05-17-2006 07:26 AM - edited 03-10-2019 02:35 PM
All,
I just read a post labeled "ACS 4.0 Behind Firewall" and it talked about opening ports 2004 to 5000 to access the ACS server that is behind the firewall. My question is: does this same port range apply if you are trying to access and authenticate to a device that is behind a firewall? When I try to access one of my devices that is behind the firewall I can't authenticate through the ACS box, so I end up using the local username and password. Can anyone tell me what ports I have to open on the firewall to allow the authentication to go back to the ACS server? Thanks
05-17-2006 01:37 PM
Hi,
The TACACS+ authentication service between network devices and the AAA server runs on TCP 49. The 2004-5000 port range is only applicable if you need to access the ACS server (for management purposes) from outside/internet. In your case, if you need to access your devices behind the firewall from an external network, what you need is to map your internal network devices to a public IP and open the desired service port, e.g. SSH (TCP 22), on your firewall outside interface ACL to allow incoming access.
For your internal devices, you need to have an appropriate AAA configuration that points to ACS (e.g. TACACS+). In your ACS, set these devices up as AAA clients and configure the appropriate IP, secret key, and TACACS+ as the protocol.
Before you test ssh access from internet/external network, test your SSH access locally. It must be successful to get AAA to authenticate your SSH connection request.
Hope this helps.
Rgds,
AK
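As an added example that is not from this thread, this is the device-side AAA configuration and the firewall rule the answer describes, in IOS 15-style and ASA syntax; the addresses (RFC 5737 ranges), names, interface names and the key placeholder are all constructed assumptions.

```cisco
! ---- Network device behind the firewall (IOS 15 syntax, assumed) ----
aaa new-model
!
! Define the ACS as a TACACS+ server; the key must match the AAA Client entry in ACS.
tacacs server ACS01
 address ipv4 198.51.100.10
 key CHANGE-ME-shared-secret
!
aaa group server tacacs+ ACS-GROUP
 server name ACS01
!
! TACACS+ first; 'local' is consulted only if no server in the group answers.
aaa authentication login VTY-AUTH group ACS-GROUP local
aaa authorization exec VTY-AUTH group ACS-GROUP local if-authenticated
!
! Source TCP 49 from a fixed address so the firewall rule can be narrow.
ip tacacs source-interface Loopback0
!
line vty 0 4
 transport input ssh
 login authentication VTY-AUTH
 authorization exec VTY-AUTH
!
! Verify from the device before testing over SSH:
!   test aaa group ACS-GROUP testuser testpass legacy
!   show tacacs          (connection counters, "sockets opened/closed")
!   debug tacacs         (shows whether the TCP 49 connect times out)

! ---- Firewall (ASA syntax, assumed), on the interface facing the device ----
! Permit only the device's TACACS source address to the ACS on TCP 49 ('tacacs' = 49).
access-list DMZ_IN extended permit tcp host 192.0.2.1 host 198.51.100.10 eq tacacs
access-group DMZ_IN in interface dmz
```

The `local` method is reached only when the TACACS+ server does not respond, which is the behaviour the original poster saw: a blocked TCP 49 makes every TACACS+ login fall through to the local username and password.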
05-18-2006 04:39 AM
Okay, I can get to my devices fine that sit on the other side of the firewall it's just when I try to login using the TACACS+ I get authentication failed, but if I use the local login username and password I can get into the device. So if I understand you correctly I need to open port 49 and allow SSH to go through the firewall. Correct?
05-18-2006 05:21 AM
Never mind. You were right, it is TCP port 49. I had someone in the security group sniff the session and it showed us that he was blocking TCP port 49. So thanks for the help.
05-18-2006 08:42 AM
Glad to hear your problem is now solved.
Rgds,
AK