PIX 515-R and Microsoft IAS (but not necessarily)

robert.bruce
Level 1

We are replacing our current Guardian firewalls with Cisco Pix firewalls and I am having a hard time coming up with a strategy that works for us.

What we do currently is define access by machine name. This way, a PC can be allocated a dynamic address yet still get the proper access. If necessary, this would be my fallback method of working.

We would like to move to a system where access to the internet is controlled according to the username as logged into Active Directory. The admins can get lots of access regardless of which terminal they are on but the 'data monkeys' can be more controlled.

I have looked at IAS for a solution but it is very much geared to providing access to the network by remote users - we need to do it the other way round.

We also need to control access on numerous protocols, I am not just talking web access. I might want to let some people watch streamed cricket or play halflife but not everybody.

Inbound access is only going to be to specific machines with static addresses and is not too complicated. It would be nice to have "groups" of access rather than specify individual protocols for each user or machine but that may not be possible.

Any help, pointers, books will be great as I am swimming out of my depth on this one.

Thanks

- Rob

3 Replies

msitzman
Cisco Employee

Looks like you need to do RADIUS authentication from the PIX for the outbound connections. You can pick whatever RADIUS server you like, although CiscoSecure ACS NT and Microsoft IAS work well. Either will allow you to leverage your existing NT user base. You will have the flexibility to group your users and even provide access restrictions by applying per-user ACLs from the RADIUS server.

Look at the Security Tech Tips on CCO for more information on configuring the PIX for this authentication.

http://www.cisco.com/warp/customer/707/index.shtml#pix

lisa.hall
Level 2

You need to use Cisco Secure ACS and configure Authentication and Authorization on the PIX.

Is that available for less than £4000?
