Foundation Summary
The Cisco PIX Firewall and the CSACS combine to make an effective AAA solution. The aaa-server command configures the PIX Firewall to communicate with the AAA server: it specifies the authentication protocol used between the PIX and the AAA server, the IP address of the AAA server, and the group_tag, which is the name of the group the AAA server belongs to. The PIX can group up to 14 servers and handle up to 14 server groups. The CSACS is installed on either a Windows NT server or a Windows 2000 server. It considers itself the AAA server and the PIX Firewall the AAA client. Authentication, authorization, and accounting are configured with command-line entries on the PIX Firewall; user accounts, groups, logging, and downloadable PIX ACLs are all configured on the CSACS. Although you can assign authorization to individual users, it is recommended that you assign users to groups and assign authorization rules to the groups.
There are three main steps for troubleshooting AAA issues:

• Verify connectivity between the PIX and the CSACS.
• Verify the configuration of the Cisco PIX Firewall.
• Verify the configuration of the CSACS.
Table 14-1 outlines the commands and syntax necessary to configure the Cisco PIX Firewall as a NAS.

Table 14-1 Commands to Configure the Cisco PIX Firewall as a NAS

| Command | Description |
|---|---|
| aaa authentication include \| exclude authen_service inbound \| outbound if_name local_ip local_mask foreign_ip foreign_mask group_tag | Implements AAA authentication to include or exclude a specific service that is inbound or outbound in a specific interface for a specific source and destination address assigned to a specific AAA server group as assigned by the group tag. |
| aaa authentication match acl_name inbound \| outbound if_name group_tag | Matches the requirement for AAA authentication with a specific access control list. |
| show aaa | Displays your AAA configuration. |
| debug aaa authentication | Displays the authentication communication between the NAS and the AAA server. |
| aaa authorization include \| exclude author_service inbound \| outbound if_name local_ip local_mask foreign_ip foreign_mask group_tag | Implements AAA authorization to include or exclude a specific service that is inbound or outbound in a specific interface for a specific source and destination address assigned to a specific AAA server group as assigned by the group tag. |
| aaa authorization match acl_name inbound \| outbound if_name group_tag | Matches the requirement for AAA authorization with a specific access control list. |
| debug aaa authorization | Displays the authorization communication between the NAS and the AAA server. |
| aaa accounting include \| exclude author_service inbound \| outbound if_name local_ip local_mask foreign_ip foreign_mask group_tag | Implements AAA accounting to include or exclude a specific service that is inbound or outbound in a specific interface for a specific source and destination address assigned to a specific AAA server group as assigned by the group tag. |
| aaa accounting match acl_name inbound \| outbound if_name group_tag | Matches the requirement for AAA accounting with a specific access control list. |
| show accounting | Steps through individual recorded logs. |
| debug aaa accounting | Displays the accounting communication between the NAS and the AAA server. |
The commands listed in Table 14-2 let you display protocol-specific communication between the NAS (PIX Firewall) and the AAA server.
Table 14-2 Commands to Display Communication Between the Cisco PIX Firewall and the AAA Server

| Command | Description |
|---|---|
| debug tacacs | Debugs TACACS communications between the PIX and the AAA server. |
| debug radius | Debugs RADIUS communications between the PIX and the AAA server. |
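The following configuration is added here as an illustration and is not the book's own example; it ties the aaa-server command from the summary to the aaa authentication, authorization, and accounting commands of Table 14-1 and to the three troubleshooting steps, using the PIX 6.x-style syntax shown on this page. The group tag TACACS+, the server address 10.1.1.10, the shared key, and the timeouts are constructed values, lines beginning with "!" are comments, and because the inbound/outbound keyword versus interface-name form of the aaa commands differs between PIX OS releases, the exact argument order should be checked against the command reference for the version in use.

```text
! Constructed example: define an AAA server group whose group_tag is
! TACACS+, choose the protocol the PIX uses to talk to the CSACS, and
! name the CSACS host, the shared key, and the per-request timeout.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.10 Sh4redK3y timeout 10

! Authentication: any service on inbound connections, from any source
! (0 0) to any destination (0 0), must authenticate via the TACACS+ group.
aaa authentication include any inbound 0 0 0 0 TACACS+

! Authorization: same scope, so the authorization rules (or downloadable
! ACLs) attached to the user's CSACS group decide what the user may reach.
aaa authorization include any inbound 0 0 0 0 TACACS+

! Accounting: the same sessions are recorded on the CSACS.
aaa accounting include any inbound 0 0 0 0 TACACS+

! Keep an authenticated user cached for 5 minutes measured from login
! (absolute); a uauth timeout of 0 disables caching entirely.
timeout uauth 0:05:00 absolute

! Troubleshooting, in the order the summary gives:
! 1. connectivity between the PIX and the CSACS
ping inside 10.1.1.10
! 2. the PIX configuration
show aaa
show aaa-server
! 3. the exchange with the CSACS (then check the CSACS configuration itself)
debug aaa authentication
debug tacacs
```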
Q&A
The questions in this section do not attempt to cover more breadth or depth than the exam; however, they are designed to make sure that you know the answer. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and then guess. Be sure to use the CD and take the simulated exams.
The answers to these questions can be found in Appendix A.
1. What is the best way to authenticate an H.323 connection?
   A. Authenticate to the H.323 server.
   B. Telnet to the H.323 server.
   C. Virtual Telnet to the PIX for authentication.
   D. Virtual HTTP to the CSACS for authentication.
2. What is the total number of AAA servers that the PIX can connect to?
3. How do you disable caching of user authentication?
4. What happens to virtual HTTP if you disable timeout uauth absolute?
5. How can you tell you have configured your NAS to authenticate using RADIUS in the CSACS by looking at the Shared Profile Components tab?
6. What are the two default password authentication databases configured on the CSACS?
7. What PIX command establishes the authentication protocol to be used with the AAA server?
8. Which options are mandatory in every aaa authentication command on the PIX Firewall? (Select all that apply.)
   A. include/exclude
   B. inbound/outbound
   C. local_ip/mask
   D. group_tag
   E. acl_name
9. True or false: You can restrict local access to the PIX Firewall using CSACS.
10. How do you configure client IP address assignment on the CSACS when using the PIX Firewall as the AAA client?
11. By default, what is the maximum number of sessions allowed for a user who is configured on the CSACS?
12. Why is it a good idea to rename your groups in CSACS?
13. Where do you see the logs on the CSACS?
14. You are installing CSACS on your new Windows 2000 Professional, but you cannot get it to load correctly. What is most likely the problem?
   A. CSACS requires server software.
   B. Your patch level is not up to date.
   C. You are running a personal firewall or host-based IDS that is blocking the installation.
   D. You do not have administrative privileges on that system.
   E. All of the above
15. True or false: The CSACS comes with its own online documentation.
This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-111):
26. Multimedia support
27. Attack guards
28. Intrusion detection