with Radius

giaaaj
Level 1

Hi,

I would like to control traffic from the LAN to outside using a PIX firewall and RADIUS. I have found these links, which describe the method of controlling access using RADIUS attributes mapped to users or groups in Active Directory. What I understood is that the user should first be authenticated through HTTP, FTP or Telnet, and then the username sent in the authentication process will be used to map the access list configured on the PIX.

Question1:

Is that correct, that the user should authenticate first through HTTP, FTP or TELNET?

Question2:

Is there any way to use the credentials that the user has used to log in to the client during the login process (Windows clients)?

http://www.giac.org/certified_professionals/practicals/GCWN/0224.php

http://www.cisco.com/en/US/docs/security/pix/pix61/configuration/guide/mngacl.pdf

Thanks for replying.

4 Replies

rochopra
Cisco Employee

Hi

Ans 1. The PIX provides authentication for pass-through traffic (traffic which enters on one interface and exits on another interface) and by default authenticates HTTP, Telnet and FTP; you can also authenticate UDP and TCP traffic passing through the firewall.

For any non-standard port you can do authentication through the Virtual Telnet feature available on the PIX.

Ans 2. You cannot use the credentials cached at the time of login to Windows, because the PIX will only prompt for authentication once you try to send some traffic outside of the PIX. You can enter the same username and password again, though, and tell RADIUS to talk to AD for authentication.

The following link can be helpful for limiting access:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd703.html#wp391230

Hope this helps.

Regards

Rohit

Hi Rohit,

Thanks for replying.

After the user logs in and is authenticated by RADIUS, and the ACL is activated:

- What will happen if the user logs out? Will the PIX notice that, and how? And what will happen to the ACL?

Thanks in advance.

Hi,

These ACLs are user-specific, so as soon as the user logs off or disconnects the connection, the ACLs are removed dynamically; the next time the user tries to access the service again, he will need to authenticate and the ACLs will be downloaded fresh.

Regards

Rohit
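The setup Rohit describes in his two replies (cut-through proxy authentication against RADIUS, Virtual Telnet for non-standard ports, and a per-user access list that is attached after authentication and dropped again later), written out as an added example that is not part of this thread. It uses PIX 6.2 command syntax; the addresses, the shared secret, the username and the ACL names are assumptions, and the RADIUS side is shown as a FreeRADIUS `users` entry rather than the AD-backed server from the original question (with AD the password line would be replaced by an MS-CHAP/ntlm_auth configuration, and Cisco ACS sets the same Filter-Id attribute from its own GUI).

```text
! ---------- PIX side (PIX 6.2 syntax; addresses and key are assumed) ----------
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.10 S3cretKey timeout 10

! Per-user ACL that lives on the PIX. RADIUS returns its name in the
! Filter-Id (attribute 11) of the Access-Accept; the PIX then applies it
! to that user's traffic. (PIX 6.2+ can alternatively receive the ACL
! body itself from ACS in Cisco-AV-Pair lines of the form ip:inacl#N=...)
access-list acl_web permit tcp any any eq www
access-list acl_web permit tcp any any eq 443
access-list acl_web deny ip any any

! Which pass-through traffic from the LAN triggers the authentication prompt.
! Only protocols the PIX can prompt on (HTTP, FTP, Telnet) belong here.
access-list auth_lan permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list auth_lan permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list auth_lan permit tcp 192.168.1.0 255.255.255.0 any eq telnet
aaa authentication match auth_lan inside RADIUS

! Virtual Telnet: an otherwise unused global address (assumed) the user
! telnets to in order to authenticate before opening a session on a port
! the PIX cannot prompt on. Telnet to that address must itself be covered
! by the authentication rule above (add it to auth_lan if it is not).
virtual telnet 203.0.113.50
access-list auth_lan permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.50 eq telnet

! Lifetime of the cached authentication entry (and with it the per-user ACL).
! Absolute: re-prompt after 5 minutes regardless of activity.
timeout uauth 0:05:00 absolute

! Operator checks on the PIX (not configuration lines):
! show uauth            -> lists currently authenticated users and their ACL
! clear uauth jdoe      -> drops one user's cached entry and ACL immediately

! ---------- RADIUS side: FreeRADIUS "users" file entry (assumed) ----------
! With Active Directory as the backend, the password line would instead be
! handled by mschap/ntlm_auth; only the reply attribute matters to the PIX.
jdoe    Cleartext-Password := "changeme"
        Filter-Id = "acl_web"
```

Two points worth checking when reproducing this: the name in Filter-Id must match an access-list that already exists on the PIX, otherwise the user is authenticated but gets no usable rule; and `show uauth` is the quickest way to confirm both that the entry was created after the browser or Telnet prompt and when it expires, since the `timeout uauth` value, not the Windows session state, is what the PIX itself keys the removal on.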

Hi,

Is there any way to automate the authentication issue? I mean that the user will not give the credentials in an interactive way. Something like a service or program that answers the authentication request from the PIX by using the cached Windows login information.
