
Chapter 2

Outbound RADIUS AAA

This chapter describes how to configure outbound RADIUS AAA, that is, AAA
for sessions transiting the PIX Firewall from its inside interface to its outside
interface, as shown in Figure 2-1. A user on any computer in the 192.168.3.0
network will be authenticated for HTTP, FTP, or Telnet requests to any computer
on the outside interface of the PIX Firewall. In this example, the 192.168.3.0
network represents the engineering department and RADIUS is used to
authenticate, authorize, and account for outbound sessions.
After the configuration presented in this chapter is complete, only users who have
valid accounts on Cisco Secure Access Control Server (ACS) and provide the
correct username and password can access computers outside the PIX Firewall;
however, no limitations are placed on which computers outside the PIX Firewall
they can access. Chapter 3, “ACLs with RADIUS” addresses the use of
Cisco Secure ACS to apply ACLs on a per-user basis; however, the configuration
in this chapter is required for the ACL configuration, presented later, to work
correctly.
This chapter contains the following topics:
• Example Network, page 2-2
• PIX Firewall AAA Server Configuration for Outbound RADIUS, page 2-3
• Outbound RADIUS Authentication Configuration, page 2-3
– PIX Firewall Configuration for Outbound RADIUS Authentication, page 2-4
– Cisco Secure ACS Configuration for Outbound RADIUS Authentication, page 2-4
• Outbound RADIUS Accounting Configuration, page 2-5
– PIX Firewall Configuration for Outbound RADIUS Accounting, page 2-6
– Cisco Secure ACS Configuration for Outbound RADIUS Accounting, page 2-6

Sample Configuration Guide for Cisco Secure ACS and PIX Firewall
OL-5644-01 2-1

Example Network
Figure 2-1 illustrates the network used for this example.

Figure 2-1 Example Network


PIX Firewall AAA Server Configuration for Outbound RADIUS
When AAA is used, the PIX Firewall must have a server group for each AAA
protocol enabled. The aaa-server command is used both to define server groups
and to add specific AAA servers to a server group. You can have up to 16 server
groups on the PIX Firewall. One RADIUS server group is sufficient for this
example, which uses the Cisco Secure ACS shown in Figure 2-1 as its RADIUS
server.
The following commands create the server group and add Cisco Secure ACS to
the server group. In this example, only one Cisco Secure ACS is present in the
network. Were you to use more than one Cisco Secure ACS for redundant AAA
support, you could add the additional Cisco Secure ACSes to the same server
group, thereby providing for failover if the first Cisco Secure ACS is
unresponsive.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.12 13ced68ebf5e820a2eacd2bbd0c91a60

The key given in the server definition is 16 random bytes, written as a
32-character hexadecimal string, generated from an external entropy source.
While PIX Firewall accepts up to 127 characters for a key, Cisco Secure ACS
accepts a maximum of 32 characters for AAA client keys, so 32 hexadecimal
characters is the longest key both sides accept. This key is the RADIUS shared
secret: it hides the User-Password attribute and authenticates every packet
exchanged between the PIX Firewall and Cisco Secure ACS. Use a different key
for each AAA client, and do not reuse the example key printed in this guide.

Tip For easy access to highly random numbers, visit http://www.random.org or
http://www.fourmilab.ch/hotbits/. A key fetched from a web service has been
disclosed to that service and to the network path, so for a production secret
generate the key locally with a cryptographically secure random number
generator.

Outbound RADIUS Authentication Configuration


This section provides the essential details for configuring outbound RADIUS
authentication on the Cisco Secure ACS and PIX Firewall used in this example.
This section contains the following topics:
• PIX Firewall Configuration for Outbound RADIUS Authentication, page 2-4
• Cisco Secure ACS Configuration for Outbound RADIUS Authentication,
page 2-4


PIX Firewall Configuration for Outbound RADIUS Authentication

To enable RADIUS authentication on the PIX Firewall, use the aaa
authentication command.

Note Enabling RADIUS authentication automatically enables RADIUS authorization.
This is a consequence of the RADIUS protocol design: the Access-Accept message
that authenticates a user also carries the authorization attributes for that
session, so RADIUS authentication cannot be separated from RADIUS
authorization.

The following commands enable RADIUS authentication specifically for FTP,
HTTP, and Telnet requests from any computer on the 192.168.3.0 network to any
computer on the outside interface of the PIX Firewall. In each command,
192.168.3.0 255.255.255.0 is the local (inside) address and mask, and the
following 0 0 is the foreign address and mask, where 0 0 matches any foreign
host. The final keyword in each command, “RADIUS”, specifies the AAA server
group created in PIX Firewall AAA Server Configuration for Outbound RADIUS,
page 2-3.
aaa authentication include ftp inside 192.168.3.0 255.255.255.0 0 0 RADIUS
aaa authentication include http inside 192.168.3.0 255.255.255.0 0 0 RADIUS
aaa authentication include telnet inside 192.168.3.0 255.255.255.0 0 0 RADIUS
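The following Python script is an added example, not code from this guide or
from Cisco. It walks through the RADIUS exchange that the aaa authentication
commands above trigger: the PIX Firewall (NAS, 10.1.1.1) hides the user's
password under the shared key from the aaa-server command, Cisco Secure ACS
(10.1.1.12) unhides and checks it, and the PIX verifies the Response
Authenticator on the reply. It also shows the local key generation suggested
in the AAA server section (generate_shared_secret). The user name, password
and the user_db dictionary standing in for the ACS user database are
constructed for the example; the packet formats and MD5 constructions are
those of RFC 2865.

```python
import hashlib
import os
import secrets
import struct

SHARED_SECRET = b"13ced68ebf5e820a2eacd2bbd0c91a60"  # key from the aaa-server command
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6


def generate_shared_secret(nbytes=16):
    """Local CSPRNG alternative to the web entropy sources in the Tip above:
    16 random bytes become 32 hex characters, the longest key ACS accepts."""
    if nbytes * 2 > 32:
        raise ValueError("Cisco Secure ACS limits AAA client keys to 32 characters")
    return secrets.token_hex(nbytes)

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; what the server does before checking the credential."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(attrs):
    """Decode a TLV run into {type: value}; reject lengths that would loop or overrun."""
    fields, pos = {}, 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        fields[atype] = attrs[pos + 2:pos + alen]
        pos += alen
    return fields

def packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_access_request(username, password, secret, ident=0):
    """NAS (PIX) side: a fresh 16-byte Request Authenticator for every request."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes([10, 1, 1, 1]))  # PIX inside interface
             + attr(SERVICE_TYPE, struct.pack("!I", 1)))   # 1 = Login
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_reply(request, secret, user_db):
    """Server (ACS) side: unhide the password, check it against user_db (a
    constructed stand-in for the ACS user database) and answer Accept, which
    carries the session's authorization attributes, or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, fields = request[4:20], parse_attrs(request[20:length])
    given = reveal_password(fields[USER_PASSWORD], secret, req_auth)
    expected = user_db.get(fields[USER_NAME])
    ok = expected is not None and secrets.compare_digest(given, expected)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = attr(SERVICE_TYPE, struct.pack("!I", 1)) if ok else b""
    auth = response_authenticator(reply_code, ident, reply_attrs, req_auth, secret)
    return packet(reply_code, ident, auth, reply_attrs)

def nas_accepts(reply, req_auth, secret):
    """NAS side: a reply whose Response Authenticator does not verify under the
    NAS's own key is discarded, whatever its code says."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], req_auth, secret)
    return secrets.compare_digest(reply[4:20], expected) and code == ACCESS_ACCEPT

def authenticate(username, password, nas_secret, server_secret, user_db):
    """One exchange end to end: True only if both sides hold the same key and
    the credential is valid."""
    request, req_auth = build_access_request(username, password, nas_secret)
    return nas_accepts(server_reply(request, server_secret, user_db), req_auth, nas_secret)

if __name__ == "__main__":
    users = {b"jdoe": b"s3cret"}  # constructed ACS user entry
    print(authenticate(b"jdoe", b"s3cret", SHARED_SECRET, SHARED_SECRET, users))
    print(authenticate(b"jdoe", b"s3cret", SHARED_SECRET, b"other-key", users))
```

The second call fails because a key mismatch between the PIX aaa-server
entry and the ACS AAA client entry garbles the unhidden password and the
server answers Reject; the same mismatch would also make the PIX discard an
Access-Accept, since the Response Authenticator is keyed by the secret.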

Cisco Secure ACS Configuration for Outbound RADIUS Authentication
Configuring Cisco Secure ACS to accept RADIUS authentication requests
consists entirely of creating a AAA client entry that represents the PIX Firewall
for RADIUS requests. This procedure describes how to create a AAA client entry
in Cisco Secure ACS that represents the PIX Firewall in Figure 2-1 and specifies
RADIUS as the AAA protocol.
To configure Cisco Secure ACS to perform RADIUS authentication with the
PIX Firewall, follow these steps:

Step 1 Select Network Configuration.

Note If you are using Network Device Groups (NDGs), you must also click the
name of the NDG that you want to add the AAA client entry to.


Step 2 Under the AAA Clients table, select Add Entry.
The Add AAA Client page appears.
Step 3 Configure the boxes, list, and check boxes on the Add AAA Client page as
follows:
• AAA Client Hostname—The name you want to assign to the AAA client
entry. This need not be the actual hostname of the PIX Firewall. It is used
only as the AAA client entry name by Cisco Secure ACS. In this example,
type the hostname plus the AAA protocol, pixfirewall-radius.
• AAA Client IP Address—The IP address of interface of the PIX Firewall
from which Cisco Secure ACS will receive RADIUS requests. In this
example, 10.1.1.1.
• Key—The same key specified on the PIX Firewall for the RADIUS server.
For this example, type 13ced68ebf5e820a2eacd2bbd0c91a60.
• Authenticate Using—The AAA protocol and, in the case of RADIUS, the
vendor used for communication with the AAA client. For this example, select
RADIUS (Cisco IOS/PIX).
The check boxes available on the Add AAA Client page are not used in this
example.
Step 4 Click Submit + Restart.
Cisco Secure ACS saves the AAA client entry and restarts its services, after which
it will accept and process RADIUS requests from the PIX Firewall.

Outbound RADIUS Accounting Configuration


This section provides the essential details for configuring outbound RADIUS
accounting on the Cisco Secure ACS and PIX Firewall used in this example.
This section contains the following topics:
• PIX Firewall Configuration for Outbound RADIUS Accounting, page 2-6
• Cisco Secure ACS Configuration for Outbound RADIUS Accounting,
page 2-6


PIX Firewall Configuration for Outbound RADIUS Accounting

To enable RADIUS accounting of all TCP services, use the aaa accounting
command. The following command causes the PIX Firewall to send RADIUS
accounting packets for RADIUS-authenticated outbound sessions to the AAA
server group named “RADIUS”. The keyword any matches all TCP services, and the
two 0.0.0.0 0.0.0.0 pairs are the local and the foreign address and mask, so
the command covers every such session through the inside interface.
aaa accounting include any inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 RADIUS
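The following Python script is an added example, not code from this guide or
from Cisco. It builds the RFC 2866 Accounting-Request records that the aaa
accounting command above makes the PIX Firewall send at session Start and
Stop, performs the authenticator check that the RADIUS server must apply
before logging a record, and pairs Start and Stop records by Acct-Session-Id
the way a consumer of the accounting log would. The user name, session IDs,
session time and the inside host address 192.168.3.20 are constructed for the
example.

```python
import hashlib
import hmac
import struct

SHARED_SECRET = b"13ced68ebf5e820a2eacd2bbd0c91a60"  # key from the aaa-server command
ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46
START, STOP = 1, 2


def attr(atype, value):
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def accounting_authenticator(ident, attrs, secret):
    """RFC 2866 s3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret).
    Unlike an Access-Request, the authenticator here is a keyed digest of the record."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_accounting_request(ident, username, session_id, status, secret, session_time=0):
    """NAS (PIX) side: one record at session start (status 1) and one at stop (status 2)."""
    attrs = (attr(USER_NAME, username)
             + attr(NAS_IP_ADDRESS, bytes([10, 1, 1, 1]))        # PIX inside interface
             + attr(FRAMED_IP_ADDRESS, bytes([192, 168, 3, 20]))  # constructed engineering host
             + attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + attr(ACCT_SESSION_ID, session_id))
    if status == STOP:
        attrs += attr(ACCT_SESSION_TIME, struct.pack("!I", session_time))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + accounting_authenticator(ident, attrs, secret) + attrs

def parse_attrs(attrs):
    """Decode a TLV run into {type: value}; reject lengths that would loop or overrun."""
    fields, pos = {}, 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        fields[atype] = attrs[pos + 2:pos + alen]
        pos += alen
    return fields

def server_verify(packet, secret):
    """Server (ACS) side: recompute the authenticator with its copy of the AAA
    client key; on mismatch the record must be silently discarded (RFC 2866 s3).
    Returns the parsed attributes, or None for a discarded packet."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    attrs = packet[20:]
    if not hmac.compare_digest(packet[4:20], accounting_authenticator(ident, attrs, secret)):
        return None
    return parse_attrs(attrs)

def session_ledger(packets, secret):
    """Pair Start and Stop records by Acct-Session-Id.  Returns
    {session_id: (username, "open" | "closed", seconds_or_None)}; records that
    fail verification never reach the ledger."""
    ledger = {}
    for packet in packets:
        fields = server_verify(packet, secret)
        if fields is None:
            continue
        sid = fields[ACCT_SESSION_ID].decode()
        status = struct.unpack("!I", fields[ACCT_STATUS_TYPE])[0]
        user = fields[USER_NAME].decode()
        if status == START:
            ledger[sid] = (user, "open", None)
        elif status == STOP and sid in ledger:
            secs = struct.unpack("!I", fields[ACCT_SESSION_TIME])[0]
            ledger[sid] = (user, "closed", secs)
    return ledger

if __name__ == "__main__":
    # Constructed records: a valid Start/Stop pair and a Start forged under a guessed key.
    start = build_accounting_request(1, b"jdoe", b"0x00000001", START, SHARED_SECRET)
    stop = build_accounting_request(2, b"jdoe", b"0x00000001", STOP, SHARED_SECRET, 300)
    forged = build_accounting_request(3, b"jdoe", b"0x00000002", START, b"guess")
    print(session_ledger([start, stop, forged], SHARED_SECRET))
```

Because the Accounting-Request authenticator covers the whole record under the
shared key, a record sent under the wrong key, or one whose attributes were
altered in transit, fails server_verify and is dropped rather than logged;
this is why the AAA client key on ACS must match the aaa-server key exactly
for accounting, not only for authentication.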

Cisco Secure ACS Configuration for Outbound RADIUS Accounting
Cisco Secure ACS accepts RADIUS accounting packets from the PIX Firewall
because of the AAA client entry created in Cisco Secure ACS Configuration for
Outbound RADIUS Authentication, page 2-4. By default, RADIUS accounting is
enabled in Cisco Secure ACS; however, you can specify which attributes are
logged, including the few special logging attributes provided by Cisco Secure
ACS.
To configure Cisco Secure ACS to perform RADIUS accounting, follow these
steps:

Step 1 Select System Configuration > Logging > CSV RADIUS Accounting.
Step 2 Confirm that the Log to CSV RADIUS Accounting report check box is selected.
If it is not selected, select it now.
Step 3 In the Select Attributes To Log table, be sure that the RADIUS attributes that you
want to see in the RADIUS accounting log appear in the Logged Attributes list.
In addition to the standard RADIUS attributes, there are several special logging
attributes provided by Cisco Secure ACS, such as Real Name, ExtDB Info, and
Logged Remotely. For more information about these attributes, refer to the user
guide for your Cisco Secure ACS.
Step 4 (Optional) If you are using Cisco Secure ACS for Windows Server, you can
specify log file management, which determines how large RADIUS account files
can be, how many are retained, for how long, and where they are stored.


Note Configuring Cisco Secure ACS Appliance to log using Cisco Secure ACS
Remote Agent is beyond the scope of this guide. For information, see
User Guide for Cisco Secure ACS Appliance.

Tip Cisco Secure ACS also provides a means of sending accounting data to
other AAA servers. This is accomplished by configuring the AAA server
entry in the Network Configuration section of the HTML interface. For
details, see the applicable Cisco Secure ACS user guide.

Step 5 If you have made changes to RADIUS accounting configuration, click Submit.
Cisco Secure ACS saves and implements the changes you made to its RADIUS
accounting configuration.

