Table of Contents
Outbound RADIUS AAA
• Example Network
• PIX Firewall AAA Server Configuration for Outbound RADIUS
• Outbound RADIUS Authentication Configuration
  – PIX Firewall Configuration for Outbound RADIUS Authentication
  – Cisco Secure ACS Configuration for Outbound RADIUS Authentication
• Outbound RADIUS Accounting Configuration
  – PIX Firewall Configuration for Outbound RADIUS Accounting
  – Cisco Secure ACS Configuration for Outbound RADIUS Accounting
Outbound RADIUS AAA
This chapter describes how to configure outbound RADIUS AAA, that is, AAA for sessions transiting the PIX Firewall from its inside interface to its outside interface, as shown in Figure 2-1. A user on any computer in the 192.168.3.0 network will be authenticated for HTTP, FTP, or Telnet requests to any computer on the outside interface of the PIX Firewall. In this example, the 192.168.3.0 network represents the engineering department, and RADIUS is used to authenticate, authorize, and account for outbound sessions.
After the configuration presented in this chapter is complete, only users who have valid accounts on Cisco Secure Access Control Server (ACS) and provide the correct username and password can access computers outside the PIX Firewall; however, no limitations are placed on which computers outside the PIX Firewall they can access. "ACLs with RADIUS" addresses the use of Cisco Secure ACS to apply ACLs on a per-user basis; the configuration in this chapter is a prerequisite for the ACL configuration presented there to work correctly.
This chapter contains the following topics:
• Example Network
• PIX Firewall AAA Server Configuration for Outbound RADIUS
• Outbound RADIUS Authentication Configuration
  – PIX Firewall Configuration for Outbound RADIUS Authentication
  – Cisco Secure ACS Configuration for Outbound RADIUS Authentication
• Outbound RADIUS Accounting Configuration
  – PIX Firewall Configuration for Outbound RADIUS Accounting
  – Cisco Secure ACS Configuration for Outbound RADIUS Accounting
Example Network
Figure 2-1 illustrates the network used for this example.
Figure 2-1 Example Network
PIX Firewall AAA Server Configuration for Outbound RADIUS
When AAA is used, the PIX Firewall must have a server group for each AAA protocol enabled. The aaa-server command is used both to define server groups and to add specific AAA servers to a server group. You can have up to 16 server groups on the PIX Firewall. One RADIUS server group is sufficient for this example, which uses the Cisco Secure ACS shown in Figure 2-1 as its RADIUS server.
The following commands create the server group and add Cisco Secure ACS to it. In this example, only one Cisco Secure ACS is present in the network. If you use more than one Cisco Secure ACS for redundant AAA support, you can add the additional Cisco Secure ACSes to the same server group, which provides failover if the first Cisco Secure ACS is unresponsive.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.12 13ced68ebf5e820a2eacd2bbd0c91a60
The key provided for the server definition is a 16-byte value, written as 32 hexadecimal characters, that was randomly generated using an external entropy source. While the PIX Firewall accepts up to 127 characters for a key, Cisco Secure ACS accepts a maximum of 32 characters for AAA client keys, so the key must fit the stricter limit.
Tip
For easy access to highly random numbers, visit http://www.random.org or http://www.fourmilab.ch/hotbits/.
Outbound RADIUS Authentication Configuration
This section provides the essential details for configuring outbound RADIUS authentication on the Cisco Secure ACS and PIX Firewall used in this example.
This section contains the following topics:
• PIX Firewall Configuration for Outbound RADIUS Authentication
• Cisco Secure ACS Configuration for Outbound RADIUS Authentication
PIX Firewall Configuration for Outbound RADIUS Authentication
To enable RADIUS authentication on the PIX Firewall, use the aaa authentication command.
Note
Enabling RADIUS authentication automatically enables RADIUS authorization. This is a consequence of the design of the RADIUS protocol: a RADIUS Access-Accept carries the authorization attributes along with the authentication result, so when you use RADIUS you cannot separate the functions of authentication and authorization.
The following commands enable RADIUS authentication specifically for FTP, HTTP, and Telnet requests from any computer on the 192.168.3.0 network to any computer on the outside interface of the PIX Firewall. The final keyword in each command, "RADIUS", specifies the AAA server group created in PIX Firewall AAA Server Configuration for Outbound RADIUS.
aaa authentication include ftp inside 192.168.3.0 255.255.255.0 0 0 RADIUS
aaa authentication include http inside 192.168.3.0 255.255.255.0 0 0 RADIUS
aaa authentication include telnet inside 192.168.3.0 255.255.255.0 0 0 RADIUS
Cisco Secure ACS Configuration for Outbound RADIUS Authentication
Configuring Cisco Secure ACS to accept RADIUS authentication requests consists entirely of creating a AAA client entry that represents the PIX Firewall for RADIUS requests. This procedure describes how to create a AAA client entry in Cisco Secure ACS that represents the PIX Firewall in Figure 2-1 and specifies RADIUS as the AAA protocol.
To configure Cisco Secure ACS to perform RADIUS authentication with the PIX Firewall, follow these steps:
Step 1: Select Network Configuration.
Note
If you are using Network Device Groups (NDGs), you must also click the name of the NDG that you want to add the AAA client entry to.
Step 2: Under the AAA Clients table, select Add Entry.
The Add AAA Client page appears.
Step 3: Configure the boxes, list, and check boxes on the Add AAA Client page as follows:
• AAA Client Hostname—The name you want to assign to the AAA client entry. This need not be the actual hostname of the PIX Firewall; it is used only as the AAA client entry name by Cisco Secure ACS. In this example, type the hostname plus the AAA protocol, pixfirewall-radius.
• AAA Client IP Address—The IP address of the PIX Firewall interface from which Cisco Secure ACS will receive RADIUS requests. In this example, 10.1.1.1.
• Key—The same key specified on the PIX Firewall for the RADIUS server. For this example, type 13ced68ebf5e820a2eacd2bbd0c91a60.
• Authenticate Using—The AAA protocol and, in the case of RADIUS, the vendor dictionary used for communication with the AAA client. For this example, select RADIUS (Cisco IOS/PIX).
The check boxes available on the Add AAA Client page are not used in this example.
Step 4: Click Submit + Restart.
Cisco Secure ACS saves the AAA client entry and restarts its services, after which it accepts and processes RADIUS requests from the PIX Firewall.
Outbound RADIUS Accounting Configuration
This section provides the essential details for configuring outbound RADIUS accounting on the Cisco Secure ACS and PIX Firewall used in this example.
This section contains the following topics:
• PIX Firewall Configuration for Outbound RADIUS Accounting
• Cisco Secure ACS Configuration for Outbound RADIUS Accounting
PIX Firewall Configuration for Outbound RADIUS Accounting
To enable RADIUS accounting of all TCP services, use the aaa accounting command. The following command causes the PIX Firewall to send RADIUS accounting packets for RADIUS-authenticated outbound sessions from any inside host to any destination to the AAA server group named "RADIUS".
aaa accounting include any inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 RADIUS
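The shared key defined in the aaa-server command is what ties the PIX Firewall's accounting packets to the ACS entry: the PIX computes the Request Authenticator of each Accounting-Request over the packet plus the key (RFC 2866), and ACS recomputes it with its own copy and drops the packet if they differ. The following is an added example, not Cisco code, that builds an Accounting-Request Start as the PIX would and verifies it as ACS would, using the key from this chapter; it also shows that a 16-byte random key written as hex fits both the PIX (127) and ACS (32) limits. The username, the attribute set, and the 192.168.3.25 client address are constructed for the example.

```python
import hashlib
import secrets
import socket
import struct

# Key from the aaa-server command in this chapter (16 bytes as 32 hex chars).
PIX_RADIUS_KEY = "13ced68ebf5e820a2eacd2bbd0c91a60"
PIX_KEY_MAX_CHARS = 127   # PIX Firewall limit stated in this chapter
ACS_KEY_MAX_CHARS = 32    # Cisco Secure ACS limit stated in this chapter

ACCOUNTING_REQUEST = 4    # RADIUS packet code, RFC 2866
ACCT_STATUS_START = 1     # Acct-Status-Type value for a session start

def generate_shared_key() -> str:
    """16 random bytes from the OS CSPRNG, hex-encoded: the same shape as the
    chapter's key, and within the limits of both devices."""
    return secrets.token_hex(16)

def key_fits_both(key: str) -> bool:
    """The key must satisfy the stricter of the two devices' limits (ACS, 32)."""
    return 1 <= len(key) <= min(PIX_KEY_MAX_CHARS, ACS_KEY_MAX_CHARS)

def _attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (incl. 2 header bytes), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_acct_start(secret: str, ident: int, user: str,
                     nas_ip: str, framed_ip: str) -> bytes:
    """Accounting-Request (Start) as the NAS (PIX) sends it.
    Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attributes|Secret)."""
    attrs = (_attr(1, user.encode())                          # User-Name
             + _attr(40, struct.pack("!I", ACCT_STATUS_START))  # Acct-Status-Type
             + _attr(4, socket.inet_aton(nas_ip))             # NAS-IP-Address
             + _attr(8, socket.inet_aton(framed_ip)))         # Framed-IP-Address
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret.encode()).digest()
    return header + auth + attrs

def verify_acct_request(packet: bytes, secret: str) -> bool:
    """What the server (ACS) does: recompute the authenticator with its copy of
    the key; a mismatched key or a tampered packet fails verification."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret.encode()).digest()
    return secrets.compare_digest(auth, expected)
```

A key mismatch between the aaa-server command and the AAA client entry shows up on ACS as silently discarded packets, so verifying the authenticator is the first thing to check when accounting records never appear.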
Cisco Secure ACS Configuration for Outbound RADIUS Accounting
Cisco Secure ACS accepts RADIUS accounting packets from the PIX Firewall because of the AAA client entry created in Cisco Secure ACS Configuration for Outbound RADIUS Authentication. By default, RADIUS accounting is enabled in Cisco Secure ACS; however, you can specify which attributes are logged, including the few special logging attributes provided by Cisco Secure ACS.
To configure Cisco Secure ACS to perform RADIUS accounting, follow these steps:
Step 1: Select System Configuration > Logging > CSV RADIUS Accounting.
Step 2: Confirm that the Log to CSV RADIUS Accounting report check box is selected. If it is not selected, select it now.
Step 3: In the Select Attributes To Log table, make sure that the RADIUS attributes you want to see in the RADIUS accounting log appear in the Logged Attributes list. In addition to the standard RADIUS attributes, there are several special logging attributes provided by Cisco Secure ACS, such as Real Name, ExtDB Info, and Logged Remotely. For more information about these attributes, refer to the user guide for your Cisco Secure ACS.
Step 4: (Optional) If you are using Cisco Secure ACS for Windows Server, you can specify log file management, which determines how large RADIUS accounting files can be, how many are retained, for how long, and where they are stored.
Note
Configuring Cisco Secure ACS Appliance to log using Cisco Secure ACS Remote Agent is beyond the scope of this guide. For information, see User Guide for Cisco Secure ACS Appliance.
Tip
Cisco Secure ACS also provides a means of forwarding accounting data to other AAA servers. This is configured on the AAA server entry in the Network Configuration section of the HTML interface. For details, see the applicable Cisco Secure ACS user guide.
Step 5: If you have made changes to the RADIUS accounting configuration, click Submit.
Cisco Secure ACS saves and applies the changes you made to its RADIUS accounting configuration.