Cisco Support Community
New Member

PIX and FreeRADIUS

Hi,

I have a PIX 515E 6.3(5). Currently I am using the local PIX database to authenticate the Remote Access VPN users. I would now like to authenticate and authorize users with an AAA server. I already have FreeRADIUS installed and tested on my network.

Could anyone please assist me in configuring the PIX to use the FreeRADIUS for authentication and authorization?

thanks.

9 REPLIES

Re: PIX and FreeRADIUS

New Member

Re: PIX and FreeRADIUS

Thanks Prem,

I went through the document; it was good help, but it only demonstrates authentication. My main concern is authorization.

Can you please provide me with details on authorization?

Thanx in advance.

Re: PIX and FreeRADIUS

Hi,

"Authorization" available on ASA under tunnel-group is used for Remote Access VPN when we are using Certificates (correct me if I am wrong).

Otherwise, if you are looking for something like downloadable ACLs etc., that works with "authentication" being specified.

Get things working with authentication first. Also, any specific requirement, as why you need authorization as well for Remote Access VPN?

Regards,

Prem

New Member

Re: PIX and FreeRADIUS

Hi Prem,

Thanx again for your reply. I have an application server that is running on a specific TCP port. Business partners and clients access that port through site-to-site and remote access VPN. My concerns are about the remote access VPN clients: if I am using PIX 515E 6.3(5), how can I restrict the clients to use only that specific host? Hence the need for the authorization. Yes, RADIUS is definitely an overkill right now for me, but it is a step in the right direction, as more and more partners and clients require access to the application.

Correct me if i am wrong,

Thanx again,

Re: PIX and FreeRADIUS

Hi,

What you are looking for is known as Downloadable IP ACLs; you do not need to configure any authorization command on the device. You simply need authentication: when a Remote Access VPN user connects with the firewall, and if we have downloadable IP ACLs configured, it will get downloaded for that client dynamically. And user access to the network can be governed using that.

Downloadable IP ACLs

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp696775

Try that out and let me know,

Prem

Re: PIX and FreeRADIUS

Hi,

And yes, as you are using a FreeRADIUS server, you would be required to use the cisco-av-pair to get the ACLs downloaded on a per user/group basis.

Regards,

Prem

New Member

Re: PIX and FreeRADIUS

Hi,

Thanx Prem, I got it to authenticate and authorize through FreeRADIUS, but instead of using downloadable ACLs I used local ACLs configured on the PIX, and it works great. The FreeRADIUS sends the name of the ACL using the "Filter-Id" attribute.

I would like to achieve this by using downloadable ACLs though, but the procedure is not really very clear; I would be glad if you would shed some light on that.

Thanx again.

Re: PIX and FreeRADIUS

Hi,

Check this whole section out; it will give you an ample idea on how to configure downloadable ACLs:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/fwaaa.htm#wp1043588

Regards,

Prem
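The two approaches discussed in this thread, the Filter-Id method the original poster got working and the cisco-av-pair downloadable ACL method Prem pointed to, side by side as an added example. This is not configuration from the thread, from Cisco's documentation or from the FreeRADIUS project; every address, user name, password, shared secret, ACL name and the application port 8443 are constructed placeholders, and the FreeRADIUS `users` entries use 2.x syntax (`Cleartext-Password`; 1.x releases used `User-Password ==`). The PIX lines use the 6.3 `aaa-server` and `crypto map ... client authentication` syntax; verify them against the command reference for your exact release.

```text
# ---------- FreeRADIUS side ----------
# /etc/raddb/clients.conf: only the PIX may talk to this server (constructed values)
client pix515e {
    ipaddr    = 192.0.2.1                  # PIX inside interface address
    secret    = CHANGE-ME-LONG-RANDOM-SECRET
    shortname = pix
}

# /etc/raddb/users
# Method 1 (Filter-Id): RADIUS returns only the NAME of an ACL that must already
# exist on the PIX. Simple, but the policy lives on the firewall, not the AAA server.
partner1   Cleartext-Password := "CHANGE-ME"
           Service-Type = Framed-User,
           Filter-Id = "partner_app"

# Method 2 (downloadable ACL via Cisco VSA): the ACL lines themselves travel in
# cisco-av-pair attributes (dictionary.cisco must be loaded, which it is by default).
# Each "ip:inacl#N=" line is one ACE; "+=" appends rather than overwriting.
partner2   Cleartext-Password := "CHANGE-ME"
           Service-Type = Framed-User,
           Cisco-AVPair += "ip:inacl#1=permit tcp any host 192.0.2.50 eq 8443",
           Cisco-AVPair += "ip:inacl#2=deny ip any any"

# ---------- PIX 6.3 side ----------
! Point VPN client authentication at the RADIUS server (constructed addresses)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.0.2.10 CHANGE-ME-LONG-RANDOM-SECRET timeout 5
crypto map outside_map client authentication RADIUS
! ACL referenced by Filter-Id for partner1; it must exist locally on the PIX.
! Explicit deny at the end so a missing or mistyped ACL name cannot open everything.
access-list partner_app permit tcp any host 192.0.2.50 eq 8443
access-list partner_app deny ip any any
```

To check what the server actually returns before touching the firewall, run `radtest partner1 CHANGE-ME 127.0.0.1 0 <secret>` against the FreeRADIUS host (with `radiusd -X` in the foreground): the Access-Accept for `partner1` should carry `Filter-Id = "partner_app"`, and the one for `partner2` the two `Cisco-AVPair` lines. The operational difference is where a mistake fails: with Filter-Id, a name that does not match any PIX ACL leaves the user with whatever the default interface policy allows, so keep the local ACLs explicit and audited; with downloadable ACLs, a typo in the `users` file is visible in the debug output of the accept itself.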

890 Views, 15 Helpful, 9 Replies