topic Re: AAA control for inside network in Network Access Control

AAA control for inside network

j.joe — Fri, 21 Feb 2020 17:57:06 GMT

I knew that AAA can be easily set to control VPN connection from outsite. How about controlling traffic from inside to outside?

Re: AAA control for inside network

mmellet — Thu, 21 Jun 2001 19:16:49 GMT

Most firewalls support outbound authentication with AAA. We use the PIX and Cisco Secure ACS for outbound authentication. Works well. It might be a little trickier with controlling outbound VPN since the PIX doesn’t have anyway to proxy the authentication for that but you can use http, ftp or telnet to authenticate the user first, then open the VPN ports/protocols.

Re: AAA control for inside network

j.joe — Fri, 22 Jun 2001 17:46:24 GMT

As your message mentioned, PIX support outbound authentication with AAA. Should it be done to all outbound traffic including VPN outbound?

BTW, can PIX support outbound authentication with Microsoft Radius? Must user authenticate on screen instead of passing workstations' login information when outbound connection is going to make?

Re: AAA control for inside network

mmellet — Mon, 25 Jun 2001 19:44:48 GMT

If you want to authenticate outbound VPN on the PIX then you’ll have to authenticate everything outbound and use http, telnet or ftp to authenticate your outbound traffic. Once authenticated, all ports and protocols will open and the user can setup and use VPN. You can build AAA exception statements for specific hosts like mail servers and/or administrators. I’m not familiar with Microsoft’s RADIUS but I would guess it’s standard RADIUS, which is supported by the PIX. You might look at Cisco Secure ACS. It integrates with the Microsoft domain authentication database smoothly.