
Authentication using Cisco PIX 515E

pinkheart
Level 1

Hello,

I am a small ISP (about 500 users) and I have a Cisco 515E firewall. I am asking if I can use it to control access to the Internet (all protocols, not just HTTP) in a way that is easy for the client, by user name or MAC address.

Any idea would be helpful.

5 Replies

Patrick Iseli
Level 7

pcomeaux
Cisco Employee

I have used the feature "per-user override" for access-groups and it has worked well to force people to authenticate before being allowed through the Pix.

Here's a link to the feature:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn634.htm#wp109163

*****

Per-user-override

This feature allows users to specify a new keyword per-user-override to the access-group command. When this keyword is specified, it allows the permit/deny status from the per-user access-list (downloaded via AAA authentication) that is associated to a user to override the permit/deny status from the access-group access-list.

For more information on this feature, refer to the Cisco PIX Firewall and VPN Configuration Guide. For a complete description of the command syntax for this new command, refer to the Cisco PIX Firewall Command Reference.

*****

You will also need a Radius server that supports Per-User Downloadable ACLs, which Cisco Secure ACS does a great job of doing.

Here's a link to the 90 day eval software for ACS:

https://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=10180&fid=10281
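
A minimal configuration sketch of the setup described in the reply above, added here as an illustration; it is not part of the original post or of Cisco's documentation. The server group name `ACS`, the ACL names, the address `192.0.2.10` and the key placeholder are assumptions, and the downloadable ACL itself is defined on the RADIUS server rather than on the PIX.

```cisco
! Added example for PIX 6.3(4) or later. All names, addresses and the
! key are placeholders; check syntax and behaviour against the
! Configuration Guide and Command Reference for your release.

! RADIUS server group (for example Cisco Secure ACS) reached via inside
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10 <shared-secret> timeout 10

! Traffic that must authenticate. The PIX prompts only on protocols
! such as HTTP, FTP or Telnet, so HTTP is used as the trigger here.
access-list AUTH_MATCH permit tcp any any eq www
aaa authentication match AUTH_MATCH inside ACS

! Interface ACL: before login, allow only DNS and the HTTP connection
! that raises the prompt (assumption: the trigger traffic has to pass
! this ACL). Everything else falls to the implicit deny.
access-list INSIDE_IN permit udp any any eq domain
access-list INSIDE_IN permit tcp any any eq www

! per-user-override: the ACL downloaded for an authenticated user
! overrides the permit/deny result of INSIDE_IN for that user.
access-group INSIDE_IN in interface inside per-user-override
```

After a test login, `show uauth` lists the currently authenticated users. Authentication state on the PIX is tracked per source IP address, so clients that share one address behind NAT also share one login.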

pinkheart
Level 1

Thanks everyone, I really appreciate it.

Glad to be of help - be sure to rate the post so others know which answers are helpful to you.

Thanks

peter
