Cisco Support Community

Radius authentication and access-lists (PIX 515)

We have a PIX 515E firewall configured to use RADIUS authentication.

We need to be able to exclude one website from being authenticated. Access to this website is only allowed from one trusted source address (see the access list below).

We use access group to allow access from outside to inside interface.

Then we use the same access group to enable RADIUS authentication.

Here is our PIX configuration (I have replaced real IP numbers with fake ones).

***Cisco Pix configuration****
access-list acl_outside permit tcp any host 10.0.0.5 eq www
access-list acl_outside permit tcp any host 10.0.0.6 eq www
access-list acl_outside permit tcp any host 10.0.0.7 eq www
access-list acl_outside permit tcp any host 10.0.0.8 eq www
access-list acl_outside permit tcp host 192.168.0.10 gt 1023 host 10.0.0.9 eq www
access-group acl_outside in interface outside
aaa-server RADIUS protocol radius
aaa authentication match acl_outside outside RADIUS
****End***********************

We need to be able to exclude this source address from being authenticated:

access-list acl_outside permit tcp host 10.10.10.10 gt 1023 host 10.0.0.9 eq www

We tried using two separate access groups: one for the outside interface and another for RADIUS authentication, but we could not make it work.

I found some examples of how to accomplish this with the exclude command, but we don't want to use the include command for RADIUS authentication. Can we use the exclude command without include?

I appreciate any suggestions regarding this question.

1 REPLY

Re: Radius authentication and access-lists (PIX 515)

I'd need to look at your debugs to be sure, but it looks correct as entered. Try re-entering the access list with "access-list acl_outside permit tcp host 192.168.0.10 gt 1023 host 10.0.0.9 eq www" listed first. Maybe the PIX is never getting to this line if it finds a match higher up.

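Added example, not from the original thread or its replies: the two-ACL layout the question mentions, written out for PIX 6.x. The reason a single shared ACL cannot do what the question wants is that "permit" means two different things in its two roles: in the access-group ACL it means "forward this flow", in the aaa authentication match ACL it means "authenticate this flow", so the trusted host's permit line that lets its traffic through also subjects it to RADIUS. Keeping acl_outside as the interface ACL and pointing aaa authentication match at a second ACL (named acl_auth here; the name is my choice, not from the post) separates the two decisions. In a match ACL a deny entry exempts matching traffic from authentication, and entries are evaluated top-down with first match winning, so the exemption sits above any permit that could also cover that flow. Lines beginning with "!" are annotations, not PIX commands.

```text
! Interface ACL: decides what the outside interface forwards (unchanged from the post).
access-list acl_outside permit tcp any host 10.0.0.5 eq www
access-list acl_outside permit tcp any host 10.0.0.6 eq www
access-list acl_outside permit tcp any host 10.0.0.7 eq www
access-list acl_outside permit tcp any host 10.0.0.8 eq www
access-list acl_outside permit tcp host 192.168.0.10 gt 1023 host 10.0.0.9 eq www
access-group acl_outside in interface outside

! Authentication ACL (name acl_auth is assumed): decides which of the forwarded
! flows must be authenticated. permit = authenticate, deny = exempt, first match wins.
! The exemption for the trusted host is listed first so no later permit catches it.
access-list acl_auth deny tcp host 192.168.0.10 host 10.0.0.9 eq www
access-list acl_auth permit tcp any host 10.0.0.5 eq www
access-list acl_auth permit tcp any host 10.0.0.6 eq www
access-list acl_auth permit tcp any host 10.0.0.7 eq www
access-list acl_auth permit tcp any host 10.0.0.8 eq www

! aaa-server host/key lines omitted, as in the post.
aaa-server RADIUS protocol radius
aaa authentication match acl_auth outside RADIUS
```

Two points worth checking after applying this. First, the exemption does not widen what is forwarded: a flow must still pass acl_outside, so only 192.168.0.10 reaches 10.0.0.9 whether or not it is authenticated. Second, the exemption rests entirely on the source address, so it is only as trustworthy as the path that address arrives over. To verify the split is working, "show access-list" shows per-entry hit counts for both ACLs (the acl_auth deny entry should increment when the trusted host connects) and "show uauth" lists the users the PIX currently holds as authenticated; the trusted host should not appear there.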