Cisco Support Community
New Member

Setting up AAA server for authentication and audit

We are using PIX 515-UR. We have set up static routes to the high security network and are able to connect to specific servers on the inside.

We are now looking at setting the AAA options. We have never tried one setup; could anybody indicate the minimum requirements for the AAA server setup?

Trying to read the guide, it is very difficult to set up.

Please suggest.

Thanks

1 REPLY
New Member

Re: Setting up AAA server for authentication and audit

You're not kidding about some of those guides being difficult to follow. Here is an example of a very simple standard integration of PIX and AAA, so that all incoming and outgoing connections will require authentication. But keep in mind that there must first be a path through the PIX for this traffic, whether using conduits or access lists to allow it through. Once it can get through, THEN we can require authentication for it.

aaa-server MyServer1 protocol tacacs+
aaa-server MyServer2 protocol radius
aaa-server MyServer1 (inside) host 192.168.1.1 thisismykey timeout 5
aaa-server MyServer2 (inside) host 192.168.1.2 thisismyotherkey timeout 5
aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MyServer1
aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MyServer2
timeout uauth 1:00:00 absolute uauth 0:20:00 inactivity

Those first two commands name the servers and assign their protocol. The tacacs+ server we have named "MyServer1," and the radius server we have named "MyServer2." You will most likely only use one or the other - I highly recommend tacacs+.

The next two commands define the address of these servers - (inside) means that they are connected to the inside interface. The keys are fairly obvious there, and you do not have to type the "timeout 5" in there - it will show up by default. The PIX waits 5 seconds for a reply to the authentication request.

The next two commands set up authentication, the first for connections originating from the inside, the second for connections originating from the outside. Outbound traffic authenticates to MyServer1, inbound traffic authenticates to MyServer2.

The last command defines the idle timeout. With this format, after an hour has passed, the users will be required to re-authenticate, even if the connection has not been idle. If the connection is idle, they will have to authenticate after 20 minutes.

Here is one VERY important item to remember - the only protocols that are able to bring up the authentication window are ftp, http and telnet. This means that a user MUST initiate their connection through the PIX with one of these three in order for it to work. If they try to start with another protocol, even https, the authentication window will not pop up and thus there is no way for the PIX to get their credentials.

Then on the AAA server, it will just need a profile listing the PIX as an authentication device, and the AAA server will identify it by the IP address of the closest PIX interface.

This is a very basic intro, here is a great link for more:

http://www.cisco.com/warp/customer/110/atp52.html

Good luck!

295 Views | 0 Helpful | 1 Replies
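The reply above lists seven commands and then explains, line by line, what each one must agree with: a server tag needs both a protocol line and a host line, an authentication rule must point at a defined tag, and the inactivity timer should be shorter than the absolute one. The script below is an added example (not code from the original thread or from Cisco) that parses exactly those command forms and reports the mismatches a reviewer would look for. The sample configuration is constructed from the reply's lines plus one extra rule that references a server tag, MyServer3, which is never defined, so the audit has something to catch; the default host timeout of 5 seconds is taken from the reply's own explanation.

```python
"""Sanity-check PIX 6.x-style AAA configuration lines.

Added example, not from the original thread or from Cisco. It understands only
the aaa-server / aaa authentication include / timeout uauth forms quoted in the
reply; other PIX AAA keywords are ignored.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the reply's configuration plus one rule that names a
# server tag (MyServer3) which is never defined.
SAMPLE_CONFIG = """\
aaa-server MyServer1 protocol tacacs+
aaa-server MyServer2 protocol radius
aaa-server MyServer1 (inside) host 192.168.1.1 thisismykey timeout 5
aaa-server MyServer2 (inside) host 192.168.1.2 thisismyotherkey timeout 5
aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MyServer1
aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MyServer2
aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MyServer3
timeout uauth 1:00:00 absolute uauth 0:20:00 inactivity
"""

# Per the reply, only these services can bring up the PIX authentication prompt.
PROMPTING_SERVICES = {"ftp", "http", "telnet"}
DEFAULT_HOST_TIMEOUT = 5  # the reply says "timeout 5" is the default


@dataclass
class ServerGroup:
    protocol: str | None = None
    hosts: list[dict] = field(default_factory=list)


@dataclass
class AaaConfig:
    servers: dict[str, ServerGroup] = field(default_factory=dict)
    rules: list[dict] = field(default_factory=list)
    uauth: dict[str, int] = field(default_factory=dict)  # "absolute"/"inactivity" -> seconds


def hms_to_seconds(text: str) -> int:
    """Convert the PIX hh:mm:ss timer format to seconds."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_config(text: str) -> AaaConfig:
    cfg = AaaConfig()
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "aaa-server" and len(tokens) >= 4 and tokens[2] == "protocol":
            # aaa-server TAG protocol tacacs+|radius
            cfg.servers.setdefault(tokens[1], ServerGroup()).protocol = tokens[3]
        elif tokens[0] == "aaa-server" and len(tokens) >= 5 and tokens[3] == "host":
            # aaa-server TAG (IFACE) host IP [KEY] [timeout N]
            rest = tokens[5:]
            key, timeout = None, DEFAULT_HOST_TIMEOUT
            if rest and rest[0] != "timeout":
                key = rest.pop(0)
            if len(rest) >= 2 and rest[0] == "timeout":
                timeout = int(rest[1])
            group = cfg.servers.setdefault(tokens[1], ServerGroup())
            group.hosts.append({"iface": tokens[2].strip("()"), "ip": tokens[4],
                                "key": key, "timeout": timeout})
        elif tokens[:3] == ["aaa", "authentication", "include"] and len(tokens) >= 10:
            # aaa authentication include SERVICE DIRECTION LIP LMASK FIP FMASK TAG
            cfg.rules.append({"service": tokens[3], "direction": tokens[4], "server": tokens[9]})
        elif tokens[0] == "timeout":
            # Several uauth timers may share one timeout line, as in the reply.
            for value, kind in re.findall(r"uauth (\d+:\d\d:\d\d) (absolute|inactivity)", raw):
                cfg.uauth[kind] = hms_to_seconds(value)
    return cfg


def audit(cfg: AaaConfig) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for tag, group in cfg.servers.items():
        if group.protocol is None:
            findings.append(f"{tag}: host defined but no 'protocol' line")
        if not group.hosts:
            findings.append(f"{tag}: protocol defined but no host; rules using this tag cannot authenticate")
        for host in group.hosts:
            if host["key"] is None:
                findings.append(f"{tag}: host {host['ip']} has no shared key")
    for rule in cfg.rules:
        if rule["server"] not in cfg.servers:
            findings.append(f"{rule['direction']} rule references undefined server tag {rule['server']}")
        if rule["service"] not in PROMPTING_SERVICES:
            findings.append(f"{rule['direction']} rule covers service '{rule['service']}': only ftp/http/telnet "
                            "can prompt, so other traffic waits until the user authenticates with one of those")
    absolute, inactivity = cfg.uauth.get("absolute"), cfg.uauth.get("inactivity")
    if absolute is not None and inactivity is not None and inactivity >= absolute:
        findings.append("uauth inactivity timer is not shorter than the absolute timer, so it never fires")
    return findings


if __name__ == "__main__":
    for line in audit(parse_config(SAMPLE_CONFIG)):
        print(line)
```

Run against the sample, the audit flags the undefined MyServer3 tag and notes, for each `include any` rule, the reply's caveat that only ftp, http and telnet traffic can trigger the credential prompt; the two defined servers and the 1:00:00 / 0:20:00 timer pair pass.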