AAA Authentication Exclude

Aug 16th, 2006

I have enabled the "aaa authentication exclude" command statement on PIX (6.3).


This excludes the hosts for which the firewall does not prompt for authentication.


What is the best way to add more lines into it? Do I have to remove all the commands and then all the old and new commands? I added one host in the list for exclusion, but the PIX still prompts for username/password.

aaa authentication exclude https outside x.x.x.x 255.255.255.255 a.b.c.d 255.255.255.255 authserv

aaa authentication exclude http outside x.x.x.x 255.255.255.255 a.b.c.d 255.255.255.255 authserv

aaa authentication exclude tcp/25 1.1.1.1 255.255.255.255 192.168.25.1 255.255.255.255 authserv

aaa authentication exclude tcp/25 1.1.1.2 255.255.255.255 192.168.25.2 255.255.255.255 authserv

mpalardy Thu, 08/17/2006 - 05:50

Replace tcp/25 with tcp/0.


Please review the tcp port. The pix does not support tcp/25 (smtp) specified in your config.


The tcp/0 option enables authentication for all TCP traffic, which includes FTP, HTTP, HTTPS, and Telnet. When a specific port is specified, only the traffic with a matching destination port is included or excluded for authentication. Note that FTP, Telnet, HTTP, and HTTPS are equivalent to tcp/21, tcp/23, tcp/80, and tcp/443, respectively.


http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1111727


Mike

mustafa_nbk Wed, 09/06/2006 - 00:04

Hi,

Use aaa authentication match "ACL"

In this match method you can deny all the traffic which you don't require to authenticate. This is a more controllable method.


Thanks,

Mustafa
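The following is an added configuration example that pulls the two replies together; it is not from the thread or from Cisco's documentation. It assumes PIX 6.3 syntax, the interface name outside, the server tag authserv, and the host addresses from the original post (the access-list name AUTH_IN is made up for the example).

```text
! --- Option 1: per-host exemption with "aaa authentication exclude"
! The full PIX 6.3 form is:
!   aaa authentication exclude <service> <if_name> <local_ip> <local_mask> [<foreign_ip> <foreign_mask>] <server_tag>
! Note that the interface name is a required argument; the lines in the
! original post omit it. tcp/0 matches every TCP destination port, as
! suggested above. Exclude statements accumulate; adding another host
! does not require removing the existing ones.
aaa authentication exclude tcp/0 outside 1.1.1.1 255.255.255.255 192.168.25.1 255.255.255.255 authserv
aaa authentication exclude tcp/0 outside 1.1.1.2 255.255.255.255 192.168.25.2 255.255.255.255 authserv

! --- Option 2: ACL-driven control with "aaa authentication match"
! In the matched access-list, "deny" means "do not require authentication"
! and "permit" means "require authentication". A deny here does NOT drop
! the traffic; it only exempts it from the authentication prompt.
! The list is evaluated top-down, first match wins, so the specific
! exemptions must come before the general "permit".
access-list AUTH_IN deny tcp host 1.1.1.1 host 192.168.25.1 eq smtp
access-list AUTH_IN deny tcp host 1.1.1.2 host 192.168.25.2 eq smtp
access-list AUTH_IN permit tcp any any eq www
access-list AUTH_IN permit tcp any any eq https
aaa authentication match AUTH_IN outside authserv
```

With the match form, adding or removing an exempt host is just an access-list change; the single aaa authentication statement never has to be re-entered, which answers the question about how to grow the list. Use show access-list AUTH_IN to confirm that a test connection increments the hit counter on the intended deny line rather than falling through to a permit line; a host that is still prompted is almost always matching a later entry than expected.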
