Configure AAA on the PIX Security Appliance
Interactive user authentication

Configuring interactive user authentication is a three-step process. The three steps are as follows:

Step 1 Specify an AAA server group. The administrator defines a group name and the authentication protocol.
Step 2 Designate an authentication server. The administrator defines the location of the AAA server and a key.
Step 3 Enable user authentication. The administrator defines a rule to specify which security appliance access method to authenticate and which authentication server to reference.

Specify an AAA Server Group
Use the aaa-server command to specify AAA server groups. For PIX Security Appliance access authentication, the PIX supports TACACS+, RADIUS, and local database authentication. Separate groups of TACACS+ or RADIUS servers can be defined for different types of traffic, such as a TACACS+ server for inbound traffic and another for outbound traffic. The aaa command references the server tag to direct authentication, authorization, or accounting traffic to the appropriate AAA server.

Up to 15 single-mode server groups can be configured, and each group can have up to 16 AAA servers, for a total of up to 240 TACACS+ or RADIUS servers. When a user logs in, the servers are accessed one at a time starting with the first server in the server group configuration, until a server responds.

The default configuration provides the following two aaa-server entries:

  • aaa-server TACACS+ protocol tacacs+
  • aaa-server RADIUS protocol radius
NOTE:

The security appliance listens for RADIUS on ports 1645 and 1646. If the RADIUS server uses ports 1812 and 1813, it will need to be configured to use ports 1645 and 1646.

Designate an Authentication Server
The next step is to define the AAA server and the AAA server attributes. In the example in Figure , there is an AAA server that belongs to the NY_ACS group. It is located out the inside interface and has an IP address of 10.0.0.2. The encryption key is secretkey, and the request timeout is 10 seconds.

The syntax of the aaa-server commands is shown in Figure .

Enable User Authentication
Use the aaa authentication console command to require authentication verification to access the console of the PIX Security Appliance.

Authenticated access to the PIX Security Appliance console involves different types of prompts, depending on the option used with the aaa authentication console command. The syntax of the aaa authentication console command is shown in Figure .

To configure administrative authentication to support fallback to the local user database if all servers in the specified server group or groups are disabled, use the aaa authentication command with the local option specified. This feature is disabled by default. In the example in Figure , notice that each access method authenticates using the NY_ACS server. In the event the NY_ACS server is no longer accessible, the PIX Security Appliance is configured to access the local database for console access authentication.
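The three steps above, carried through as one PIX CLI configuration. This is an added example, not the configuration from the course figures; it uses the values the text gives (group NY_ACS, TACACS+, host 10.0.0.2 on the inside interface, key secretkey, 10-second timeout) and assumes a local fallback account whose name and password are placeholders.

```cisco
! Step 1: define the AAA server group NY_ACS and its authentication protocol
aaa-server NY_ACS protocol tacacs+

! Step 2: designate the server behind the inside interface, its shared key
! and the request timeout (10 seconds)
aaa-server NY_ACS (inside) host 10.0.0.2 secretkey timeout 10

! Local account used only when no server in NY_ACS responds
! (placeholder name and password; choose your own)
username admin password PLACEHOLDER_PASSWORD privilege 15

! Step 3: authenticate each console access method against NY_ACS,
! falling back to the local database if the whole group is unreachable
aaa authentication serial console NY_ACS LOCAL
aaa authentication telnet console NY_ACS LOCAL
aaa authentication ssh console NY_ACS LOCAL
aaa authentication http console NY_ACS LOCAL
aaa authentication enable console NY_ACS LOCAL

! Verify the group and the state of its server before relying on it
show aaa-server NY_ACS
```

Without the LOCAL keyword on each aaa authentication line, an outage of every NY_ACS server locks administrators out of the console instead of falling back to the local database.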