
Basic Administration Radius configuration on the PIX using 6.2

sgratias
Level 1

I am looking for a real basic Radius login configuration for the PIX running 6.2. I just want to be able to have the Radius Server (Steel-Belted) authenticate and account for administrators that access the PIX for doing changes.

Thanks for any help in this issue.

Scott

2 Replies

cghercoias
Level 1

Here is how I did it in our Cisco 520 PIX firewalls:

-------------------------------------------
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 0
aaa-server RADIUS (inside) host radius_server_ip radius_secret_key timeout 5
aaa-server LOCAL protocol local
aaa authentication enable console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
username admin password very_secret_password encrypted privilege 15
------------------------------------------------

Of course, replace radius_server_ip with your own and radius_secret_key with a real one.

In the RADIUS server (I'm using IAS built into Windows 2000/2003 servers) I just defined a policy to allow only the group "Domain Admins" and added the firewall as clients with their own IP address and secret key.

Don't forget to add a username and a password; should your RADIUS server become unavailable, that will be your last resort to get into the PIX.

Catalin.
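
An added example, not part of the original reply or any Cisco tooling: a small Python check that reads a saved PIX configuration and verifies the points the answer relies on (every console method has an AAA line, each server group is declared and has a host, LOCAL is the last fallback, and a local username exists). The function name `audit_admin_aaa` and the sample text are constructed for illustration, and the check assumes every group, including LOCAL, is declared with an `aaa-server ... protocol` line as in the answer.

```python
# Constructed sample: the RADIUS-related lines from the answer, placeholders kept.
SAMPLE_CONFIG = """\
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 0
aaa-server RADIUS (inside) host radius_server_ip radius_secret_key timeout 5
aaa-server LOCAL protocol local
aaa authentication enable console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
username admin password very_secret_password encrypted privilege 15
"""

CONSOLE_METHODS = ("enable", "http", "ssh", "telnet")  # the four used in the answer

def audit_admin_aaa(config_text):
    """Return a list of findings; an empty list means the checks passed."""
    protocols, hosts, auth, has_local_user = {}, set(), {}, False
    for line in config_text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "aaa-server" and len(tok) >= 4 and tok[2] == "protocol":
            protocols[tok[1]] = tok[3]          # group name -> protocol
        elif tok[0] == "aaa-server" and len(tok) >= 5 and tok[3] == "host":
            hosts.add(tok[1])                   # group has at least one server
        elif tok[:2] == ["aaa", "authentication"] and len(tok) >= 5 and tok[3] == "console":
            auth[tok[2]] = tok[4:]              # method -> ordered group list
        elif tok[0] == "username" and len(tok) >= 4 and tok[2] == "password":
            has_local_user = True
    findings = []
    for method in CONSOLE_METHODS:
        groups = auth.get(method)
        if not groups:
            findings.append(f"{method}: no aaa authentication console line")
            continue
        for g in groups:
            if g not in protocols:
                findings.append(f"{method}: server group {g} is not declared")
            elif protocols[g] != "local" and g not in hosts:
                findings.append(f"{method}: server group {g} has no host defined")
        if groups[-1] != "LOCAL":
            findings.append(f"{method}: no LOCAL fallback if the server is unreachable")
    if any("LOCAL" in g for g in auth.values()) and not has_local_user:
        findings.append("LOCAL is referenced but no local username is defined")
    return findings
```

Running `audit_admin_aaa` on a saved copy of the configuration before relying on it shows whether removing or mistyping one line would leave a console method without a working login path.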

Thanks, looks good. I will try it.