08-16-2006 09:51 AM - edited 02-21-2020 10:16 AM
I have enabled "aaa authentication exclude" commad statement on PIX (6.3).
This excludes the Hosts for which the Firewall doesnot prompt for authentication.
What is the best way to add more lines into it.Do i have to remove all the commands and then all the old and new commands.I added one host in the list for exclution,but the PIX still prompts for username/password.
aaa authentication exclude https outside x.x.x.x 255.255.255.255 a.b.c.d 255.255.255.255 authserv
aaa authentication exclude http outside x.x.x.x 255.255.255.255 a.b.c.d 255.255.255.255 authserv
aaa authentication exclude tcp/25 1.1.1.1 255.255.255.255 192.168.25.1 255.255.255.255 authserv
aaa authentication exclude tcp/25 1.1.1.2 255.255.255.255 192.168.25.2 255.255.255.255 authserv
08-17-2006 05:50 AM
Replace tcp/25 with tcp/0.
Please review the tcp port. The pix does not support tcp/25 (smtp) specified in your config.
The tcp/0 option enables authentication for all TCP traffic, which includes FTP, HTTP, HTTPS, and Telnet. When a specific port is specified, only the traffic with a matching destination port is included or excluded for authentication. Note that FTP, Telnet, HTTP, and HTTPS are equivalent to tcp/21, tcp/23, tcp/80, and tcp/443, respectively.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1111727
Mike
09-06-2006 12:04 AM
Hi,
Use aaa authentication match "ACL"
In this match mathod you can deny all the traffic which you doen't require to authenticate. This is more controlable mathod.
Thanks,
Mustafa
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide