308 Chapter 14: Configuration of AAA on the Cisco PIX Firewall
Table 14-1 Commands to Configure the Cisco PIX Firewall as a NAS (Continued)
Command |
Description |
|
|
aaa authorization match acl_name inbound | |
Matches the requirement for AAA |
outbound if_name group_tag |
authorization with a specific access control |
|
list. |
|
|
debug aaa authorization |
Displays the authorization communication |
|
between the NAS and the AAA server. |
|
|
aaa accounting include | exclude author_service |
Implements AAA accounting to include or |
inbound | outbound if_name local_ip local_mask |
exclude a specific service that is inbound or |
foreign_ip foreign_mask group_tag |
outbound in a specific interface for a specific |
|
source and destination address assigned to a |
|
specific AAA server group as assigned by the |
|
group tag. |
|
|
aaa accounting match acl_name inbound | |
Matches the requirement for AAA accounting |
outbound if_name group_tag |
with a specific access control list. |
|
|
show accounting |
Steps through individual recorded logs. |
|
|
debug aaa accounting |
Displays the accounting communication |
|
between the NAS and the AAA server. |
|
|
The commands listed in Table 14-2 let you display protocol-specific communication between the NAS (PIX Firewall) and the AAA server.
Table 14-2 Commands to Display Communication Between the Cisco PIX Firewall and the AAA Server
Command Description
debug tacacs Debugs TACACS communications between the PIX and the AAA server.
debug radius Debugs RADIUS communications between the PIX and the AAA server.
Q&A 309
Q&A
The questions in this section do not attempt to cover more breadth or depth than the exam; however, they are designed to make sure that you know the answer. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and then guess. Be sure to use the CD and take the simulated exams.
The answers to these questions can be found in Appendix A.
1What is the best way to authenticate an H.323 connection?
A Authenticate to the H.323 server.
BTelnet to the H.323 server.
CVirtual Telnet to the PIX for authentication.
DVirtual HTTP to the CSACS for authentication.
2What is the total number of AAA servers that the PIX can connect to?
3How do you disable caching of user authentication?
4What happens to virtual HTTP if you disable timeout uauth absolute?
5How can you tell you have configured your NAS to authenticate using RADIUS in the CSACS by looking at the Shared Profile Components tab?
6What are the two default password authentication databases configured on the CSACS?
7What PIX command establishes the authentication protocol to be used with the AAA server?
8Which options are mandatory in every aaa authentication command on the PIX Firewall? (Select all that apply.)
Ainclude/exclude
Binbound/outbound
Clocal_ip/mask
Dgroup_tag
Eacl_name
9True or false: You can restrict local access to the PIX Firewall using CSACS.
10How do you configure client IP address assignment on the CSACS when using the PIX Firewall as the AAA client?
This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-111):
26.Multimedia support
27.Attack guards
28.Intrusion detection