https://community.cisco.com/t5/wireless/dynamically-assigning-firewall-rules-with-radius/m-p/759571#M220656 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>These ACL's are user specific, so as soon as user logs off or disconnects the connection, the ACL's are removed dynamically, so now next time whenever user tries to access the service again, he will need to authenticate and ACL's will be downloaded fresh.</P><P></P><P>Regards</P><P>Rohit</P></BODY></HTML> Fri, 27 Jul 2007 16:09:36 GMT rochopra 2007-07-27T16:09:36Z https://community.cisco.com/t5/wireless/dynamically-assigning-firewall-rules-with-radius/m-p/759568#M220653 <P>Hi, </P><P>I would like to controll traffic from LAN to outside using PIX-FW and Radius. I have found these links which describes the method of controlling access using Radius attributes mapped to users or Groups in Active Directory. What i understood is that the user should be first authenticated through HTTP,FTP or Telnet and then the username sent in the Authentication Process will be used to map the accesslist configured on the PIX.</P><P>Question1:</P><P>Is that correct, the user should authenticate first through HTTP,FTP or TELNT ?</P><P>Question2:</P><P>Ist there any way to use the credentials that user have used to login to the Client during the login process(Windows Clients).</P><P><A class="jive-link-custom" href="http://www.giac.org/certified_professionals/practicals/GCWN/0224.php" target="_blank">http://www.giac.org/certified_professionals/practicals/GCWN/0224.php</A></P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/pix/pix61/configuration/guide/mngacl.pdf" target="_blank">http://www.cisco.com/en/US/docs/security/pix/pix61/configuration/guide/mngacl.pdf</A></P><P></P><P></P><P>Thanks for replaying.</P> Sat, 03 Jul 2021 21:23:59 GMT https://community.cisco.com/t5/wireless/dynamically-assigning-firewall-rules-with-radius/m-p/759568#M220653 giaaaj 2021-07-03T21:23:59Z https://community.cisco.com/t5/wireless/dynamically-assigning-firewall-rules-with-radius/m-p/759569#M220654 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Ans 1. Pix provides Authentication for pass through traffic from the pix(traffic which enters on one interface and exits on another interface) and by default authenticates Http, Telnet, FTP, you can also authenticate udp and tcp traffic passing through firewall.</P><P>for any non standard port you can do authentication through virtual telnet feature available on pix.</P><P></P><P>Ans 2. You cannot use credentials cached at the time of login to windows, because pix will only prompt for authentication once to try to send some traffic outside of pix. You can enter same username password again though and tell radius to talk to AD for authentication.</P><P></P><P>Following link can be helpful for limiting access :</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd703.html#wp391230" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd703.html#wp391230</A></P><P></P><P>Hope this helps.</P><P></P><P>Regards</P><P>Rohit</P></BODY></HTML> Thu, 26 Jul 2007 22:51:45 GMT https://community.cisco.com/t5/wireless/dynamically-assigning-firewall-rules-with-radius/m-p/759569#M220654 rochopra 2007-07-26T22:51:45Z https://community.cisco.com/t5/wireless/dynamically-assigning-firewall-rules-with-radius/m-p/759570#M220655 <HTML><HEAD></HEAD><BODY><P>Hi Rohit,</P><P>Thanks for replying.</P><P>After the user login and get authenticated by the radius and the ACL is activated.</P><P>- What will happen if the user logs out. Will the pix notice that and how ? and what will habppen to the ACL. </P><P>Thanks in advance.</P></BODY></HTML> Fri, 27 Jul 2007 11:05:52 GMT https://community.cisco.com/t5/wireless/dynamically-assigning-firewall-rules-with-radius/m-p/759570#M220655 giaaaj 2007-07-27T11:05:52Z https://community.cisco.com/t5/wireless/dynamically-assigning-firewall-rules-with-radius/m-p/759571#M220656 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>These ACL's are user specific, so as soon as user logs off or disconnects the connection, the ACL's are removed dynamically, so now next time whenever user tries to access the service again, he will need to authenticate and ACL's will be downloaded fresh.</P><P></P><P>Regards</P><P>Rohit</P></BODY></HTML> Fri, 27 Jul 2007 16:09:36 GMT https://community.cisco.com/t5/wireless/dynamically-assigning-firewall-rules-with-radius/m-p/759571#M220656 rochopra 2007-07-27T16:09:36Z https://community.cisco.com/t5/wireless/dynamically-assigning-firewall-rules-with-radius/m-p/759572#M220657 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P>Is there any way to automate the authentication issue, i mean that the user will not give the credentials in an interactive way. Some thing like a service or program that answers the authentication request from the pix by using the cashed windows login information.</P></BODY></HTML> Tue, 14 Aug 2007 05:31:21 GMT https://community.cisco.com/t5/wireless/dynamically-assigning-firewall-rules-with-radius/m-p/759572#M220657 giaaaj 2007-08-14T05:31:21Z