05-12-2006 10:21 AM - edited 02-21-2020 10:15 AM
We currently went from using 4 /24 networks as our NAT pools for Internet access. We just added a PAT address as the NAT pools were full, and now any FTP requires authentication even if the user is already authenticated. HTTP and telnet are fine. We are using RADIUS authentication with dynamic ACLs on a PIX 525 running 5.3(4). Anyone else experience this?
05-13-2006 04:50 AM
Hi .. you can try excluding FTP from triggering aaa authentication. (Note: your PIX version is old, so I hope these commands are available.)
aaa authentication exclude tcp/21 interface x.x.x.x 255.255.255.0 aaa-group
where interface is the interface from which your RADIUS server can be reached, i.e. inside,
x.x.x.x is the IP address of your RADIUS server, and
aaa-group is the group name assigned by the aaa-server command.
Or you could exclude your outbound connections from triggering the authentication by using an access-list:
access-list yourlist deny tcp x.x.x.0 255.255.255.0 any eq ftp
access-list yourlist permit tcp any any
aaa authentication match yourlist inside radius
I hope it helps ... please rate it if it does !!!
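A complete PIX 6.3-style fragment showing the access-list form of the exclusion in context, added here as an illustration; it is not taken from the posts above. The interface name inside, the inside network 10.10.0.0/16, the RADIUS server 10.10.1.5 and its key, the NAT pool and PAT address (TEST-NET-3 range), and the names auth-match and RADIUS are all assumptions chosen for the example.

```cisco
nat (inside) 1 10.10.0.0 255.255.0.0
global (outside) 1 203.0.113.16-203.0.113.254 netmask 255.255.255.0
global (outside) 1 203.0.113.2
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.10.1.5 s3cretkey timeout 5
access-list auth-match deny tcp 10.10.0.0 255.255.0.0 any eq ftp
access-list auth-match permit tcp 10.10.0.0 255.255.0.0 any
aaa authentication match auth-match inside RADIUS
timeout uauth 0:05:00 absolute
```

The two global lines reproduce the poster's setup: the pool is used first and the single PAT address only once the pool is exhausted. In an aaa authentication match list a deny entry means "do not send this traffic for authentication" and a permit entry means "authenticate it", so FTP from the inside network bypasses RADIUS entirely while every other TCP session is still prompted; only do this if your policy genuinely allows unauthenticated FTP, since excluded sessions never touch the RADIUS server. The include/exclude and match forms cannot be mixed on the same interface, so pick one. To check the result, show uauth lists the users currently cached (for the time set by timeout uauth) and show access-list auth-match shows the hit counts on the deny and permit entries.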
05-18-2006 06:06 AM
My apologies, I missed my typo. The correct version of PIX OS is 6.3(4)