AAA control for inside network

j.joe
Level 1

I know that AAA can easily be set up to control VPN connections from outside. How about controlling traffic from inside to outside?

3 Replies

mmellet
Level 3

Most firewalls support outbound authentication with AAA. We use the PIX and Cisco Secure ACS for outbound authentication. Works well. It might be a little trickier with controlling outbound VPN since the PIX doesn’t have any way to proxy the authentication for that, but you can use http, ftp or telnet to authenticate the user first, then open the VPN ports/protocols.

As your message mentioned, the PIX supports outbound authentication with AAA. Should it be done for all outbound traffic, including outbound VPN?

BTW, can the PIX support outbound authentication with Microsoft RADIUS? Must the user authenticate on screen instead of passing the workstation's login information when an outbound connection is about to be made?

If you want to authenticate outbound VPN on the PIX then you’ll have to authenticate everything outbound and use http, telnet or ftp to authenticate your outbound traffic. Once authenticated, all ports and protocols will open and the user can set up and use VPN. You can build AAA exception statements for specific hosts like mail servers and/or administrators. I’m not familiar with Microsoft’s RADIUS but I would guess it’s standard RADIUS, which is supported by the PIX. You might look at Cisco Secure ACS. It integrates with the Microsoft domain authentication database smoothly.
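A constructed PIX 6.x-style configuration sketch of the approach mmellet describes (an added illustration, not posted in the thread): one RADIUS server, authentication of all outbound traffic, an exception for a mail server, and the session timers. The server address, shared secret, server tag, mail-server address and virtual telnet address are placeholders, and the exact command syntax should be checked against the PIX software version in use.

```text
! Constructed example: RADIUS server reachable on the inside interface
! (address, key and tag OUTBOUND are placeholders)
aaa-server OUTBOUND protocol radius
aaa-server OUTBOUND (inside) host 10.1.1.5 SharedSecretPlaceholder timeout 10

! Authenticate every outbound connection from any inside host to any
! destination. The PIX can only prompt for http, ftp and telnet, so the
! user must open one of those first; once the user is authenticated the
! rest of that host's traffic (including VPN) is allowed until the
! uauth timer below expires.
aaa authentication include any inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 OUTBOUND

! Exception for a host that cannot answer an interactive prompt,
! e.g. a mail server (placeholder address)
aaa authentication exclude any inside 10.1.1.25 255.255.255.255 0.0.0.0 0.0.0.0 OUTBOUND

! Optional: an unused, routable address users can telnet to purely in
! order to authenticate before starting non-http/ftp/telnet traffic
virtual telnet 192.0.2.10

! How long an authenticated session stays open: absolute limit and
! inactivity limit (keep these short to limit reuse of an open session)
timeout uauth 0:05:00 absolute uauth 0:02:00 inactivity
```

Because the PIX keys the authenticated session to the source IP address, a shared or spoofable host address can reuse another user's open session, which is why the uauth timers and the exception list should be kept as tight as the environment allows.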