Table Of Contents
Overview
Product Versions
Example Network
Basic Configuration
PIX Firewall Basic Configuration
Cisco Secure ACS Basic Configuration
Overview
This guide presents an example network environment (Figure 1-1) and documents the Cisco Secure ACS and PIX Firewall configurations required for the following scenarios:
• Outbound and inbound RADIUS AAA
• ACLs with RADIUS, including:
– Specification of local ACLs
– ACLs using the Cisco AV pair
– Downloadable ACLs
• TACACS+ command authorization and enable password authentication
• Cisco Secure ACS administration across a PIX Firewall
With the exception of enable password authentication settings, this example configuration relies solely upon group-level permissions. In addition to minimizing the need to configure multiple user profiles, this approach also allows for the use of unknown user processing on Cisco Secure ACS. Unknown user processing depends upon group mapping configuration and external user database configuration.
Note
Unknown user processing and external user database configuration are beyond the scope of this guide. For more information about these topics, see the applicable Cisco Secure ACS user guide.
This chapter contains the following topics:
• Product Versions
• Example Network
• Basic Configuration
– PIX Firewall Basic Configuration
– Cisco Secure ACS Basic Configuration
Product Versions
This guide presents sample configurations based upon PIX Firewall software version 6.3 and Cisco Secure ACS version 3.2.
Example Network
Figure 1-1 illustrates the network configuration used in this example.
Figure 1-1 Example Network
Basic Configuration
This section describes the basic configuration of Cisco Secure ACS and PIX Firewall, based upon the network illustrated in Figure 1-1. These are the minimal configurations of both products that the sample configurations in this guide assume to be in place before AAA support for the PIX Firewall is configured on Cisco Secure ACS.
This section contains the following topics:
• PIX Firewall Basic Configuration
• Cisco Secure ACS Basic Configuration
PIX Firewall Basic Configuration
Figure 1-1 illustrates the network configuration used in this example. The following commands configure the PIX Firewall to operate as assumed by the sample configurations presented in this guide.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100basetx
interface ethernet1 100basetx
ip address inside 10.1.1.1 255.255.255.0
ip address outside 209.165.201.1 255.255.255.224
hostname pixfirewall
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 192.168.3.0 255.255.255.0
global (outside) 1 209.165.201.6-209.165.201.8 netmask 255.255.255.224
global (outside) 1 209.165.201.10 netmask 255.255.255.224
global (outside) 2 209.165.200.225-209.165.200.254 netmask 255.255.255.224
route outside 0 0 209.165.201.4 1
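The Python script below is an added example and is not part of the Cisco guide or of the PIX software. It reads the configuration lines above (copied into the script as constructed input), pairs each nat ID with its global pools, reports whether every pool address lies inside the outside interface's subnet, flags nat or global IDs that have no counterpart, and checks that each route's next hop is on the named interface's subnet. The regular expressions and helper names (parse_pix, check_pools, unmatched_ids, check_routes) are this example's own; they cover only the command forms used in this fragment.

```python
"""Sanity checks on the PIX 6.3 basic configuration (added example, not Cisco's).

Parses nameif-related 'ip address', 'nat', 'global' and 'route' lines and reports:
  * for every nat id, its global pools and whether each pool lies inside the
    outside interface's subnet (an off-link pool is valid PIX configuration,
    but the upstream router must then route that block to the PIX);
  * nat ids with no global pool, and global pool ids with no nat statement;
  * whether each route's next hop is on the named interface's subnet.
"""
import ipaddress
import re

# Constructed input: the configuration lines from this section, copied as-is.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100basetx
interface ethernet1 100basetx
ip address inside 10.1.1.1 255.255.255.0
ip address outside 209.165.201.1 255.255.255.224
hostname pixfirewall
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 192.168.3.0 255.255.255.0
global (outside) 1 209.165.201.6-209.165.201.8 netmask 255.255.255.224
global (outside) 1 209.165.201.10 netmask 255.255.255.224
global (outside) 2 209.165.200.225-209.165.200.254 netmask 255.255.255.224
route outside 0 0 209.165.201.4 1
"""

# Example's own patterns: only the command forms used in the fragment above.
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+) netmask (\S+)$")
IP_RE = re.compile(r"^ip address (\w+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\w+) (\S+) (\S+) (\S+)(?: (\d+))?$")


def _net(addr, mask):
    """PIX accepts '0 0' as shorthand for 0.0.0.0 0.0.0.0; normalise before parsing."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(text):
    """Return (interfaces, nats, pools, routes) from a PIX config fragment."""
    ifaces, nats, pools, routes = {}, [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := IP_RE.match(line):
            ifaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]), _net(m[3], m[4])))
        elif m := GLOBAL_RE.match(line):
            lo, _, hi = m[3].partition("-")  # pool is "first-last" or a single address
            pools.append((m[1], int(m[2]), ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)))
        elif m := ROUTE_RE.match(line):
            routes.append((m[1], _net(m[2], m[3]), ipaddress.ip_address(m[4])))
    return ifaces, nats, pools, routes


def check_pools(ifaces, nats, pools):
    """Map nat id -> [(interface, first, last, on_link)] for its global pools."""
    result = {}
    for _, nat_id, _ in nats:
        result[nat_id] = []
        for out_if, pool_id, first, last in pools:
            if pool_id != nat_id:
                continue
            subnet = ifaces[out_if].network
            on_link = first in subnet and last in subnet  # contiguous range: endpoints suffice
            result[nat_id].append((out_if, str(first), str(last), on_link))
    return result


def unmatched_ids(nats, pools):
    """Return (nat ids without a pool, pool ids without a nat statement)."""
    nat_ids = {n[1] for n in nats}
    pool_ids = {p[1] for p in pools}
    return sorted(nat_ids - pool_ids), sorted(pool_ids - nat_ids)


def check_routes(ifaces, routes):
    """Return [(interface, destination, gateway, gateway_on_link)]."""
    return [(i, str(d), str(g), g in ifaces[i].network) for i, d, g in routes]


if __name__ == "__main__":
    ifaces, nats, pools, routes = parse_pix(PIX_CONFIG)
    for nat_id, entries in check_pools(ifaces, nats, pools).items():
        for out_if, first, last, on_link in entries:
            where = "on-link" if on_link else "off-link: upstream must route it to the PIX"
            print(f"nat {nat_id} -> global ({out_if}) {first}-{last}: {where}")
    print("unmatched nat/global ids:", unmatched_ids(nats, pools))
    for iface, dest, gw, ok in check_routes(ifaces, routes):
        print(f"route {iface} {dest} via {gw}: gateway {'on-link' if ok else 'NOT on-link'}")
```

Run against the fragment above, the script reports both pools for nat ID 1 as on-link (they sit in 209.165.201.0/27, the outside interface's subnet) and the pool for nat ID 2 as off-link: 209.165.200.225-254 belongs to 209.165.200.224/27, so the upstream router at 209.165.201.4 must route that block back to the PIX for return traffic to arrive. Every nat ID has a pool and the default route's next hop is on the outside subnet. One thing the script does not check is that the source network for nat ID 2, 192.168.3.0/24, is not on the inside interface's subnet and that this fragment contains no route inside covering it; a complete configuration needs to account for how that network is reached.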
Cisco Secure ACS Basic Configuration
This guide assumes that the Cisco Secure ACS shown in Figure 1-1 is newly installed and that no configuration has been performed beyond what the installation process requires and the assumptions listed here, section by section of the Cisco Secure ACS HTML interface.
• User Setup—This guide assumes that basic user profiles have been created, or that the Unknown User Policy, configurable in the External User Databases section, has been configured so that a user profile is created automatically upon the first successful authentication of each user by an external user database.
If user profiles are created manually, this guide assumes only the following for each user profile:
– The username is specified.
– The Authenticate Using list in the user profile specifies the user database that will authenticate the user.
– If the CiscoSecure user database is to authenticate the user, the user's password has been specified.
• Group Setup—Configuration required for groups is covered in the sample configurations in this guide. No basic configuration is required. For the purposes of this sample configuration, a Cisco Secure ACS group that is unused or that has only default settings is recommended.
• Network Configuration—This guide assumes that Cisco Secure ACS is installed correctly and that its IP address is 10.1.1.12, as shown in Figure 1-1. This means that, in the Network Configuration section of the Cisco Secure ACS HTML interface, the AAA Servers table entry for Cisco Secure ACS contains this IP address. This table entry is created automatically during installation.
All AAA client configuration is covered in the sample configurations in this guide.
• System Configuration—No basic configuration is required in this section of the HTML interface. Additional configuration in this section is covered in the sample configurations in this guide.
• Interface Configuration—No basic configuration is required in this section of the HTML interface. Additional configuration in this section is covered in the sample configurations in this guide.
• Administration Control—This guide assumes that at least one administrator account with permissions to configure all groups and all features has been created. If the Cisco Secure ACS shown in Figure 1-1 is a Cisco Secure ACS Solution Engine, the default administrator has these privileges and can be used. Additional configuration in this section is covered in the sample configurations in this guide.
• External User Databases—If users are to be authenticated by one or more external user databases, this guide assumes that Cisco Secure ACS has been configured as required by the specific database.
• Reports and Activity—No configuration is possible in this section of the HTML interface; configuration in the System Configuration section that affects the Reports and Activity section is covered in the sample configurations in this guide.