This chapter describes how to configure outbound RADIUS AAA, that is, AAA
for sessions transiting the PIX Firewall from its inside interface to its outside
interface, as shown in Figure 2-1. A user on any computer in the 192.168.3.0
network will be authenticated for HTTP, FTP, or Telnet requests to any computer
on the outside interface of the PIX Firewall. In this example, the 192.168.3.0
network represents the engineering department and RADIUS is used to
authenticate, authorize, and account for outbound sessions.
After the configuration presented in this chapter is complete, only users who have
valid accounts on Cisco Secure Access Control Server (ACS) and provide the
correct username and password can access computers outside the PIX Firewall;
however, no limitations are placed on which computers outside the PIX Firewall
they can access. Chapter 3, “ACLs with RADIUS” addresses the use of
Cisco Secure ACS to apply ACLs on a per-user basis; however, the configuration
in this chapter is required for the ACL configuration, presented later, to work
correctly.
This chapter contains the following topics:
• Example Network, page 2-2
• PIX Firewall AAA Server Configuration for Outbound RADIUS, page 2-3
• Outbound RADIUS Authentication Configuration, page 2-3
– PIX Firewall Configuration for Outbound RADIUS Authentication, page 2-4
– Cisco Secure ACS Configuration for Outbound RADIUS Authentication, page 2-4
Sample Configuration Guide for Cisco Secure ACS and PIX Firewall
OL-5644-01 2-1
Chapter 2 Outbound RADIUS AAA
Example Network
Figure 2-1 illustrates the network used for this example.
PIX Firewall AAA Server Configuration for Outbound RADIUS
The 16-character key provided for the server definition is a hexadecimal number
randomly generated using an external entropy source. While PIX Firewall accepts
up to 127 characters for a key, Cisco Secure ACS accepts a maximum of 32
characters for AAA client keys.
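The key-length rule above matters because the same shared secret is entered on both the PIX Firewall and Cisco Secure ACS, so the stricter limit (32 characters) is the one that applies. The following is an added example, not code from the Cisco guide: it draws a hexadecimal key from the operating system's entropy source and checks a candidate key against both limits. The function names and the 64-bit entropy estimate (4 bits per random hex character) are the example's own.

```python
"""Added example (not from the Cisco guide): generate and check a RADIUS
shared secret that fits both the PIX Firewall and Cisco Secure ACS limits."""
import secrets
import string

PIX_MAX_KEY_LEN = 127  # from the guide: PIX Firewall accepts up to 127 characters
ACS_MAX_KEY_LEN = 32   # from the guide: Cisco Secure ACS accepts at most 32 characters

# The same key is configured on both devices, so the usable maximum is the
# stricter of the two limits.
EFFECTIVE_MAX_KEY_LEN = min(PIX_MAX_KEY_LEN, ACS_MAX_KEY_LEN)


def generate_shared_secret(hex_chars: int = 16) -> str:
    """Return a random hexadecimal key of the requested length.

    secrets.token_hex() reads the OS entropy source; two hex characters
    encode one byte, so a 16-character key needs 8 random bytes.
    """
    if hex_chars <= 0 or hex_chars % 2:
        raise ValueError("hex_chars must be a positive even number")
    if hex_chars > EFFECTIVE_MAX_KEY_LEN:
        raise ValueError(f"key longer than {EFFECTIVE_MAX_KEY_LEN} cannot be used on both devices")
    return secrets.token_hex(hex_chars // 2)


def is_hex(key: str) -> bool:
    """True when every character is a hexadecimal digit."""
    return bool(key) and all(ch in string.hexdigits for ch in key)


def hex_entropy_bits(key: str) -> int:
    """Entropy of a uniformly random hex key: 4 bits per character."""
    return 4 * len(key) if is_hex(key) else 0


def check_shared_secret(key: str) -> list:
    """Return a list of problems with the key; an empty list means acceptable."""
    problems = []
    if not key:
        problems.append("key is empty")
    if len(key) > PIX_MAX_KEY_LEN:
        problems.append(f"exceeds PIX Firewall limit of {PIX_MAX_KEY_LEN}")
    if len(key) > ACS_MAX_KEY_LEN:
        problems.append(f"exceeds Cisco Secure ACS limit of {ACS_MAX_KEY_LEN}")
    return problems


if __name__ == "__main__":
    key = generate_shared_secret()
    print(key, hex_entropy_bits(key), "bits", check_shared_secret(key))
```

A key that passes check_shared_secret() can be entered unchanged in both the PIX aaa-server definition and the ACS AAA client entry; a key that fails only the ACS check would be accepted by the PIX but rejected by ACS, and the two would never agree.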
Outbound RADIUS Authentication Configuration
Note If you are using Network Device Groups (NDGs), you must also click the
name of the NDG that you want to add the AAA client entry to.
Outbound RADIUS Accounting Configuration
Step 1 Select System Configuration > Logging > CSV RADIUS Accounting.
Step 2 Confirm that the Log to CSV RADIUS Accounting report check box is selected.
If it is not selected, select it now.
Step 3 In the Select Attributes To Log table, be sure that the RADIUS attributes that you
want to see in the RADIUS accounting log appear in the Logged Attributes list.
In addition to the standard RADIUS attributes, there are several special logging
attributes provided by Cisco Secure ACS, such as Real Name, ExtDB Info, and
Logged Remotely. For more information about these attributes, refer to the user
guide for your Cisco Secure ACS.
Step 4 (Optional) If you are using Cisco Secure ACS for Windows Server, you can
specify log file management, which determines how large RADIUS accounting files
can be, how many are retained, for how long, and where they are stored.
Note Configuring Cisco Secure ACS Appliance to log using Cisco Secure ACS
Remote Agent is beyond the scope of this guide. For information, see
User Guide for Cisco Secure ACS Appliance.
Tip Cisco Secure ACS also provides a means of sending accounting data to
other AAA servers. This is accomplished by configuring the AAA server
entry in the Network Configuration section of the HTML interface. For
details, see the applicable Cisco Secure ACS user guide.
Step 5 If you have made changes to RADIUS accounting configuration, click Submit.
Cisco Secure ACS saves and implements the changes you made to its RADIUS
accounting configuration.
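Once the CSV RADIUS Accounting report is enabled, the log is only useful if the attributes chosen in Step 3 are actually present and if Start and Stop records can be matched. The following is an added example, not code from the Cisco guide or from Cisco Secure ACS: it reads a constructed CSV accounting log that uses standard RADIUS attribute names as column headers (the column order, session IDs, user names and times are assumptions for this example), verifies that the attributes needed for session reconstruction were logged, and pairs Start with Stop records so that accounted time per user and sessions with no Stop record can be reported.

```python
"""Added example (not from the Cisco guide): check and summarize a CSV RADIUS
accounting log of the kind Cisco Secure ACS writes."""
import csv
import io
from collections import defaultdict

# Constructed sample log. The headers are standard RADIUS attribute names;
# the column order and every value are assumptions made for this example.
SAMPLE_ACCOUNTING_CSV = """\
Date,Time,User-Name,Acct-Status-Type,Acct-Session-Id,Acct-Session-Time,Framed-IP-Address
01/15/2004,09:00:05,jdoe,Start,0x1001,,192.168.3.10
01/15/2004,09:12:35,jdoe,Stop,0x1001,750,192.168.3.10
01/15/2004,09:30:00,asmith,Start,0x1002,,192.168.3.20
01/15/2004,09:31:00,jdoe,Start,0x1003,,192.168.3.10
01/15/2004,09:41:00,jdoe,Stop,0x1003,600,192.168.3.10
"""

# Attributes this summary needs; keep these in the ACS "Logged Attributes" list.
REQUIRED_ATTRIBUTES = ("User-Name", "Acct-Status-Type", "Acct-Session-Id", "Acct-Session-Time")


def parse_accounting(text: str) -> list:
    """Parse CSV text into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def missing_attributes(text: str) -> list:
    """Return the required attributes absent from the log header."""
    header = csv.DictReader(io.StringIO(text)).fieldnames or []
    return [attr for attr in REQUIRED_ATTRIBUTES if attr not in header]


def summarize_sessions(records: list) -> tuple:
    """Pair Start/Stop records by Acct-Session-Id.

    Returns (seconds_per_user, open_session_ids). A Start with no matching
    Stop is either still active or lost accounting traffic; both are worth
    a look when reviewing the log.
    """
    started = {}
    seconds = defaultdict(int)
    for rec in records:
        sid = rec["Acct-Session-Id"]
        status = rec["Acct-Status-Type"]
        if status == "Start":
            started[sid] = rec
        elif status == "Stop":
            started.pop(sid, None)
            seconds[rec["User-Name"]] += int(rec["Acct-Session-Time"] or 0)
    return dict(seconds), sorted(started)


if __name__ == "__main__":
    missing = missing_attributes(SAMPLE_ACCOUNTING_CSV)
    if missing:
        print("log is missing attributes:", missing)
    per_user, open_ids = summarize_sessions(parse_accounting(SAMPLE_ACCOUNTING_CSV))
    print("accounted seconds per user:", per_user)
    print("sessions without a Stop record:", open_ids)
```

If missing_attributes() reports anything, go back to Step 3 and move those attributes into the Logged Attributes list; the summary cannot be built without them.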