PIX cut-through proxy

stuart.christie
Level 1

Hi,

Can I configure the PIX cut-through proxy feature to authenticate using a local user database and have different access-lists for each user - all defined on the PIX rather than in a RADIUS server? If so, what commands should I use?

Thanks

Stuart

4 Replies

owillins
Level 6

You should be able to do this with the PIX downloadable access-lists and xauth. Here is the configuration document that might help.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html#wp1030990

No, you cannot do this with the local user DB. The provided link clearly mentions that: Downloadable ACLs are only supported with RADIUS servers and not with TACACS+ servers.

This is because this is an AUTHORIZATION command and local users are just AUTHENTICATION.

The only way to do this is with a RADIUS server.

sincerely

Patrick

I thought that might be the case. Thanks for the help.

Stuart

Stuart,

there are many open source RADIUS servers, and even a Windows RADIUS server, available; you do not need to use the Cisco ACS, even if it is a good and flexible application.

Overview:

http://dmoz.org/Computers/Security/Authentication/RADIUS/Server/

Windows IAS Service:

http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/ias.asp

http://www.microsoft.com/windows2000/techinfo/administration/radius.asp

Linux Radius OpenSource:

http://www.freeradius.org/

sincerely

Patrick
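As an added example (not part of the thread and not Cisco's or FreeRADIUS's own code), the sketch below shows how the per-user access lists asked about could be kept on a FreeRADIUS server instead of on the PIX: it renders one `users`-file entry per user and refuses any ACE that could break out of the quoted attribute. It assumes the PIX accepts per-user ACEs as Cisco AV-pairs of the form `ip:inacl#<n>=<ace>`, which should be checked against the configuration guide for your PIX version; user names, addresses and the password placeholder are constructed.

```python
import re

# Constructed sample data: user names and ACEs are illustrative only.
USER_ACLS = {
    "stuart": ["permit tcp any host 192.0.2.10 eq 80",
               "deny ip any any"],
    "patrick": ["permit ip any 192.0.2.0 255.255.255.0"],
}

PLACEHOLDER_PASSWORD = "CHANGE-ME"  # placeholder, never a real credential

NAME_RE = re.compile(r"[A-Za-z0-9._-]+")
# An ACE must start with permit/deny and may only contain characters that
# cannot close the quoted string or start a new attribute line.
ACE_RE = re.compile(r"(permit|deny) [A-Za-z0-9 ./-]+")


def render_user(name, aces):
    """Return one FreeRADIUS `users` entry carrying a per-user ACL.

    Assumption: the PIX reads ACEs from Cisco-AVPair "ip:inacl#<n>=<ace>".
    """
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"bad user name: {name!r}")
    if not aces:
        raise ValueError(f"{name}: empty ACL")
    head = f'{name}\tCleartext-Password := "{PLACEHOLDER_PASSWORD}"'
    replies = []
    for n, ace in enumerate(aces, start=1):
        # fullmatch (not match) so a trailing newline cannot slip through.
        if not ACE_RE.fullmatch(ace):
            raise ValueError(f"{name}: rejected ACE {ace!r}")
        op = "=" if n == 1 else "+="  # += appends further AV-pairs
        replies.append(f'\tCisco-AVPair {op} "ip:inacl#{n}={ace}"')
    # Reply items are comma-separated; the last one carries no comma.
    return head + "\n" + ",\n".join(replies) + "\n"


def render_all(user_acls):
    """Render every user, sorted by name, separated by blank lines."""
    return "\n".join(render_user(u, a) for u, a in sorted(user_acls.items()))


if __name__ == "__main__":
    print(render_all(USER_ACLS))
```
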
