No, we don't have pictures of auto club members. Rather, this refers to authentication on Cisco PIX firewalls. In part 6 of our series of excerpts from the book Cisco Secure Internet Security Solutions, you will learn how to use commands to authenticate, authorize, and account for users.
Cisco Secure Internet Security Solutions - Chapter 4
by Andrew Mason, Mark Newcomb
You have enabled AAA using Terminal Access Controller Access Control System Plus (TACACS+) on your PIX for authenticating, authorizing, and accounting for users passing from the inside through the outside interface. You have also enabled TACACS+ authentication for those connecting to the PIX through the console.
The first command you need to look at is the aaa-server command. The example sets the server to TACACS+ on the inside interface with the IP address of 10.1.1.41. You are using thekey as your TACACS+ key and have set a timeout of 20 seconds. This command is also responsible for starting AAA on the PIX. The full syntax of the aaa-server command follows:
aaa-server group_tag (interface_name) host server_ip key timeout seconds
The parameters and keywords, along with their descriptions, are displayed in Table 4-3:
| Parameter/Keyword | Description |
|---|---|
| group_tag | TACACS+ or RADIUS. |
| interface_name | Name of the interface where the server resides. |
| host | Keyword designating that a single host IP address follows. |
| server_ip | The IP address of the server. |
| key | The alphanumeric key expected at the server. |
| timeout | Keyword designating that the parameter following is the number of seconds. |
| seconds | The wait time in seconds that the PIX will wait after sending a request without receiving a response before another request is sent. The default time is 5 seconds. Four requests will be sent before timing out. |
After starting AAA, you authenticated, authorized, and accounted for any outbound traffic. For a full description of these three processes, see Chapter 10. For the moment, it will suffice to say that when users attempt to send data outside, first they will be checked to ensure that they are who they claim to be, then a check will determine whether they are allowed to send the data outside, and then a record will be made that the users sent the data. You accomplish these three tasks in this example with the following three lines:
aaa authentication include any outbound 0 0 0 0 TACACS+
aaa authorization include any outbound 0 0 0 0 TACACS+
aaa accounting include any outbound 0 0 0 0 TACACS+
The key here is the word outbound, which means packets traversing from the inside interface through the outside interface. The any in these lines refers to the type of accounting service; possible values are any, ftp, http, telnet, or protocol/port. The four zeros refer, in order, to the local address, the local mask, the foreign IP address, and the foreign mask. The final parameter determines which service should be used, RADIUS or TACACS+. It is possible to run both TACACS+ and RADIUS at the same time. To accomplish this, merely add another aaa-server command with the other service.
The aaa authentication command has another form that allows you to authenticate connections for the serial port, the Telnet ports, and the enable mode. The full syntax of this command follows:
aaa authentication [serial | enable | telnet] console group_tag
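The aaa-server and aaa rule syntax walked through above lends itself to a quick configuration audit. The following Python script is an added example, not from the book or from Cisco: it parses the three command forms, checks that every rule names a group_tag that an aaa-server command actually defined, and flags authorization or accounting rules whose traffic is never covered by an authentication rule. The sample configuration is constructed here from the commands in the text, with a deliberately broken last line.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample PIX configuration built from the commands described above;
# the last line is deliberately wrong so that the audit has something to report.
SAMPLE_CONFIG = """
aaa-server TACACS+ (inside) host 10.1.1.41 thekey timeout 20
aaa authentication include any outbound 0 0 0 0 TACACS+
aaa authorization include any outbound 0 0 0 0 TACACS+
aaa accounting include any outbound 0 0 0 0 TACACS+
aaa authentication telnet console TACACS+
aaa accounting include ftp inbound 0 0 0 0 RADIUS
"""

SERVER_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+) (\S+) timeout (\d+)$")
RULE_RE = re.compile(r"^aaa (authentication|authorization|accounting) include (\S+) "
                     r"(inbound|outbound) (\S+ \S+ \S+ \S+) (\S+)$")
CONSOLE_RE = re.compile(r"^aaa authentication (serial|enable|telnet) console (\S+)$")
SERVICES = {"any", "ftp", "http", "telnet"}  # or protocol/port, e.g. 6/22


def audit_aaa(config: str) -> List[str]:
    """Parse aaa-server and aaa rules from a PIX config and return findings."""
    servers: Dict[str, int] = {}                 # group_tag -> timeout seconds
    rules: List[Tuple[str, str, str, str, str]] = []  # (kind, service, dir, addrs, tag)
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := SERVER_RE.match(line):
            servers[m.group(1)] = int(m.group(5))
        elif m := RULE_RE.match(line):
            kind, service, direction, addrs, tag = m.groups()
            if service not in SERVICES and not re.fullmatch(r"\d+/\d+", service):
                findings.append(f"unknown service '{service}' in: {line}")
            rules.append((kind, service, direction, addrs, tag))
        elif m := CONSOLE_RE.match(line):
            rules.append(("console authentication", m.group(1), "", "", m.group(2)))
    # Every aaa rule must name a group_tag that an aaa-server command defined.
    for kind, _svc, _dir, _addrs, tag in rules:
        if tag not in servers:
            findings.append(f"{kind} rule references undefined server group '{tag}'")
    # Authorization and accounting only make sense for traffic the PIX first
    # authenticated: same direction and addresses, same service or 'any'.
    authn = [(s, d, a) for k, s, d, a, _ in rules if k == "authentication"]
    for kind, service, direction, addrs, _tag in rules:
        if kind in ("authorization", "accounting") and not any(
                d == direction and a == addrs and s in ("any", service)
                for s, d, a in authn):
            findings.append(f"{kind} for {service} {direction} has no matching authentication rule")
    return findings
```

Run against the sample, the audit reports the undefined RADIUS group and the inbound accounting rule that has no authentication behind it; the first five lines alone produce no findings.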