Professional Documents
Culture Documents
PIX AAA
• Authentication
• Authorization
• Accounting
• PPPoE
• Virtual Telnet
• Virtual HTTP
• TACACS+
• RADIUS
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—11-5
AAA
• Authentication
Username:
• PIX smith
Firewall:
Password: 2bon2b
• Server:
Username: alex
Password: v1v10k4
FTP
• PIX Firewall:
Username: smith@alex
Password: 2bon2b@v1v10k4
TACACS+ RADIUS
TACACS
+ Livingston Merit
Freeware
pixfirewall (config)#
pixfirewall (config)#
aaa-server group_tag (if_name) host server_ip key timeout
seconds
• Identifies the AAA server for a given group tag.
pixfirewall (config)#
pixfirewall(config)# nat
(inside) 1 10.0.0.0
255.255.255.0
pixfirewall(config)# aaa
authentication include
any outbound 0 0 MYTACACS
pixfirewall(config)# aaa
authentication exclude
any outbound 10.0.0.42
255.255.255.255 0.0.0.0
0.0.0.0 MYTACACS
pixfirewall(config)# virtual
telnet 192.168.0.5
pixfirewall(config)# aaa-server
MYTACACS protocol tacacs+
pixfirewall(config)# aaa-server
MYTACACS (inside) host
10.0.0.11 secretkey
pixfirewall(config)# aaa
authentication include any
outbound 0.0.0.0 0.0.0.0
0.0.0.0 0.0.0.0 MYTACACS The PIX Firewall passes the username
and password to the AAA server at
10.0.0.11 for authentication.
If the AAA server verifies that the
username and password are correct,
the PIX Firewall caches the user’s
authentication credentials for the
duration of the uauth timeout.
The user is able to connect to super
server on port 139 using the run
command without being required to
reauthenticate.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—11-20
Configuration of Virtual
Telnet Authentication
pixfirewall (config)#
virtual telnet ip_address
pixfirewall (config)#
pixfirewall (config)#
pixfirewall (config)#
timeout uauth hh:mm:ss [absolute|inactivity]
• Sets the time interval before users will be required to reauthenticate
– Absolute—Time interval starts at user login
– Inactivity—Time interval for inactive sessions (no traffic)
pixfirewall (config)#
auth-prompt [accept | reject | prompt] string
• Defines the prompt users see when authenticating
• Defines the message users get when they successfully or
unsuccessfully authenticate
• By default, only the username and password prompts are seen
pixfirewall (config)#
Select Deny.
Select Command.
Select Permit.
Select Deny.
Select Command.
Select Deny.
Select Command.
Select Permit.
172.26.26.50 is 7
intercepted by the PIX
Firewall.
2. Authentication request to
AAA server. 192.168.0.0
3. Authentication response 6
containing ACL name PIX 3
Firewall
from AAA server. 2
4
4. The PIX Firewall checks 5
AAA server
to see if the user’s ACL is 10.0.0.0 172.16.0.4
already present.
5. Request from the PIX 1
Firewall to the AAA server
for the user’s ACL.
6. The ACL is sent to the PIX
Firewall.
7. The HTTP request is
forwarded to 172.26.26.50 Student PC
10.0.0.11
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—11-34
Configuring Downloadable
ACLs in ACS
pixfirewall (config)#
pixfirewall (config)#
pixfirewall (config)#
pixfirewall (config)#
show aaa [authentication | authorization | accounting]
pixfirewall (config)#
show timeout uauth
pixfirewall (config)#
show virtual [http | telnet]
pixfirewall(config)#
vpdn group group_name ppp authentication PAP | CHAP | MSCHAP
• Step 2—Select an authentication method.
pixfirewall(config)#
vpdn group group_name localname username
• Step 3—Associates the username assigned by your ISP with the VPDN group.
pixfirewall(config)#
vpdn username name password pass
• Step 4—Creates a username and password pair for the PPPoE connection.
pixfirewall(config)#
pixfirewall(config)#
show vpdn session [l2tp | pptp | pppoe] [id
session_id | packets | state | window]
• Displays session information.
pixfirewall(config)#
show vpdn tunnel [l2tp | pptp | pppoe] [id
tunnel_id | packets | state | summary |
transport]
• Displays tunnel information.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—11-49
Monitoring the PPPoE Client (cont.)
pixfirewall(config)#
show vpdn pppinterface [id intf_id]
pixfirewall(config)#
show vpdn username [name]
• Displays local usernames.
pixfirewall(config)#
show vpdn group [groupname]
• Displays configured groups.
pixfirewall(config)#
show ip address if_name pppoe
• Displays detailed information about a PPPOE
connection.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—11-50
Debugging the PPPoE Client
pixfirewall(config)#
debug pppoe event | error | packet
• Enables debugging for the PPPoE client.
• Authentication is who you are, authorization is what you can do, and