https://community.cisco.com/t5/network-access-control/aaa-server-placement-inside-or-dmz/m-p/17801#M1301 <HTML><HEAD></HEAD><BODY><P>a) OK, let's put it another way, would the designer put NT Primary Domian Controller on the DMZ? No, of course he wouldn't, because the DMZ is accessible by all, and the device holds secure information.</P><P>b) Not enough information to fully comment, but yes, but getting the pix involved in direct authentication is usually hard work. Although a simple filter rule allowing AAA traffic (tac\ radius) between the 3660 and the AAA server (which is on the internal LAN) should surfice.</P></BODY></HTML> Tue, 30 Oct 2001 00:09:39 GMT p.jacques 2001-10-30T00:09:39Z https://community.cisco.com/t5/network-access-control/aaa-server-placement-inside-or-dmz/m-p/17800#M1296 <P>Hi all,</P><P></P><P>Sorry if this is has been discussed but if it has please just point me in the right direction.</P><P></P><P>I am assisting on a RAS install using SecureID tokens using a 3660 PRI and PIX 525. The current design places the AAA server in the DMZ with the 3660 and only controlling traffic on the 3660, i.e. allowing all traffic from the 3660 to the internal network.</P><P></P><P>My issue is a) wouldn't it be more secure to place the AAA server on the inside network and b) wouldn't it be sensible to extend the AAA control to the PIX in case the 3660 is compromised.</P><P></P><P>I am about to suggest this to the designer but I would really appreciate any feedback before i go stepping on any toes.</P><P></P><P>Thanks</P><P></P><P>Ian Castleman</P> Fri, 21 Feb 2020 17:57:42 GMT https://community.cisco.com/t5/network-access-control/aaa-server-placement-inside-or-dmz/m-p/17800#M1296 castlei 2020-02-21T17:57:42Z https://community.cisco.com/t5/network-access-control/aaa-server-placement-inside-or-dmz/m-p/17801#M1301 <HTML><HEAD></HEAD><BODY><P>a) OK, let's put it another way, would the designer put NT Primary Domian Controller on the DMZ? No, of course he wouldn't, because the DMZ is accessible by all, and the device holds secure information.</P><P>b) Not enough information to fully comment, but yes, but getting the pix involved in direct authentication is usually hard work. Although a simple filter rule allowing AAA traffic (tac\ radius) between the 3660 and the AAA server (which is on the internal LAN) should surfice.</P></BODY></HTML> Tue, 30 Oct 2001 00:09:39 GMT https://community.cisco.com/t5/network-access-control/aaa-server-placement-inside-or-dmz/m-p/17801#M1301 p.jacques 2001-10-30T00:09:39Z https://community.cisco.com/t5/network-access-control/aaa-server-placement-inside-or-dmz/m-p/17802#M1304 <HTML><HEAD></HEAD><BODY><P>WEll the suggested approach is a quite meaningfull one, you might face problems when you are extending the AAA capabiliteies to further do direct authentication for the PIX.</P></BODY></HTML> Tue, 30 Oct 2001 09:38:46 GMT https://community.cisco.com/t5/network-access-control/aaa-server-placement-inside-or-dmz/m-p/17802#M1304 vipin 2001-10-30T09:38:46Z