Configuring Authentication

Now that you have the AAA server and the NAS configured to communicate with each other,
you need to configure both for user authentication. First, you need to configure the
authentication parameters on the Security Appliance and on Cisco Secure ACS. Seven types of
authentication are supported on the PIX Firewall:
■ TACACS+
■ RADIUS
■ LDAP
■ NT
■ SDI
■ Kerberos
■ LOCAL
NOTE The TACACS+ or RADIUS key specified on Cisco Secure ACS must exactly match
the key specified in the aaa-server command for communication between the Cisco Secure
ACS server and the NAS to be established.
546 Chapter 18: Configuration of AAA on the Cisco Security Appliance
TACACS+, LDAP, and RADIUS all support numerous vendor-specific attributes (VSAs) or
attribute-value (AV) pairs. For a list of the specific VSAs or AV pairs and their definitions, see
the User Guide for Cisco Secure ACS for Windows Version 3.3.
The aaa authentication command has three different types. The following list describes the
options and variables you find collectively within all three:
■ include—Creates a rule with a specified service.
■ exclude—Creates an exception to a previously defined rule.
■ authen-service—The service that is included or excluded. It is the application with which
the user accesses the network. The Security Appliance can authenticate only via FTP,
HTTP, and Telnet. You can configure the authen-service as “any” to allow the Security
Appliance to authenticate any of the three, but this does not allow your users to
authenticate using any protocol other than FTP, HTTP, or Telnet.
■ inbound—Specifies that the Security Appliance is to authenticate inbound traffic
(originates on the outside interface and is directed to the inside interface).
■ outbound—Specifies that the Security Appliance is to authenticate outbound traffic
(originates on the inside interface and is directed to the outside interface).
■ if-name—The interface name from which the users should be authenticated. This is
optional. By default, the user must authenticate before being allowed through the PIX
Firewall. Therefore, outbound traffic authenticates at the inside interface, and inbound
traffic authenticates at the outside interface.
■ local-ip—The host address or network segment with the highest security level. As with
the other address definitions on the Security Appliance, 0 is used to define “any.”
■ local-mask—The subnet mask that applies to the local-ip; 0 is used to define “any.”
■ foreign-ip—Defines the address space with the lowest security level. The use of 0 defines
“any.”
■ foreign-mask—The subnet mask that applies to the foreign-ip; 0 is used to define “any.”
■ group-tag—The name used for the AAA server group. The group-tag is also used in the
aaa-server, aaa authorization, and aaa accounting commands.
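As an added example (not from the original chapter), the following configuration ties an aaa-server group to an aaa authentication include rule and an exclude exception using the variables listed above. It assumes PIX 6.x command syntax; the group tag, server address, shared-key placeholder and network addresses are constructed for illustration.

```cisco
! Added example: AAA server group definition (constructed values).
! The key on this line must exactly match the key configured on Cisco Secure ACS,
! otherwise the NAS and the ACS server never establish communication.
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 10.1.1.10 REPLACE_WITH_SHARED_KEY timeout 5
!
! include: require authentication for HTTP and Telnet sessions that originate
! on the inside network 10.1.1.0/24 and go to any foreign address (0 0 = "any").
aaa authentication include http outbound 10.1.1.0 255.255.255.0 0 0 TACACS-GRP
aaa authentication include telnet outbound 10.1.1.0 255.255.255.0 0 0 TACACS-GRP
!
! exclude: exception to the HTTP rule above for a single management host; the
! 255.255.255.255 mask limits the exception to that one local address.
aaa authentication exclude http outbound 10.1.1.50 255.255.255.255 0 0 TACACS-GRP
```

Because only the services named in include rules (or covered by "any") are challenged, review the include lines against the inside subnets that actually need to be authenticated.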
The following sections describe the three different formats and functions of the aaa
authentication command in greater detail.