AAA PIX

No, we don't have pictures of auto club members. Rather, this refers to authentication on Cisco PIX firewalls. In this segment, part 6 of our series of excerpts from the book Cisco Secure Internet Security Solutions, you will learn how to use the commands that authenticate, authorize, and account for users (AAA).

By Cisco Press | Posted Oct 10, 2001

Cisco Secure Internet Security Solutions - Chapter 4
by Andrew Mason, Mark Newcomb

Cisco Secure PIX Firewall - Part 6

AAA Commands
You have enabled AAA using Terminal Access Controller Access Control System Plus (TACACS+) on your PIX for authenticating, authorizing, and accounting for users passing from the inside through the outside interface. You have also enabled TACACS+ authentication for those connecting to the PIX through the console.

The first command you need to look at is the aaa-server command. The example sets the server to TACACS+ on the inside interface with the IP address of 10.1.1.41. You are using the string thekey as your TACACS+ key and have set a timeout of 20 seconds. This command is also responsible for starting AAA on the PIX. The full syntax of the aaa-server command follows:

aaa-server group_tag (interface_name) host server_ip key timeout seconds

The parameters and keywords, along with their descriptions, are displayed in Table 4-3.

Table 4-3: aaa-server Parameters and Keywords

Command         Description
group_tag       TACACS+ or RADIUS.
interface_name  Name of the interface where the server resides.
host            Keyword designating that a single host IP address follows.
server_ip       The IP address of the server.
key             The alphanumeric key expected at the server.
timeout         Keyword designating that the parameter following is the number of seconds.
seconds         The wait time in seconds that the PIX will wait after sending a request without receiving a response before another request is sent. The default time is 5 seconds. Four requests will be sent before timing out.

After starting AAA, you authenticated, authorized, and accounted for any outbound traffic. For a full description of these three processes, see Chapter 10. For the moment, it will suffice to say that when users attempt to send data outside, first they will be checked to ensure that they are who they claim to be, then a check will determine whether they are allowed to send the data outside, and then a record will be made that the users sent the data. You accomplish these three tasks in this example with the following three lines:

 aaa authentication include any outbound 0 0 0 0 TACACS+
 aaa authorization include any outbound 0 0 0 0 TACACS+
 aaa accounting include any outbound 0 0 0 0 TACACS+

The key here is the word outbound, which means packets traversing from the inside interface through the outside interface. The any in these lines refers to the type of accounting service; possible values are any, ftp, http, telnet, or protocol/port. The four zeros refer, in order, to the local address, the local mask, the foreign IP address, and the foreign mask. The final parameter determines which service should be used, RADIUS or TACACS+. It is possible to run both TACACS+ and RADIUS at the same time. To accomplish this, merely add another aaa-server command with the other service.

The aaa authentication command has another form that allows you to authenticate connections for the serial port, the Telnet ports, and the enable mode. The full syntax of this command follows:

aaa authentication [serial | enable | telnet] console group_tag
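As an added example (not from the book), the following PIX fragment puts the commands above together: the TACACS+ server from the example plus a second RADIUS server (its address 10.1.1.42 and key radkey are assumed), outbound AAA limited to the local 10.1.1.0/24 network instead of the 0 0 0 0 wildcard, accounting sent to the RADIUS server to show both services active at once, and TACACS+ authentication for the serial, enable, and Telnet consoles.

```text
aaa-server TACACS+ (inside) host 10.1.1.41 thekey timeout 20
aaa-server RADIUS (inside) host 10.1.1.42 radkey timeout 20
aaa authentication include any outbound 10.1.1.0 255.255.255.0 0 0 TACACS+
aaa authorization include any outbound 10.1.1.0 255.255.255.0 0 0 TACACS+
aaa accounting include any outbound 10.1.1.0 255.255.255.0 0 0 RADIUS
aaa authentication serial console TACACS+
aaa authentication enable console TACACS+
aaa authentication telnet console TACACS+
```

Because the PIX sends four requests before timing out (Table 4-3), a timeout of 20 seconds means an unreachable server can delay each outbound authentication by up to 80 seconds, so keep the value short when the server sits on the same LAN.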
