Re: PIX and AAA [7:42302]
Thanks again for the replies everyone, it worked just fine.

Patrick Donlon wrote:
> Thanks for the replies, I only want to authenticate administrators on the
> PIX, will let you know how I get on
>
> Cheers
>
> Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43143&t=42302
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX and AAA [7:42302]
Thanks for the replies, I only want to authenticate administrators on the PIX, will let you know how I get on

Cheers

Pat

--
email me on : [EMAIL PROTECTED]

"nrf" wrote in message news:[EMAIL PROTECTED]...
> In such a situation, authorization would be achieved by writing a bunch of
> access-lists on the Pix. Then, you designate those particular access-lists
> within the radius server for individual users. For example, let's say you
> have a user called billclinton, and you want to restrict his access to
> certain websites. So you write an access-list that does that, and then in
> his radius profile, you "call" that access-list.
>
> This works when you are doing straight authentication through the Pix
> directly. I have never tried it through a VPN.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42417&t=42302
Re: PIX and AAA [7:42302]
In such a situation, authorization would be achieved by writing a bunch of access-lists on the Pix. Then, you designate those particular access-lists within the radius server for individual users. For example, let's say you have a user called billclinton, and you want to restrict his access to certain websites. So you write an access-list that does that, and then in his radius profile, you "call" that access-list.

This works when you are doing straight authentication through the Pix directly. I have never tried it through a VPN.

"Darren Mitchelmore" wrote in message news:[EMAIL PROTECTED]...
> NRF.
>
> I am just about to setup a PIX 515 with the Cisco VPN client and the IAS
> (WIN2K RADIUS SERVER). From my understanding the VPN client has a group
> login then the user will be prompted for a username/password that the
> PIX will pass to the IAS server using Radius. That will be authenticated
> against the Win username / password database (used to be called SAM ??) on
> the IAS server.
>
> I believe that this is authentication. Not sure how authorisation is
> achieved. How do you tie in the access-list
> to that individual user ??
>
> Is this the setup you have got going ??
>
> Do you have any problems implementing it ??
>
> PS - I have setup PIXs before but only with simple policies...
>
> Best Regards,
> Darren M

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42400&t=42302
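Added example, not part of the original thread and not Cisco's own configuration: the per-user access-list approach nrf describes above, written in PIX 6.2-style commands for users passing through the PIX (not administrators of the PIX). The group tag AuthOut, server address 10.1.1.10, key ExampleSharedKey, the access-list names and the destination 192.0.2.80 are constructed placeholders, and the RADIUS attribute that carries the acl= string is an assumption to confirm against the configuration guide linked in the thread.

```text
: --- On the PIX (lines beginning with ':' are comments) ---
: RADIUS server group and host; the shared key must match the
: client entry configured for the PIX on the RADIUS server.
aaa-server AuthOut protocol radius
aaa-server AuthOut (inside) host 10.1.1.10 ExampleSharedKey timeout 10

: Per-user access list that the RADIUS profile will name.
: Constructed policy: block one web server, allow everything else.
access-list acl_billclinton deny tcp any host 192.0.2.80 eq www
access-list acl_billclinton permit ip any any

: Traffic that triggers authentication of users going through the PIX.
access-list auth_web permit tcp any any eq www
aaa authentication match auth_web inside AuthOut

: --- On the RADIUS server (IAS, Cisco Secure ACS, ...) ---
: In the billclinton profile, return the access-list name in the
: authentication reply as the string:
:     acl=acl_billclinton
: (assumption: sent in the attribute the PIX 6.2 guide specifies
:  for acl=acl_ID; check the guide for your server type)
: The name must match an access-list that already exists on the PIX:
: the server only names the list, the rules themselves live on the PIX.
```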
RE: PIX and AAA [7:42302]
NRF.

I am just about to setup a PIX 515 with the Cisco VPN client and the IAS (WIN2K RADIUS SERVER). From my understanding the VPN client has a group login then the user will be prompted for a username/password that the PIX will pass to the IAS server using Radius. That will be authenticated against the Win username / password database (used to be called SAM ??) on the IAS server.

I believe that this is authentication. Not sure how authorisation is achieved. How do you tie in the access-list to that individual user ??

Is this the setup you have got going ??

Do you have any problems implementing it ??

PS - I have setup PIXs before but only with simple policies...

Best Regards,
Darren M

> ----- Original Message -----
> From: nrf [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, April 24, 2002 3:57 AM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX and AAA [7:42302]
>
> Well, actually, the Pix does support a very limited amount of Radius
> authorization. It's only for users going through the Pix, not
> administrators of the Pix. And the authorization 'capabilities' only allow
> you to invoke existing access-lists on the Pix for certain users, so, like I
> said, it's very limited. Still, the capability exists.
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/mngacl.htm#xtocid10

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42395&t=42302
Re: PIX and AAA [7:42302]
Well, actually, the Pix does support a very limited amount of Radius authorization. It's only for users going through the Pix, not administrators of the Pix. And the authorization 'capabilities' only allow you to invoke existing access-lists on the Pix for certain users, so, like I said, it's very limited. Still, the capability exists.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/mngacl.htm#xtocid10

"Georg Pauwen" wrote in message news:[EMAIL PROTECTED]...
> Paul, Tim, Patrick,
>
> you guys are good! You are right, I wasn't specific enough in what I said:
> PIX does support RADIUS, but it does NOT support RADIUS Authorization :)
>
> Regards,
>
> Georg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42346&t=42302
Re: PIX and AAA [7:42302]
Paul, Tim, Patrick,

you guys are good! You are right, I wasn't specific enough in what I said: PIX does support RADIUS, but it does NOT support RADIUS Authorization :)

Regards,

Georg

>From: "Paul Borghese"
>To: "Georg Pauwen" ,
>Subject: Re: PIX and AAA [7:42302]
>Date: Tue, 23 Apr 2002 10:03:43 -0400
>
>The pix does support radius. I am using it for a small client to
>authenticate PPTP connections using the Microsoft 2000 Radius server.
>
>Paul Borghese

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42330&t=42302
Re: PIX and AAA [7:42302]
The pix does support radius. I am using it for a small client to authenticate PPTP connections using the Microsoft 2000 Radius server.

Paul Borghese

----- Original Message -----
From: "Georg Pauwen"
To:
Sent: Tuesday, April 23, 2002 7:16 AM
Subject: RE: PIX and AAA [7:42302]

> Hi Patrick,
>
> yes, aaa is fully supported on the PIX (remember, though, that the PIX does
> not support RADIUS). Follow this link for a command overview of aaa on the
> PIX:
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid3
>
> Regards,
>
> Georg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42320&t=42302
RE: PIX and AAA [7:42302]
Hi Patrick,

yes, aaa is fully supported on the PIX (remember, though, that the PIX does not support RADIUS). Follow this link for a command overview of aaa on the PIX:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid3

Regards,

Georg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42304&t=42302
PIX and AAA [7:42302]
Hi All,

hopefully someone can help, is it possible to use AAA to authenticate users on my PIX firewalls?

Cheers

Pat

--
email me on : [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42302&t=42302