04-28-2004 01:42 AM - edited 02-21-2020 10:10 AM
We are considering implementing authentication & authorization on a PIX 525 inside interface for connections to external hosts.
Server is a standard Radius server.
The question is whether, every time a user requests a service (i.e. http or whatever) included in his group access-list, he/she will be prompted for username & password, or whether the prompt appears only the first time?
04-28-2004 04:35 AM
The timeout uauth command is what determines how often the user has to authenticate.
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1026093 for more details about this and how the timeout parameters are related to each other.
There is a note about setting the uauth timeout to zero to disable caching, but it won't work for passive ftp, nor will your users like it.
04-28-2004 07:56 AM
Thx 4 your quick reply.
I will need some help to tune configuration on PIX.
I checked a test conf this morning with no success. For details:
inside ip is 10.75.214.1/24
outside ip is 192.168.33.58/24
radius server ip is 10.75.204.32/24 (different vlan)
Client ip 10.75.214.100/24 & default gateway 10.75.214.1
I have previously checked pings between server and firewall and they are 100% ok.
The following are conf params on pix for aaa
aaa-server Inbound protocol radius
aaa-server Inbound (inside) host 10.75.204.32
access-list test permit tcp any any eq www
On the radius server the attribute filter_id has been set to test.
And this is all.
When trying to browse to ip 212.100.100.100 (for instance) client is never prompted for user&pass
I forgot to mention that since this is a test environment outside interface is down.
Any suggestions?
04-28-2004 06:35 PM
First, make sure that the pix can connect to the Radius server using one of its interfaces, since that server is not on the same vlan as the inside or outside address. So if there is a router off of the inside interface that connects to the radius server vlan, make sure that either rip or a static route (or ospf if running pix code 6.3) between the router and the pix is exchanging that route.
Second, you need to tell the pix when to prompt for user authentication. You need to add these commands:
aaa authentication match inside test Inbound
virtual telnet y.y.y.y
virtual http y.y.y.y where y.y.y.y is the same on both virtual commands and it is an address that is not in use on any interface.
This tells the pix when to perform user authentication and how it is done, as well as allowing the http sessions to be redirected to the pix for authen and then redirected back to the real host. See the pix v6 doc command reference on the virtual commands to get a better understanding of how they are used.
04-29-2004 05:15 AM
Thx,
I'm checking.
2 more questions:
1st. If using radius authentication with named access-lists for different user groups (1 access-list for each group), is it mandatory to apply ALL the access-lists to the inside interface by means of access-groups (1 per access-list)?
2nd. We are supposed to allow and authenticate different services (https, http, ftp etc.) and servers; how can we manage this?
Thx
04-29-2004 08:08 AM
You want to use the per-user override feature of the pix 6.3 code so that you do not have to allow on the inside interface all the traffic that the users will send after they authenticate. There is some reference on the pix doc about using radius to download named acls and about the per-user override feature.
If you want to authen some traffic, but not others, then you specify what traffic you want in an acl, and refer to that acl in an aaa authen match statement. This acl is not applied to any interface, nor does it need to be defined in the radius server config.
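A consolidated PIX 6.3 configuration that puts the advice in this thread together, added here as an example and not taken from any of the posts; the ACL names, the group names, the 10.75.214.250 virtual address and the shared-secret placeholder are assumed values.

```cisco
! RADIUS server group; the shared secret is a placeholder, not a real value
aaa-server Inbound protocol radius
aaa-server Inbound (inside) host 10.75.204.32 RADIUS_SECRET_PLACEHOLDER timeout 5
!
! 1) Which inside traffic triggers the authentication prompt. This ACL is only
!    referenced by "aaa authentication match"; it is applied to no interface
!    and does not have to exist on the RADIUS server.
access-list authen_trigger permit tcp 10.75.214.0 255.255.255.0 any eq www
access-list authen_trigger permit tcp 10.75.214.0 255.255.255.0 any eq https
access-list authen_trigger permit tcp 10.75.214.0 255.255.255.0 any eq ftp
aaa authentication match authen_trigger inside Inbound
!
! 2) Virtual address (assumed; must be unused on every interface). http is
!    redirected to it for the challenge and then back to the real host.
!    Services the pix cannot challenge itself (https here) require the user
!    to telnet to this address first, then the cached uauth entry covers them.
virtual http 10.75.214.250
virtual telnet 10.75.214.250
!
! 3) How long a successful authentication is cached before the user is
!    prompted again. Zero would disable the cache, which breaks passive ftp
!    and prompts on every new connection; the absolute timer should stay
!    shorter than the xlate timeout.
timeout uauth 0:05:00 absolute uauth 0:02:00 inactivity
!
! 4) Per-group ACLs, one per user group, named by the RADIUS Filter-Id
!    attribute ("grp_web" or "grp_full"). They live only on the pix and are
!    never bound with access-group.
access-list grp_web permit tcp any any eq www
access-list grp_web permit tcp any any eq https
access-list grp_full permit ip any any
!
! 5) Interface ACL: only what must pass BEFORE a user is authenticated (DNS
!    plus the services that trigger the prompt). per-user-override lets the
!    group ACL from step 4 replace this ACL for the authenticated user's
!    traffic, so the rest of what groups may do is not opened here.
access-list inside_in permit udp 10.75.214.0 255.255.255.0 any eq domain
access-list inside_in permit tcp 10.75.214.0 255.255.255.0 any eq www
access-list inside_in permit tcp 10.75.214.0 255.255.255.0 any eq https
access-list inside_in permit tcp 10.75.214.0 255.255.255.0 any eq ftp
access-group inside_in in interface inside per-user-override
```

With this layout a group is added by creating one more grp_* ACL and returning its name in Filter-Id; the interface ACL and the trigger ACL stay unchanged.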