Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Firewall/RADIUS/LDAP

Hi,

Someone please help me with ip authentication proxy.

In the firewall, there is two acls. One is for authentication and one is for access. When you try to access a system behind the firewall, you are required to enter username and password for authentication if you are permit in the authentication acl. The firewall then query RADIUS servers. The RADIUS server then query LDAP servers to verify username and password. My question is what information is returned to the RADIUS server if the username and password are valid and invalid? What information is returned to the Firewall?

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Firewall/RADIUS/LDAP

Hi,

Yes you are correct.

Regards,

Vivek

7 REPLIES
Cisco Employee

Re: Firewall/RADIUS/LDAP

Hi,

ACS gets authentication status (pass or fail) and group mapping from LDAP.

ACS then return Access Accept/Reject and any attributes you would have configured on the user profile/group profile to the Firewall.

Regards,

Vivek

New Member

Re: Firewall/RADIUS/LDAP

Thanks. If the Radius returns access-accept and attributes to the firewall? Are these attributes dynamically added to the access acl? How are these attributes return to the firewall specifically? The firewall has two acls. One for controlling authentication and one for controlling access.

Cisco Employee

Re: Firewall/RADIUS/LDAP

Hi,

If you have defined a downloadable ACL on the Radius server then it will be pushed to the firewall and will get added to the "access" acl.

When the uauth expires/gets cleared the dynamic acl entry will be removed.

The attributes are push as AV Pairs the Access-Accept Radius packet.

Downloadable ACLs are not the only attributes you can push. There are many such as timeout etc.

Try debug radius on the firewall to see the AV pairs.

Regards,

Vivek

New Member

Re: Firewall/RADIUS/LDAP

Hi Vivek,

If I don't define any downloadable ACL on the Radius server, only authentication only attributes, will source ip, destination ip, and traffic types checked against my "access= list 105" acl? Or bypass the "access" acl if I am authenticated and check against the "access" acl if I am not authenticated. Help me clear out this concept.

Thanks.

Some main configuration:

ip auth-proxy name NAME http list 120

interface FastEthernet0/0

ip address x x

ip access-group 105 in

ip auth-proxy NAME

ip http server

ip http authentication aaa

Cisco Employee

Re: Firewall/RADIUS/LDAP

Hi,

After authentication the traffic will be checked against ACL 105. It iwll not bypass it.

Even when you have downloadble ACLs, they get appended to the access acl.

Regards,

Vivek

New Member

Re: Firewall/RADIUS/LDAP

Thanks.

So it is possible to define a profile in the Radius Server to query LDAP server for authentication only (access-accept with session timeout) and uses "access list 105" to control source ip, dest ip, and traffic type?

Cisco Employee

Re: Firewall/RADIUS/LDAP

Hi,

Yes you are correct.

Regards,

Vivek

394
Views
15
Helpful
7
Replies
CreatePlease to create content