Configuring RADIUS and TACACS+ Console Authentication
If you are configuring the PIX firewall to use RADIUS or TACACS+ to
authenticate users attempting to access the firewall itself, first use the following
command to define a group for the AAA servers that the firewall will use:
aaa-server group_tag protocol auth_protocol
Specify a name for the server group (group_tag) and either tacacs+ or
radius as the authentication protocol (auth_protocol).
NOTE
You can specify up to 14 AAA server groups on a PIX firewall. The clear
aaa-server command is used to remove an AAA server group.
Then use the following command to define the specific AAA servers that will be
associated with the group:
www.syngress.com
Authentication, Authorization, and Accounting • Chapter 5 245
aaa-server group_tag [(interface)] host server_ip [key] [timeout seconds]
Specify the name of the group (group_tag) to which the server will belong
and the name of the interface (interface) on which the server resides. If the
interface is not specified, it is assumed to be the inside interface. Use the host
keyword to specify the IP address of the AAA server. Specify the secret key that
will be used between the AAA client and the server. If the key is not specified,
the PIX will communicate with the AAA server in unencrypted mode. Use
the timeout keyword to specify how long the PIX firewall waits before retrying
access. The PIX will retry four times before choosing the next server to attempt
authentication. The default value for the timeout is 5 seconds, and the maximum
allowed is 30 seconds. You can specify a maximum of 16 AAA servers in a group.
To remove a server from the configuration, use the no aaa-server command.
NOTE
By default, the PIX firewall communicates with RADIUS servers on port 1645
for authentication and port 1646 for accounting. Newer RADIUS servers
may use port numbers 1812 and 1813. If your server uses ports other
than 1645 and 1646, you should define the ports accordingly on the PIX
firewall using the aaa-server radius-authport and aaa-server radius-acctport
commands before defining the RADIUS servers with the aaa-server
command.
Once you have designated AAA authentication servers using the aaa-server
command, you can verify your configuration using the show aaa-server command.
The next step is to specify the AAA authentication database that should be used
for the various access methods. Use the following command to specify the
authentication database:
aaa authentication [serial | enable | telnet | ssh | http] console group_tag
The syntax is very similar to that used for local authentication. The group_tag parameter
identifies the AAA server group to use for authentication. For example, you
can issue the following commands to create the AuthPIX server group, assign a
TACACS+ server to it, and specify that the group should be used when a user
attempts to access the PIX firewall via Telnet, SSH, and HTTP:
PIX1(config)# aaa-server AuthPIX protocol tacacs+
PIX1(config)# aaa-server AuthPIX (inside) host 10.5.1.20 TacacsKey
PIX1(config)# aaa authentication telnet console AuthPIX
PIX1(config)# aaa authentication ssh console AuthPIX
PIX1(config)# aaa authentication http console AuthPIX
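As an added example (not from the book), the following Python script audits the aaa-server and aaa authentication lines of a PIX configuration against the rules given in this section: a server defined without a key (the PIX then talks to it unencrypted), a timeout above 30 seconds, radius-authport/acctport set after servers were already defined, more than 16 servers in a group or more than 14 groups, and a console authentication line that names an undefined group. The limits, the regular expressions, the function name audit_aaa and the constructed SAMPLE_CONFIG are all assumptions made here for illustration.

```python
import re

# Limits stated in the text for PIX aaa-server configuration (assumed constants).
MAX_GROUPS, MAX_SERVERS_PER_GROUP, MAX_TIMEOUT = 14, 16, 30
PROTO_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(tacacs\+|radius)$")
HOST_RE = re.compile(
    r"^aaa-server\s+(\S+)\s+(?:\((\S+)\)\s+)?host\s+(\S+)"
    r"(?:\s+(?!timeout\b)(\S+))?(?:\s+timeout\s+(\d+))?$")
PORT_RE = re.compile(r"^aaa-server\s+radius-(?:authport|acctport)\s+\d+$")
AUTH_RE = re.compile(r"^aaa\s+authentication\s+(serial|enable|telnet|ssh|http)\s+console\s+(\S+)$")


def audit_aaa(config):
    """Return a list of findings (strings) for the AAA lines of a PIX config."""
    findings, groups, hosts_seen = [], {}, False  # groups: group_tag -> server IPs
    for raw in config.splitlines():
        line = raw.strip()
        if m := PROTO_RE.match(line):
            groups.setdefault(m.group(1), [])
        elif m := HOST_RE.match(line):
            tag, _iface, ip, key, timeout = m.groups()
            hosts_seen = True
            if tag not in groups:
                findings.append(f"{tag}: host {ip} defined before its protocol line")
            groups.setdefault(tag, []).append(ip)
            if key is None:  # no shared secret: PIX talks to the server unencrypted
                findings.append(f"{tag}: host {ip} has no key (unencrypted AAA traffic)")
            if timeout is not None and int(timeout) > MAX_TIMEOUT:
                findings.append(f"{tag}: host {ip} timeout {timeout}s exceeds {MAX_TIMEOUT}s")
        elif PORT_RE.match(line) and hosts_seen:
            findings.append("radius-authport/acctport set after servers were defined")
        elif m := AUTH_RE.match(line):
            if m.group(2) not in groups:
                findings.append(f"aaa authentication {m.group(1)} console uses undefined group {m.group(2)}")
    if len(groups) > MAX_GROUPS:
        findings.append(f"{len(groups)} server groups exceeds the limit of {MAX_GROUPS}")
    for tag, ips in groups.items():
        if len(ips) > MAX_SERVERS_PER_GROUP:
            findings.append(f"{tag}: {len(ips)} servers exceeds the limit of {MAX_SERVERS_PER_GROUP}")
    return findings


# Constructed sample: the AuthPIX group from the text plus deliberately flawed lines.
SAMPLE_CONFIG = """
aaa-server AuthPIX protocol tacacs+
aaa-server AuthPIX (inside) host 10.5.1.20 TacacsKey
aaa authentication telnet console AuthPIX
aaa-server RadPIX protocol radius
aaa-server RadPIX host 10.5.1.21 timeout 45
aaa-server radius-authport 1812
aaa authentication enable console Missing
"""
```

Running audit_aaa(SAMPLE_CONFIG) reports the missing key and oversized timeout on the RadPIX server, the late radius-authport line, and the undefined Missing group, while the AuthPIX lines pass cleanly.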