Cisco Support Community
New Member

AAA server placement. Inside or DMZ

Hi all,

Sorry if this has been discussed, but if it has, please just point me in the right direction.

I am assisting on a RAS install using SecurID tokens using a 3660 PRI and PIX 525. The current design places the AAA server in the DMZ with the 3660 and only controlling traffic on the 3660, i.e. allowing all traffic from the 3660 to the internal network.

My issue is a) wouldn't it be more secure to place the AAA server on the inside network and b) wouldn't it be sensible to extend the AAA control to the PIX in case the 3660 is compromised?

I am about to suggest this to the designer but I would really appreciate any feedback before I go stepping on any toes.


Ian Castleman

New Member

Re: AAA server placement. Inside or DMZ

a) OK, let's put it another way, would the designer put an NT Primary Domain Controller on the DMZ? No, of course he wouldn't, because the DMZ is accessible by all, and the device holds secure information.

b) Not enough information to fully comment, but yes, but getting the PIX involved in direct authentication is usually hard work. Although a simple filter rule allowing AAA traffic (tac\ radius) between the 3660 and the AAA server (which is on the internal LAN) should suffice.
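
The filter rule described in the reply above, sketched as a PIX configuration fragment next to the permissive rule from the original design. This is an added example, not part of the original posts or the designer's configuration. The addresses (3660 at 192.168.10.2 in the DMZ, AAA server at 10.1.1.50 inside), the ACL name `dmz_in`, the interface name `dmz` and the port choices are all assumptions.

```text
! Lines starting with "!" are annotations for the reader.
! All addresses and names below are constructed for illustration.

! --- Weak: what "allowing all traffic from the 3660" amounts to ---
! A compromised 3660 can reach every inside host on every port.
access-list dmz_in permit ip host 192.168.10.2 any

! --- Tighter: AAA server inside, only AAA traffic permitted to it ---
! Identity static so the DMZ can address the inside AAA server
! (assumes no other translation already covers this host).
static (inside,dmz) 10.1.1.50 10.1.1.50 netmask 255.255.255.255

! TACACS+ (TCP 49) from the 3660 to the AAA server only
access-list dmz_in permit tcp host 192.168.10.2 host 10.1.1.50 eq 49
! RADIUS authentication and accounting; 1645/1646 are assumed here,
! use 1812/1813 if the server listens on the standard ports
access-list dmz_in permit udp host 192.168.10.2 host 10.1.1.50 eq 1645
access-list dmz_in permit udp host 192.168.10.2 host 10.1.1.50 eq 1646

! Explicit deny to the inside network (assumed 10.1.1.0/24) so that
! blocked attempts from the DMZ are logged and show up in hit counts
access-list dmz_in deny ip any 10.1.1.0 255.255.255.0

access-group dmz_in in interface dmz
```

Rules for the dial-in users' own traffic toward the inside are not shown; they would be added as specific permits ahead of the deny rather than as a blanket permit from the 3660.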

New Member

Re: AAA server placement. Inside or DMZ

Well, the suggested approach is quite a meaningful one; you might face problems when you are extending the AAA capabilities further to do direct authentication for the PIX.