RADIUS authentication and access lists

katk (IS-IT--Management), CA
Oct 1, 2002
We have a PIX 515E firewall configured to use RADIUS authentication.
We need to be able to exclude one website from being authenticated. Access to this website is only allowed from one trusted source address (see the access list below).

We use access group to allow access from outside to inside interface.
Then we use the same access group to enable RADIUS authentication.
Here is our PIX configuration (I have replaced real IP numbers with fake ones).

***Cisco Pix configuration****
access-list acl_outside permit tcp any host 10.0.0.5 eq www
access-list acl_outside permit tcp any host 10.0.0.6 eq www
access-list acl_outside permit tcp any host 10.0.0.7 eq www
access-list acl_outside permit tcp any host 10.0.0.8 eq www
access-list acl_outside permit tcp host 192.168.0.10 gt 1023 host 10.0.0.9 eq www

access-group acl_outside in interface outside

aaa-server RADIUS protocol radius

aaa authentication match acl_outside outside RADIUS
****End***********************

We need to be able to exclude this source address from being authenticated:
access-list acl_outside permit tcp host 10.10.10.10 gt 1023 host 10.0.0.9 eq www

We tried using two separate access groups, one for the outside interface and another for RADIUS authentication, but we could not make it work.
I found some examples of how to accomplish this with the exclude command, but we don't want to use the include command for RADIUS authentication. Can we use the exclude command
without the include command?

I appreciate any suggestions regarding this question.
 
Hi.

You need 2 different access-lists.
One list (acl_outside) will remain for access control and will match the access-group command,
while the other (aaalist) will be used only to define which traffic should be authenticated and will match the aaa command.

This or similar should do the trick:

access-list aaalist deny tcp host 192.168.0.10 host 10.0.0.9 eq www
access-list aaalist permit tcp any host 10.0.0.9 eq www

aaa authentication match aaalist outside RADIUS


Bye
Yizhar Hurwitz
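To check the two-list approach from the answer above before typing it into the firewall, here is an added example (written for this page, not code from the thread or from Cisco) that models PIX first-match access-list evaluation in Python. It parses the access-list syntax used in the thread, evaluates a flow against acl_outside (the access-group list) and aaalist (the aaa authentication match list), and reports whether the flow is permitted and whether it is also sent to RADIUS. It assumes the fake addresses from the thread, adds a permit for 10.0.0.5 to aaalist (the answer's "or similar"; without such entries the other web servers would no longer be authenticated), uses 203.0.113.5 as a made-up untrusted client, and treats authentication as relevant only for traffic the access-group already lets through. It also shows why the deny entry must come before the permit entry.

```python
"""First-match evaluation of PIX-style extended access lists (added example).
acl_outside decides whether a packet gets through (access-group); aaalist decides whether
it is also sent to RADIUS. Top-down, first match wins, implicit deny at the end."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NAMED_PORTS = {"www": 80}  # the only port keyword the thread uses
# Syntax subset used in the thread: tcp, 'any' or 'host A.B.C.D', optional eq/gt/lt port.
_ENTRY = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp|ip)\s+"
    r"(?P<src>any|host\s+\S+)(?:\s+(?P<sop>eq|gt|lt)\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>any|host\s+\S+)(?:\s+(?P<dop>eq|gt|lt)\s+(?P<dport>\S+))?\s*$")

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: str             # "any" or an IPv4 address
    sop: Optional[str]   # eq/gt/lt, None means any source port
    sport: Optional[int]
    dst: str
    dop: Optional[str]
    dport: Optional[int]

def _port(text: Optional[str]) -> Optional[int]:
    return None if text is None else (NAMED_PORTS[text] if text in NAMED_PORTS else int(text))

def _addr(text: str) -> str:
    return "any" if text == "any" else text.split()[1]

def parse_access_lists(config: str) -> Dict[str, List[Entry]]:
    """Group access-list lines by name, keeping their order (order is the policy)."""
    lists: Dict[str, List[Entry]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("access-list"):
            continue  # access-group, aaa-server etc. do not affect matching
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError("unsupported access-list syntax: " + line)
        lists.setdefault(m["name"], []).append(Entry(
            m["action"], m["proto"], _addr(m["src"]), m["sop"], _port(m["sport"]),
            _addr(m["dst"]), m["dop"], _port(m["dport"])))
    return lists

def _port_ok(op: Optional[str], want: Optional[int], actual: int) -> bool:
    if op is None:
        return True
    return {"eq": actual == want, "gt": actual > want, "lt": actual < want}[op]

def _matches(e: Entry, f: Flow) -> bool:
    return (e.proto in ("ip", f.proto)
            and e.src in ("any", f.src) and _port_ok(e.sop, e.sport, f.sport)
            and e.dst in ("any", f.dst) and _port_ok(e.dop, e.dport, f.dport))

def first_match(entries: List[Entry], flow: Flow) -> Optional[str]:
    """'permit' or 'deny' from the first matching entry; None if nothing matches."""
    for e in entries:
        if _matches(e, flow):
            return e.action
    return None

def evaluate(config: str, flow: Flow, group_acl: str = "acl_outside",
             aaa_acl: str = "aaalist") -> Tuple[bool, bool]:
    """(permitted, authenticated); assumes auth only matters for traffic the group list passes."""
    lists = parse_access_lists(config)
    permitted = first_match(lists.get(group_acl, []), flow) == "permit"
    authenticated = permitted and first_match(lists.get(aaa_acl, []), flow) == "permit"
    return permitted, authenticated

# Constructed config: the poster's acl_outside (10.0.0.6-8 omitted, same shape as 10.0.0.5),
# the answer's aaalist pair, plus an assumed permit so 10.0.0.5 keeps being authenticated.
CONFIG = """
access-list acl_outside permit tcp any host 10.0.0.5 eq www
access-list acl_outside permit tcp host 192.168.0.10 gt 1023 host 10.0.0.9 eq www
access-group acl_outside in interface outside
access-list aaalist deny tcp host 192.168.0.10 host 10.0.0.9 eq www
access-list aaalist permit tcp any host 10.0.0.9 eq www
access-list aaalist permit tcp any host 10.0.0.5 eq www
aaa authentication match aaalist outside RADIUS
"""
# Same lists with the aaalist deny after the permit: first match wins, so the trusted host is challenged.
CONFIG_WRONG_ORDER = CONFIG.replace(
    "access-list aaalist deny tcp host 192.168.0.10 host 10.0.0.9 eq www\n"
    "access-list aaalist permit tcp any host 10.0.0.9 eq www\n",
    "access-list aaalist permit tcp any host 10.0.0.9 eq www\n"
    "access-list aaalist deny tcp host 192.168.0.10 host 10.0.0.9 eq www\n")
TRUSTED = Flow("tcp", "192.168.0.10", 2000, "10.0.0.9", 80)
OTHER = Flow("tcp", "203.0.113.5", 2000, "10.0.0.9", 80)  # made-up untrusted client

if __name__ == "__main__":
    print(evaluate(CONFIG, TRUSTED), evaluate(CONFIG, OTHER), evaluate(CONFIG_WRONG_ORDER, TRUSTED))
```

With the answer's ordering, the trusted host reaches 10.0.0.9 without a RADIUS challenge, while any other client to 10.0.0.9 is dropped by acl_outside and clients of 10.0.0.5 are still authenticated; swap the two aaalist entries and the trusted host is challenged too, which is the symptom to look for if the exclusion does not seem to take effect.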
 