aaa authentication with protocol/port--please translate this command

dotx
Level 1

This was originally posted in the VPN-->security section

We use Cisco VPN client v1.1 for remote access to the network. I need to make some config changes and I'm trying to understand the existing config so I don't mess up the present connectivity (I'm new to PIX).

I have the following command in my config:

aaa authentication include tcp/0 outside 172.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 partnerauth

It appears to be a legal command, because it is in the running config. However, I cannot find anything in the docs that reference the "tcp/0" parameter. I'm presently using V6.2, upgraded from V5.2. There is an example of this given for the aaa authorization command. Also, in

http://www.cisco.com/warp/public/110/atp52.html

at "Virtual Telnet Outbound," there is an example given where protocol/port is shown.

Anyway, if I am correct in my assumption, the command given above would read, in English, "Authenticate anyone from network 192.168.1.0 that arrives on the outside interface using any TCP port, to access the network 172.1.0.0, using the partnerauth server."

What does this command really do? I doubt it is even working, because the 172.1.0.0 isn't part of the 172 class B private network we use.

To further confuse me, the example below doesn't use this command at all when configuring radius authentication.

http://www.cisco.com/warp/public/110/pixcryaaa52.shtml#setup3

If anyone can point me in the right direction I would be very grateful!!

Later . . .

dotx

3 Replies

yusuff
Cisco Employee

Let me make it simple for you.

When you enter the following command on the PIX:

aaa authentication include any outside 172.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 partnerauth

it will translate to the following when you do a show run:

aaa authentication include tcp/0 outside 172.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 partnerauth

Syntax format:

aaa authentication|authorization|accounting include|exclude [ ]

As you can see from the above, in the "SVC" field, when you originally define ANY, it is replaced with tcp/0, which means "any protocol any port".

HTH

R/Yusuf

I have read elsewhere that this command is for authenticating users ON the PIX, not for authenticating VPN clients coming in, which is what I'm interested in.

I have no need to log onto the PIX from anywhere but through the console port.

If this is so, wouldn't removing this command provide additional security by not allowing external logins?

Thanks for your replies.

-dotx

yusuff
Cisco Employee

This command is used for any traffic crossing/traversing the pix, not for users logging onto the pix.

Hope that clarifies.

R/Yusuf
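As an added illustration (not code from the thread or from Cisco), the following Python script parses a PIX 6.x "aaa ... include|exclude" line, canonicalises the service field the way the first reply describes (any is stored as tcp/0), renders the rule in English as the original poster asked, and flags a rule whose local network overlaps none of the networks the firewall actually protects, which was the poster's suspicion. Field roles (local = protected network, foreign = source arriving on the named interface) follow the poster's reading of the command; the internal network used in the check is a constructed example.

```python
import ipaddress
import re

ANY_SVC = "tcp/0"  # what 'show run' displays for 'any' on PIX 6.x, per the thread
KINDS = ("authentication", "authorization", "accounting")

def canonicalize_svc(svc):
    """'any' is stored as tcp/0; otherwise expect protocol/port, e.g. tcp/23."""
    svc = svc.lower()
    if svc == "any":
        return ANY_SVC
    if re.fullmatch(r"[a-z]+/\d+", svc):
        return svc
    raise ValueError(f"unrecognised service field: {svc!r}")

def parse_aaa(line):
    """Parse 'aaa <kind> include|exclude <svc> <if> <local_ip> <mask> [<foreign_ip> <mask>] <tag>'.
    Field roles (local = protected network, foreign = source) follow the poster's reading."""
    p = line.split()
    if len(p) not in (8, 10) or p[0] != "aaa" or p[1] not in KINDS or p[2] not in ("include", "exclude"):
        raise ValueError(f"not a valid aaa include/exclude statement: {line!r}")
    local = ipaddress.ip_network(f"{p[5]}/{p[6]}", strict=False)
    # With no foreign_ip/mask given, the rule applies to any source.
    foreign = ipaddress.ip_network(f"{p[7]}/{p[8]}", strict=False) if len(p) == 10 else ipaddress.ip_network("0.0.0.0/0")
    return {"kind": p[1], "action": p[2], "svc": canonicalize_svc(p[3]),
            "interface": p[4], "local": local, "foreign": foreign, "server": p[-1]}

def explain(rule):
    """Render the rule in English, the way the poster asked."""
    svc = "any protocol/any port" if rule["svc"] == ANY_SVC else rule["svc"]
    verb = "Require" if rule["action"] == "include" else "Do not require"
    return (f"{verb} {rule['kind']} by server group '{rule['server']}' for traffic arriving on "
            f"'{rule['interface']}' from {rule['foreign']} to {rule['local']} on {svc} "
            f"(traffic crossing the PIX, not logins to the PIX itself).")

def unreachable_local(rule, internal_nets):
    """True when the rule's local network overlaps none of the networks behind the
    firewall, i.e. the rule can never match any real traffic."""
    return not any(rule["local"].overlaps(ipaddress.ip_network(n)) for n in internal_nets)

if __name__ == "__main__":
    cmd = "aaa authentication include tcp/0 outside 172.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 partnerauth"
    rule = parse_aaa(cmd)
    print(explain(rule))
    # Constructed example: the site's real internal space is the RFC 1918 172.16/12 block.
    print("rule can never match:", unreachable_local(rule, ["172.16.0.0/12"]))
```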
