aaa authentication

noahsark
Level 1

I'm trying to set up authentication using a PIX 525 for some of our web servers. In preparation, I'm testing it on a PIX 515. For testing purposes, I'm not using a RADIUS or TACACS server.

I've implemented the following commands:

aaa-server LOCAL protocol local

access-list authlist permit tcp any any eq www

aaa authentication match authlist outside LOCAL

When these commands are used, authentication works as advertised. When I change the access-list to:

access-list authlist permit tcp any host 192.168.1.2 eq www

where 192.168.1.2 is a webserver, authentication does not occur. (We want to require authentication for some web servers but not others.) I've tried variations of the command but none has worked. The PIX just passes all traffic.

Any ideas?

Noah

2 Replies

rochopra
Cisco Employee

Hi,

What if you implement the access-list with the public IP of the web server?

Or

if you implement the same configuration on the inside interface, like:

aaa authentication match authlist inside LOCAL

~Rohit
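As an added illustration of the first suggestion above (a constructed example, not the poster's or Rohit's configuration): assume the PIX uses a static translation from 192.168.1.2 to a global address, here the assumed value 203.0.113.10. On PIX 6.x, traffic arriving on the outside interface is matched against the authentication ACL before it is translated, so an ACL naming the private address never matches on that interface, while one naming the global address does.

```text
! Constructed example. 203.0.113.10 is an assumed global address, not from the thread.
static (inside,outside) 203.0.113.10 192.168.1.2 netmask 255.255.255.255

! Does not trigger authentication on the outside interface:
! inbound packets still carry the global (pre-NAT) destination address.
access-list authlist permit tcp any host 192.168.1.2 eq www
aaa authentication match authlist outside LOCAL

! Triggers authentication: the ACL names the address the outside interface sees.
access-list authlist-pub permit tcp any host 203.0.113.10 eq www
aaa authentication match authlist-pub outside LOCAL

! Check: an authenticated user appears in the uauth cache after logging in.
show uauth
```

The access-group permitting the web traffic inbound is still required and is omitted here.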

Premdeep Banga
Level 7

Hi,

The solution lies in where you are trying to access the server from, and where you have applied the authentication.

192.168.1.2 definitely doesn't appear to be a global IP (if you are not working in a test scenario).

"outside" in the authentication statement means that we want authentication to happen for all the traffic coming in on the outside interface.

A little topology detail will help.

Regards,

Prem