aaa authentication

Unanswered Question
Jul 31st, 2007

I'm trying to set up authentication using a PIX 525 for some of our web servers. In preparation, I'm testing it on a PIX 515. For testing purposes, I'm not using a RADIUS or TACACS server.

I've implemented the following commands:

aaa-server LOCAL protocol local

access-list authlist permit tcp any any eq www

aaa authentication match authlist outside LOCAL

When these commands are used, authentication works as advertised. When I change the access-list to:

access-list authlist permit tcp any host eq www

where is a webserver, authentication does not occur. (We want to require authentication for some web servers but not others.) I've tried variations of the command but none has worked. The PIX just passes all traffic.

Any ideas?


rochopra Tue, 07/31/2007 - 16:20
Cisco Employee


What if you implement the access-list with the public IP of the web server?


Or if you implement the same configuration on the inside interface, like:

aaa authentication match authlist inside LOCAL
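The first suggestion above (use the server's public address in the match ACL), written out as an added example that is not from the original thread. On pre-8.3 PIX code, an access list applied to the outside interface is evaluated against the translated (global) destination address, so a match ACL on the outside interface that names the server's inside address never matches. Because `aaa authentication match` only challenges traffic that its ACL selects, an ACL with zero hits does not fail closed: the PIX forwards whatever the interface access-group permits without ever prompting, which is exactly the "passes all traffic" symptom described in the question. The addresses (192.0.2.80 outside, 10.1.1.80 inside), the ACL names and the username are assumptions invented for this example.

```cisco
! --- Assumed topology (example values, not from the thread) ---
! Inside web server 10.1.1.80 is published on the outside as 192.0.2.80.
static (inside,outside) 192.0.2.80 10.1.1.80 netmask 255.255.255.255

! Interface ACL that admits the web traffic at all. Authentication does not
! replace this rule; it only adds a login challenge for traffic that the
! aaa match ACL selects.
access-list outside_in permit tcp any host 192.0.2.80 eq www
access-group outside_in in interface outside

! LOCAL user database behind the predefined LOCAL aaa-server tag.
username webuser password ExamplePassw0rd
aaa-server LOCAL protocol local

! WRONG for a match ACL on the outside interface (pre-8.3 code): the inside
! address is never seen on the outside interface, so hitcnt stays at 0 and
! no client is challenged, while traffic still flows per outside_in.
! access-list authlist permit tcp any host 10.1.1.80 eq www

! CORRECT: name the global (public) address the outside client actually
! connects to. Other servers not listed here stay unauthenticated.
access-list authlist permit tcp any host 192.0.2.80 eq www
aaa authentication match authlist outside LOCAL

! Verification: hitcnt on authlist must increase when a browser connects,
! and the authenticated user must show up after a successful login.
show access-list authlist
show uauth
```

Check the hit counter before concluding that authentication "works": a match ACL that never matches looks identical to a working one from the client's side, except that the client is never prompted.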


Premdeep Banga Thu, 08/02/2007 - 10:12


The solution lies in where you are trying to access the server from, and where you have applied the authentication. It definitely doesn't appear to be a global IP (if you are not working in a test scenario).

"outside" in the authentication statement means that we want authentication to happen for all the traffic coming in on the outside interface.

A little topology detail will help.



