PIX515E: AAA using Local Database

Rejohn Cuares · ‎10-25-2007

hello cisco people! Need your help.

Below is my running configuration of my PIX515e.

Here is the network topology:

http://img145.imageshack.us/img145/5598/pix515eap6.jpg

The problem that I am trying to solve is I want that my inside users (network 192.168.1.0/24)

be authenticated every web connection they make. With this current configuration PIX firewall

prompts login every web connection but when I reboot the PIX the PIx will not be able to challenge

the user for username and password.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

PIX Version 7.0(5)

!

hostname pix515e

enable password xxx

names

dns-guard

!

interface Ethernet0

description Outside Link

duplex full

nameif outside

security-level 0

ip address 203.177.X.X 255.255.255.248

!

interface Ethernet1

description Inside Link

duplex full

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns name-server 203.177.X.X

dns name-server 203.127.X.X

access-list OUTSIDE_IN extended permit tcp any any eq 80

access-list OUTSIDE_IN extended permit tcp any any eq 53

access-list OUTSIDE_IN extended permit udp any any eq 53

access-list OUTSIDE_IN extended permit icmp any any

access-list OUTSIDE_OUT extended permit tcp any any eq 80

access-list OUTSIDE_OUT extended permit tcp any any eq 53

access-list OUTSIDE_OUT extended permit udp any any eq 53

access-list OUTSIDE_OUT extended permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

access-group OUTSIDE_IN in interface outside

access-group INSIDE_OUT out interface outside

route outside 0.0.0.0 0.0.0.0 203.177.X.X 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username ryan password sugGTcAdkAhppJ5g encrypted

aaa authentication match OUTSIDE_IN inside LOCAL

aaa local authentication attempts max-fail 5

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please rate replies and mark question as "answered" if applicable.

Rejohn Cuares · ‎10-26-2007

issue solved. :) Thank you :)

Please rate replies and mark question as "answered" if applicable.

M-Square · ‎12-10-2007

Hi, I'm wondering if you could elaborate on how you resolved your authentication issue. We are presently working on a setup similar to your description.

Cheers.

Rejohn Cuares · ‎12-11-2007

Enabling Network Access Authentication

To enable network access authentication, perform the following steps:

Step 1:

Using the access-list command, create an ACL that identifies the source addresses and destination addresses of traffic you want to authenticate.

The permit ACEs mark matching traffic for authentication, while deny entries exclude matching traffic from authentication. Be sure to include the destination ports for either HTTP, Telnet, or FTP in the ACL because the user must authenticate with one of these services before other services are allowed through the security appliance.

Step 2:

To configure authentication, enter the following command:

hostname/contexta(config)# aaa authentication match acl_name interface_name server_group_or_LOCAL

where acl_name is the name of the ACL you created in Step 1, interface_name is the name of the interface as specified with the nameif command.

- - - - - - - - - - - - - - - - - - - - - - -

(Optional) If you are using the local database for network access authentication and you want to limit the number of consecutive failed login attempts that the security appliance allows any given user account, use the aaa local authentication attempts max-fail command.

For example:

hostname/contexta(config)# aaa local authentication attempts max-fail 7

- - - - - - - - - - - - - - - - - - - - - - -

Step 3:

Create users.

hostname/contexta(config)# username insideuser password INSIDEUSER

Step 4:

Finish. You can now test your configuration.

Traffic traversing the security appliance will need authentication.

EXAMPLE Config:

hostname/contexta(config)# username user1 password password1

hostname/contexta(config)# access-list INSIDE_AUTH extended permit tcp any any eq telnet

hostname/contexta(config)# access-list INSIDE_AUTH extended permit tcp any any eq www

hostname/contexta(config)# aaa authentication match INSIDE_AUTH inside LOCAL

hostname/contexta(config)# aaa local authentication attempts max-fail 3

RATE THIS POST IF THIS IS USEFULL TO YOU.

THANK YOU!

Please rate replies and mark question as "answered" if applicable.