AAA Authentication Exclude

rpsrekhi3 · ‎08-16-2006

I have enabled "aaa authentication exclude" commad statement on PIX (6.3).

This excludes the Hosts for which the Firewall doesnot prompt for authentication.

What is the best way to add more lines into it.Do i have to remove all the commands and then all the old and new commands.I added one host in the list for exclution,but the PIX still prompts for username/password.

aaa authentication exclude https outside x.x.x.x 255.255.255.255 a.b.c.d 255.255.255.255 authserv

aaa authentication exclude http outside x.x.x.x 255.255.255.255 a.b.c.d 255.255.255.255 authserv

aaa authentication exclude tcp/25 1.1.1.1 255.255.255.255 192.168.25.1 255.255.255.255 authserv

aaa authentication exclude tcp/25 1.1.1.2 255.255.255.255 192.168.25.2 255.255.255.255 authserv

mpalardy · ‎08-17-2006

Replace tcp/25 with tcp/0.

Please review the tcp port. The pix does not support tcp/25 (smtp) specified in your config.

The tcp/0 option enables authentication for all TCP traffic, which includes FTP, HTTP, HTTPS, and Telnet. When a specific port is specified, only the traffic with a matching destination port is included or excluded for authentication. Note that FTP, Telnet, HTTP, and HTTPS are equivalent to tcp/21, tcp/23, tcp/80, and tcp/443, respectively.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1111727

Mike

mustafa_nbk · ‎09-06-2006

Hi,

Use aaa authentication match "ACL"

In this match mathod you can deny all the traffic which you doen't require to authenticate. This is more controlable mathod.

Thanks,

Mustafa