Configuring interactive user authentication is a three-step process. The three steps are as follows:
Step 1: Specify an AAA server group. The administrator defines a group name and the authentication protocol.
Step 2: Designate an authentication server. The administrator defines the location of the AAA server and a key.
Step 3: Enable user authentication. The administrator defines a rule to specify which security appliance access method to authenticate and which authentication server to reference.
Specify an AAA Server Group
Use the aaa-server command to specify AAA server groups. For PIX Security Appliance access authentication, the PIX supports TACACS+, RADIUS, and local database authentication. Separate groups of TACACS+ or RADIUS servers can be defined for different types of traffic, such as one TACACS+ server group for inbound traffic and another for outbound traffic. The aaa command references the server tag to direct authentication, authorization, or accounting traffic to the appropriate AAA server.
Up to 15 single-mode server groups can be configured, and each group can have up to 16 AAA servers, for a total of up to 240 TACACS+ or RADIUS servers. When a user logs in, the servers are accessed one at a time, starting with the first server in the server group configuration, until a server responds.
The default configuration provides the following two aaa-server entries:
- aaa-server TACACS+ protocol tacacs+
- aaa-server RADIUS protocol radius
NOTE: The Security Appliance listens for RADIUS on ports 1645 and 1646. If the RADIUS server uses ports 1812 and 1813, it will need to be configured to use ports 1645 and 1646.
Designate an Authentication Server
The next step is to define the AAA server and the AAA server attributes. In the example in Figure, there is an AAA server that belongs to the NY_ACS group. It is located out the inside interface and has an IP address of 10.0.0.2. The encryption key is secretkey, and the request timeout is 10 seconds.
The syntax for the aaa-server commands is shown in Figure.
Enable User Authentication
Use the aaa authentication console command to require authentication verification to access the console of the PIX Security Appliance.
Authenticated access to the PIX Security Appliance console involves different types of prompts, depending on the option used with the aaa authentication console command. The syntax for the aaa authentication console command is shown in Figure.
To configure administrative authentication to support fallback to the local user database if all servers in the specified server group or groups are disabled, use the aaa authentication command with the local option specified. This feature is disabled by default. In the example in Figure, notice that each access method authenticates using the NY_ACS server. In the event the NY_ACS server is no longer accessible, the PIX Security Appliance is configured to access the local database for console access authentication.
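The three steps above, as an added configuration example for the NY_ACS scenario described (this is not the original page's own configuration): it assumes PIX 7.x command syntax, that NY_ACS is a TACACS+ group (the page does not state its protocol), and a local account named admin with a placeholder password.

```cisco
! Step 1: define the server group NY_ACS. The page does not state the
! protocol for NY_ACS; TACACS+ is assumed here.
aaa-server NY_ACS protocol tacacs+
!
! Step 2: designate the server. It sits off the inside interface at
! 10.0.0.2, uses the shared key "secretkey", and times out after 10 s.
aaa-server NY_ACS (inside) host 10.0.0.2
 key secretkey
 timeout 10
!
! Local account consulted only if every server in NY_ACS is unreachable.
! The username and password are placeholders, not values from the page.
username admin password REPLACE_ME privilege 15
!
! Step 3: require authentication for each console access method,
! querying NY_ACS first and falling back to the local database (LOCAL).
aaa authentication serial console NY_ACS LOCAL
aaa authentication telnet console NY_ACS LOCAL
aaa authentication ssh console NY_ACS LOCAL
aaa authentication http console NY_ACS LOCAL
aaa authentication enable console NY_ACS LOCAL
```

The LOCAL fallback only works if at least one local username exists; otherwise losing reachability to NY_ACS also removes administrative access.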