Re: Setting up AAA server for authentication and audit
You're not kidding about some of those guides being difficult to follow. Here is an example of a very simple standard integration of PIX and AAA, so that all incoming and outgoing connections will require authentication. But keep in mind that there must first be a path through the PIX for this traffic, whether using conduits or access lists to allow it through. Once it can get through, THEN we can require authentication for it.
Those first two commands name the servers and assign their protocol. The tacacs+ server we have named "MyServer1," and the radius server we have named "MyServer2." You will most likely only use one or the other - I highly recommend tacacs+.
The next two commands define the address of these servers - (inside) means that they are connected to the inside interface. The keys are fairly obvious there, and you do not have to type the "timeout 5" in there - it will show up by default. The PIX waits 5 seconds for a reply to the authentication request.
The next two commands set up authentication, the first for connections originating from the inside, the second for connections originating from the outside. Outbound traffic authenticates to MyServer1, inbound traffic authenticates to MyServer2.
The last command defines the idle timeout. With this format, after an hour has passed, the users will be required to re-authenticate, even if the connection has not been idle. If the connection is idle, they will have to authenticate after 20 minutes.
Here is one VERY important item to remember - the only protocols that are able to bring up the authentication window are ftp, http and telnet. This means that a user MUST initiate their connection through the PIX with one of these three in order for it to work. If they try to start with another protocol, even https, the authentication window will not pop up and thus there is no way for the PIX to get their credentials.
Then on the AAA server, it will just need a profile listing the PIX as an authentication device, and the AAA server will identify it by the IP address lying on the closest PIX interface.
This is a very basic intro; here is a great link for more:
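The command set that the reply walks through is not reproduced on the page, so here is an added PIX 6.x configuration fragment (not the poster's own text) laid out in the order the explanation follows: two server tags with their protocols, the host definitions on the inside interface, the outbound and inbound authentication rules, and the uauth timeouts. The server addresses 10.1.1.10 and 10.1.1.11, the shared-secret strings, and the interface name "inside" are constructed placeholders; replace them with your own values.

```cisco
! Added example configuration; server tags taken from the reply, addresses and keys are placeholders.
! Name the two AAA servers and assign their protocol (you will normally use only one).
aaa-server MyServer1 protocol tacacs+
aaa-server MyServer2 protocol radius

! Define the server hosts on the inside interface with their shared secret.
! "timeout 5" is the default and appears in the config even if you do not type it.
aaa-server MyServer1 (inside) host 10.1.1.10 EXAMPLE_TACACS_KEY timeout 5
aaa-server MyServer2 (inside) host 10.1.1.11 EXAMPLE_RADIUS_KEY timeout 5

! Require authentication for all outbound connections (inside -> outside) against MyServer1
! and for all inbound connections (outside -> inside) against MyServer2.
! Traffic must already be permitted by a conduit or access-list before these rules apply,
! and only ftp, http and telnet can raise the credential prompt.
aaa authentication include any outbound 0 0 0 0 MyServer1
aaa authentication include any inbound 0 0 0 0 MyServer2

! Re-authenticate after one hour regardless of activity, or after 20 minutes idle.
timeout uauth 1:00:00 absolute uauth 0:20:00 inactivity
```

Verify the result with `show aaa-server` and `show uauth` on the PIX, and confirm that the AAA server has a client entry keyed to the PIX interface address that faces it (here, the inside interface), with a shared secret matching the one in the host lines.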