Cisco Support Community

New Member

aaa authentication with protocol/port--please translate this command

This was originally posted in the VPN-->security section

We use Cisco VPN client v1.1 for remote access to the network. I need to make some config changes and I'm trying to understand the existing config so I don't mess up the present connectivity (I'm new to PIX).

I have the following command in my config:

aaa authentication include tcp/0 outside 172.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 partnerauth

It appears to be a legal command, because it is in the running config. However, I cannot find anything in the docs that reference the "tcp/0" parameter. I'm presently using V6.2, upgraded from V5.2. There is an example of this given for the aaa authorization command. Also, in

http://www.cisco.com/warp/public/110/atp52.html

at "Virtual Telnet Outbound," there is an example given where protocol/port is shown.

Anyway, if I am correct in my assumption, the command given above would read, in English, "Authenticate anyone from network 192.168.1.0 that arrives on the outside interface using any TCP port, to access the network 172.1.0.0, using the partnerauth server."

What does this command really do? I doubt it is even working, because the 172.1.0.0 isn't part of the 172 class B private network we use.

To further confuse me, the example below doesn't use this command at all when configuring radius authentication.

http://www.cisco.com/warp/public/110/pixcryaaa52.shtml#setup3

If anyone can point me in the right direction I would be very grateful!!

Later . . .

dotx

3 REPLIES
Cisco Employee

Re: aaa authentication with protocol/port--please translate this

Let me make it simple for you.

When you enter the following command on the PIX:

aaa authentication include any outside 172.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 partnerauth

it will be translated to the following when you do show run:

aaa authentication include tcp/0 outside 172.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 partnerauth

Syntax format:

aaa authentication|authorization|accounting include|exclude [ ]

As you can see above, in the "SVC" field, when you originally define ANY, it is replaced with tcp/0, which means "any protocol, any port".

HTH

R/Yusuf

New Member

Re: aaa authentication with protocol/port--please translate this

I have read elsewhere that this command is for authenticating users ON the PIX, not for authenticating VPN clients coming in, which is what I'm interested in.

I have no need to log onto the PIX from anywhere but through the console port.

If this is so, wouldn't removing this command provide additional security by not allowing external logins?

Thanks for your replies.

-dotx

Cisco Employee

Re: aaa authentication with protocol/port--please translate this

This command is used for any traffic crossing/traversing the PIX, not for users logging onto the PIX.

Hope that clarifies.

R/Yusuf
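To make the two points in this thread concrete, here is an added example (editorial, not code from the thread or from Cisco): a small Python model of PIX 6.x `aaa authentication` lines. It stores the service field the way `show run` displays it (`any` becomes `tcp/0`, as Yusuf says), separates cut-through proxy rules (`include`/`exclude`, which apply to traffic passing through the PIX) from console rules (`telnet|ssh|serial|enable console`, which apply to logins to the PIX itself), and answers, for a given connection, which aaa-server group would challenge it. The `include` line is the one from the original post; the `aaa-server` host and key, the `exclude` line, the `telnet console` line, the interface security levels, the port mapping for named services, and the rule that a matching `exclude` wins over `include` are all assumptions of the example. Two caveats worth knowing when reading the output: the PIX command reference defines `any` in this position as all TCP services (which is why it is stored as `tcp/0`, and why the matcher never fires on UDP), and the PIX can only prompt for credentials on FTP, HTTP and Telnet, so a user whose first connection is on some other TCP port is dropped until they authenticate via one of those (or via Virtual Telnet, the mechanism the original post cites).

```python
"""Interpret PIX 6.x 'aaa authentication' lines (added example, not Cisco code).

Models: 'any' -> 'tcp/0' normalization, cut-through (through-the-PIX) rules
vs. console (login-to-the-PIX) rules, and per-connection rule evaluation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed sample config. The 'include' line is the one from the thread;
# the aaa-server host/key, the 'exclude' line and the console line are assumed.
SAMPLE_CONFIG = """\
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 172.16.1.5 s3cr3t timeout 5
aaa authentication include any outside 172.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 partnerauth
aaa authentication exclude tcp/25 outside 172.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 partnerauth
aaa authentication telnet console partnerauth
"""

# Assumed interface security levels (PIX defaults: outside 0, inside 100).
SECURITY_LEVEL = {"outside": 0, "inside": 100}

# Assumed port mapping so a service typed by name compares with proto/port form.
NAMED_SERVICE_PORT = {"telnet": 23, "ftp": 21, "http": 80}


@dataclass
class CutThroughRule:
    """include|exclude <svc> <if> <local> <mask> <foreign> <mask> <tag>: transit traffic."""
    action: str
    service: str                        # stored as 'show run' displays it
    if_name: str                        # interface the user's traffic arrives on
    local_net: ipaddress.IPv4Network    # always the higher-security side
    foreign_net: ipaddress.IPv4Network  # always the lower-security side
    group_tag: str

    def service_matches(self, proto: str, port: int) -> bool:
        svc_proto, _, svc_port = self.service.partition("/")
        if svc_proto in NAMED_SERVICE_PORT:
            return proto == "tcp" and port == NAMED_SERVICE_PORT[svc_proto]
        if svc_proto != proto:          # tcp/0 covers TCP only, not UDP
            return False
        return int(svc_port) in (0, port)   # port 0 = any port


@dataclass
class ConsoleRule:
    """<telnet|ssh|serial|enable|http> console <tag>: logins to the PIX itself."""
    access: str
    group_tag: str


def normalize_service(svc: str) -> str:
    """'any' is what you type; 'tcp/0' is what show run displays."""
    return "tcp/0" if svc == "any" else svc


def parse_line(line: str) -> Optional[Union[CutThroughRule, ConsoleRule]]:
    f = line.split()
    if len(f) < 4 or f[:2] != ["aaa", "authentication"]:
        return None                     # aaa-server and other lines are not rules
    if f[3] == "console":
        return ConsoleRule(access=f[2], group_tag=f[4])
    if f[2] in ("include", "exclude") and len(f) == 10:
        return CutThroughRule(
            action=f[2], service=normalize_service(f[3]), if_name=f[4],
            local_net=ipaddress.ip_network(f"{f[5]}/{f[6]}", strict=False),
            foreign_net=ipaddress.ip_network(f"{f[7]}/{f[8]}", strict=False),
            group_tag=f[9])
    raise ValueError(f"unrecognized aaa authentication line: {line}")


def parse_config(text: str) -> list:
    return [r for r in (parse_line(l) for l in text.splitlines() if l.strip()) if r]


def auth_server_for_flow(rules, ingress_if: str, src: str, dst: str,
                         proto: str, dport: int) -> Optional[str]:
    """Group tag that would challenge this transit connection, or None.

    Console rules are never consulted: they do not affect traffic through the
    PIX. The source host sits on the ingress interface, so if that interface
    is the lowest-security one the source is 'foreign' and the destination is
    'local'; otherwise the reverse. A matching exclude wins (assumption)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inbound = SECURITY_LEVEL[ingress_if] == min(SECURITY_LEVEL.values())
    local, foreign = (dst_ip, src_ip) if inbound else (src_ip, dst_ip)
    hits = [r for r in rules if isinstance(r, CutThroughRule)
            and r.if_name == ingress_if and local in r.local_net
            and foreign in r.foreign_net and r.service_matches(proto, dport)]
    if any(r.action == "exclude" for r in hits):
        return None
    return next((r.group_tag for r in hits if r.action == "include"), None)


def console_login_server(rules, access: str) -> Optional[str]:
    """Group tag that authenticates this kind of admin login to the PIX, or None."""
    return next((r.group_tag for r in rules
                 if isinstance(r, ConsoleRule) and r.access == access), None)


def describe(rule) -> str:
    """Plain-English reading of one parsed rule."""
    if isinstance(rule, ConsoleRule):
        return f"{rule.access} logins to the PIX itself: authenticate via {rule.group_tag}"
    svc = "any TCP port" if rule.service == "tcp/0" else rule.service
    verb = (f"must authenticate via {rule.group_tag}" if rule.action == "include"
            else "is exempt from authentication")
    return (f"{svc} traffic through the PIX arriving on {rule.if_name}, from "
            f"{rule.foreign_net} (foreign) to {rule.local_net} (local): {verb}")


RULES = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    for r in RULES:
        print(describe(r))
    print(auth_server_for_flow(RULES, "outside", "192.168.1.7", "172.1.5.9", "tcp", 443))
```

Running it prints the English reading of each rule and shows that an HTTPS connection from 192.168.1.7 arriving on outside for 172.1.5.9 is challenged by partnerauth, while SMTP on the same path is not (the `exclude`), UDP is never matched by `tcp/0`, the same hosts seen on the inside interface hit no rule because the rule is bound to outside, and none of this has any bearing on who may telnet to the PIX, which is governed only by the `console` line.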
