Re: Radius Authentication options on ASA or PIX

seandickson · ‎06-14-2010

I have found various articles that state completely different things about what can and cannot be done using Radius authentication on a PIX or ASA.

Can someone provide me with a definitive answer on what my options are or point me to a good whitepaper or 2?

Ideally I would like to have 2 groups of internal users 1 group would be able to VPN in and have view only access to my pix's and routers the second group would be able to vpn in and have admin rights to the pix's and routers, from what I have read this is possible.

I would like to have my admin users to have level 15 access when they login without having to enter a shared password or using their password a second time. I don't think having to enter your own password 2 times is so bad but how would I prevent veiw only users from being able to type "enable" and reenter their AD password to get admin rights.

Sean

Jatin Katyal · ‎06-14-2010

You have to enter PIX and router for radius and tacacs protocol so that VPN users can authenticate using radius protocol and via tacacs we can avail command authorization feature.

Use the below listed document for creating two command set under shared profile component, one for admin rights and other for read-only access.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo

After that turn on the command authorization on the PIX and router (mentioned at the below of the document). Make sure you have backdoor entry via local user account.

Once you have command set there, then go to each group and select the command set under tacacs+ settings ( pls refer the doc)

Also, there is no way out to jump directly to privilege exec mode (in case oof firewall). You have to type enable password before you jump on this mode #. However, this is possible in case of IOS ---router

HTH

JK

Do rate helpful posts-

~Jatin