Radius authentication and access-lists (PIX 515)

katk
Level 1

We have Pix 515E firewall configured to use RADIUS authentication.

We need to be able to exclude one website from being authenticated. This website access is only allowed from one trusted source address (see access list below).

We use access group to allow access from outside to inside interface.

Then we use the same access group to enable RADIUS authentication.

Here is our PIX configuration (I have replaced real IP numbers with fake ones).

*** Cisco Pix configuration ***

access-list acl_outside permit tcp any host 10.0.0.5 eq www
access-list acl_outside permit tcp any host 10.0.0.6 eq www
access-list acl_outside permit tcp any host 10.0.0.7 eq www
access-list acl_outside permit tcp any host 10.0.0.8 eq www
access-list acl_outside permit tcp host 192.168.0.10 gt 1023 host 10.0.0.9 eq www
access-group acl_outside in interface outside
aaa-server RADIUS protocol radius
aaa authentication match acl_outside outside RADIUS

*** End ***

We need to be able to exclude this source address from being authenticated:

access-list acl_outside permit tcp host 10.10.10.10 gt 1023 host 10.0.0.9 eq www

We tried using two separate access groups: one for the outside interface and another one for Radius authentication, but we could not make it work.

I found some examples on how to accomplish this with the exclude command, but we don't want to use the include command for RADIUS authentication. Can we use the exclude command without include?

I appreciate any suggestions regarding this question.

1 Reply

s-doyle
Level 3

I'd need to look at your debugs to be sure, but it looks correct as entered. Try re-entering the access list with access-list acl_outside permit tcp host 192.168.0.10 gt 1023 host 10.0.0.9 eq www listed first. Maybe the PIX is never getting to this line if it finds a match higher up.
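The two things this thread turns on are that the PIX evaluates an access list top-down and stops at the first matching entry, and that `aaa authentication match` only authenticates flows that hit a permit entry in the ACL it names; a deny entry (or no match) exempts the flow. The simulator below is an added example, not code from the thread or from Cisco, that models exactly those two rules so the effect of using one ACL for both the access-group and the authentication match, versus a separate authentication ACL with a leading deny for the trusted host, can be checked offline. The config text is constructed from the poster's (already fake) addresses; the `acl_auth` entries are an assumed design, not something the poster configured, and the parser only understands the subset of ACL syntax the thread uses (`any`, `host`, network/mask, `eq`/`gt`/`lt`/`neq`).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80}  # PIX port literals used in this example


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    proto: str                           # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    src_port: Optional[Tuple[str, int]]  # (operator, port) or None = any port
    dst: ipaddress.IPv4Network
    dst_port: Optional[Tuple[str, int]]


def parse_acl_line(line: str):
    """Parse 'access-list NAME permit|deny PROTO <src> [op port] <dst> [op port]'."""
    tok = line.split()
    name, action, proto = tok[1], tok[2], tok[3]
    pos = 4

    def addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[pos] == "host":
            pos += 2
            return ipaddress.ip_network(tok[pos - 1] + "/32")
        net = ipaddress.ip_network(f"{tok[pos]}/{tok[pos + 1]}", strict=False)
        pos += 2
        return net

    def port():
        nonlocal pos
        if pos < len(tok) and tok[pos] in ("eq", "gt", "lt", "neq"):
            op, val = tok[pos], tok[pos + 1]
            pos += 2
            return (op, PORT_NAMES.get(val) or int(val))
        return None

    src, sp = addr(), port()
    dst, dp = addr(), port()
    return name, Rule(action, proto, src, sp, dst, dp)


def _port_ok(spec, value):
    if spec is None:
        return True
    op, v = spec
    return {"eq": value == v, "gt": value > v, "lt": value < v, "neq": value != v}[op]


def first_match(rules, proto, src, sport, dst, dport):
    """Top-down evaluation; the first matching entry decides, as on the PIX."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.proto in (proto, "ip") and s in r.src and d in r.dst
                and _port_ok(r.src_port, sport) and _port_ok(r.dst_port, dport)):
            return r.action
    return None  # nothing matched


def load_config(text):
    acls, access_group, auth_match = {}, {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("access-list "):
            name, rule = parse_acl_line(line)
            acls.setdefault(name, []).append(rule)
        elif line.startswith("access-group "):
            t = line.split()  # access-group NAME in interface IFACE
            access_group[t[4]] = t[1]
        elif line.startswith("aaa authentication match "):
            t = line.split()  # aaa authentication match NAME IFACE SERVER-TAG
            auth_match[t[4]] = t[3]
    return acls, access_group, auth_match


def decide(config, iface, proto, src, sport, dst, dport):
    """Return 'denied', 'allowed-no-auth' or 'allowed-auth' for one inbound flow."""
    acls, access_group, auth_match = load_config(config)
    if first_match(acls.get(access_group.get(iface), []), proto, src, sport, dst, dport) != "permit":
        return "denied"  # implicit deny at the end of the interface ACL
    auth = first_match(acls.get(auth_match.get(iface), []), proto, src, sport, dst, dport)
    # Only a permit in the match ACL triggers RADIUS authentication; a deny or
    # no match leaves the flow unauthenticated.
    return "allowed-auth" if auth == "permit" else "allowed-no-auth"


# Constructed config: the thread's interface ACL plus a separate authentication
# ACL (assumed design) whose leading deny exempts the trusted source.
SPLIT_CONFIG = """
access-list acl_outside permit tcp any host 10.0.0.5 eq www
access-list acl_outside permit tcp host 192.168.0.10 gt 1023 host 10.0.0.9 eq www
access-group acl_outside in interface outside
access-list acl_auth deny tcp host 192.168.0.10 host 10.0.0.9 eq www
access-list acl_auth permit tcp any any eq www
aaa authentication match acl_auth outside RADIUS
"""

# The question's arrangement: one ACL for both jobs, so the trusted host is authenticated too.
SINGLE_CONFIG = SPLIT_CONFIG.replace("match acl_auth", "match acl_outside")

if __name__ == "__main__":
    for label, cfg in (("single ACL", SINGLE_CONFIG), ("split ACLs", SPLIT_CONFIG)):
        print(label, decide(cfg, "outside", "tcp", "192.168.0.10", 40000, "10.0.0.9", 80))
```

Run it and the trusted host's flow comes back `allowed-auth` with the single shared ACL and `allowed-no-auth` once the authentication match points at `acl_auth`, while any other source still has to authenticate to reach the published hosts. Reordering the interface ACL, as the reply suggests, changes nothing here because no earlier entry matches a destination of 10.0.0.9; the interface ACL has no overlap to resolve, so the lever is the separate match ACL, not entry order.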
