https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765552#M420483 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>And yes, as you are using FreeRadius server, then you would be required to use cisco av pair to get the acls downloaded on per user/group basis.</P><P></P><P>Regards,</P><P>Prem</P></BODY></HTML> Sun, 10 Jun 2007 18:54:08 GMT Premdeep Banga 2007-06-10T18:54:08Z https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765545#M420476 <P>Hi,</P><P>I have a PIX 515E 6.3(5). Currently i am using the local PIX database to authenticate the Remote Access VPN users. I would now like to authenticate and authorize users with a AAA server. I already have FreeRADIUS installed and tested on my network.</P><P>Could anyone please assist me in configuring the PIX to use the FreeRADIUS for authentication and authorization.</P><P>thanks. </P> Sun, 10 Mar 2019 22:12:02 GMT https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765545#M420476 owais.ahsan 2019-03-10T22:12:02Z https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765546#M420477 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Go through these two links,</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml</A></P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml</A></P><P></P><P>Above links are with IAS, but will help you understand the concept.</P><P></P><P>Regards,</P><P>Prem</P></BODY></HTML> Thu, 07 Jun 2007 11:10:08 GMT https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765546#M420477 Premdeep Banga 2007-06-07T11:10:08Z https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765547#M420478 <HTML><HEAD></HEAD><BODY><P>Thanks Prem,</P><P></P><P>I went through the document, it was good help but it only demonstrates authentication, my main concern is authorization.</P><P>Can you please provide me with details on authorization?</P><P>Thanx in advance.</P></BODY></HTML> Thu, 07 Jun 2007 11:45:21 GMT https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765547#M420478 owais.ahsan 2007-06-07T11:45:21Z https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765548#M420479 <HTML><HEAD></HEAD><BODY><P>Thanks Prem,</P><P></P><P>I went through the document, it was good help but it only demonstrates authentication, my main concern is authorization.</P><P>Can you please provide me with details on authorization?</P><P>Thanx in advance.</P></BODY></HTML> Thu, 07 Jun 2007 11:47:05 GMT https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765548#M420479 owais.ahsan 2007-06-07T11:47:05Z https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765549#M420480 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>"Authorization" available on ASA under tunnel-group is used for Remote Access VPN when we are using Certificates (correct me if I am wrong).</P><P></P><P>Otherwise if you are looking for something like downloadable ACL's etc, that works with "authentication" being specified.</P><P></P><P>Get things working with authentication first. Also, any specific requirement, as why you need authorization as well for Remote Access VPN?</P><P></P><P>Regards,</P><P>Prem</P></BODY></HTML> Thu, 07 Jun 2007 12:59:02 GMT https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765549#M420480 Premdeep Banga 2007-06-07T12:59:02Z https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765550#M420481 <HTML><HEAD></HEAD><BODY><P>Hi Prem,</P><P></P><P>Thanx again for your reply. I have an application server that is running on a specific tcp port. Business partners and clients access that port through Site - to - Site and remote access VPN. My concerns are about the remote access VPN clients, if i am using PIX 515E 6.3(5) how can i restrict the clients to use only that specific host, hence the need for the authorization, yes, RADIUS is definitely an overkill right now for me, but it is a step in the right direction, as more and more partners and clients are required access to the application.</P><P></P><P>Correct me if i am wrong,</P><P>Thanx again,</P></BODY></HTML> Sun, 10 Jun 2007 04:19:43 GMT https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765550#M420481 owais.ahsan 2007-06-10T04:19:43Z https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765551#M420482 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>What you are looking for is know as Downloadable IP ACLs, you do not need to configure any authorization command on the device. You simply need authentication, when a remote Access VPN user connects with the firewall, and if we have downloadable IP acls configured, it will get downloaded for that client dynamically. And user access to the network can be governed using that.</P><P></P><P>Downloadable IP ACLs</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp696775" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp696775</A></P><P></P><P>Try that out and let me know,</P><P>Prem</P></BODY></HTML> Sun, 10 Jun 2007 06:31:21 GMT https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765551#M420482 Premdeep Banga 2007-06-10T06:31:21Z https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765552#M420483 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>And yes, as you are using FreeRadius server, then you would be required to use cisco av pair to get the acls downloaded on per user/group basis.</P><P></P><P>Regards,</P><P>Prem</P></BODY></HTML> Sun, 10 Jun 2007 18:54:08 GMT https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765552#M420483 Premdeep Banga 2007-06-10T18:54:08Z https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765553#M420484 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanx prem, I got it to authenticate and authorize through FreeRADIUS, but instead of using downloadable ACLs i used local ACLs configured on the PIX and it works great. The FreeRADIUS sends the name of the ACL using the "Filter-Id" attribute.</P><P>I would like to achieve this by using downloadable ACLs though, but the procedure it not really very clear, would be glad if you would shed some light on that.</P><P></P><P>Thanx again.</P><P></P><P></P><P></P></BODY></HTML> Wed, 13 Jun 2007 04:50:46 GMT https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765553#M420484 owais.ahsan 2007-06-13T04:50:46Z https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765554#M420485 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Check this whole section out, it will give you ample idea on how to configure downloadable ACLs,</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/fwaaa.htm#wp1043588" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/fwaaa.htm#wp1043588</A></P><P></P><P>Regards,</P><P>Prem</P></BODY></HTML> Thu, 14 Jun 2007 04:07:21 GMT https://community.cisco.com/t5/network-access-control/pix-and-freeradius/m-p/765554#M420485 Premdeep Banga 2007-06-14T04:07:21Z