Configure AAA on the PIX Security Appliance
Troubleshooting the AAA configuration

Use the show uauth command to display one or all currently authenticated users, the host IP to which they are bound, and any cached IP and port authorization information. In the example in Figure , aaauser with an IP address of 192.168.2.10 is authenticated.

To display AAA server statistics for all configured server groups, or for a particular group, use the show aaa-server command. In the example in Figure , the top portion of the show aaa-server output displays the server statistics, and the bottom portion displays the server messaging statistics. In this example, the server group is NY_ACS. It uses the TACACS+ protocol, has an IP address of 10.0.1.10, uses server port 49 for messaging, and is active. There are two requests, two challenges, and two accept messages.

The administrator can also view the aaa-server messaging statistics. In the example in Figure , there was an authentication request, a challenge, and an accept message. There were no rejects or retransmissions.
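The same counters can be checked automatically. The following is an added example, not part of the original course text: a Python script that parses a sample approximating the show aaa-server output for the NY_ACS group above and flags conditions an administrator would want to notice (server not active, retransmissions or timeouts, bad authenticators, a high reject ratio). The sample text is constructed here, not captured from a device.

```python
import re

# Constructed sample approximating "show aaa-server" output for the
# NY_ACS group (TACACS+, 10.0.1.10, port 49); not captured from a device.
SAMPLE_SHOW_AAA_SERVER = """\
Server Group:    NY_ACS
Server Protocol: tacacs+
Server Address:  10.0.1.10
Server port:     49
Server status:   ACTIVE
Number of authentication requests       2
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       2
Number of rejects                       0
Number of challenges                    2
Number of bad authenticators            0
Number of timeouts                      0
"""

def parse_aaa_server(text):
    """Return server fields as strings and 'Number of ...' counters as ints."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(Server \w+):\s+(.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"^Number of (.+?)\s+(\d+)$", line)
        if m:
            info[m.group(1).strip()] = int(m.group(2))
    return info

def health_findings(info):
    """Flag counter patterns that indicate a broken or abused AAA path."""
    findings = []
    status = info.get("Server status", "")
    if not status.startswith("ACTIVE"):
        findings.append("server not ACTIVE: %s" % status)
    if info.get("retransmissions", 0) or info.get("timeouts", 0):
        findings.append("retransmissions/timeouts: ACS may be unreachable")
    if info.get("bad authenticators", 0):
        findings.append("bad authenticators: check the shared key")
    sent = info.get("authentication requests", 0)
    if sent and info.get("rejects", 0) * 2 > sent:
        findings.append("more than half of authentication requests rejected")
    return findings
```

An empty findings list corresponds to the healthy state described above: requests, challenges and accepts match, with no rejects or retransmissions.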

Troubleshooting Downloaded ACLs
Once a user is authenticated, the administrator can view the downloaded ACL using the show access-list command. In the example in Figure , the user at 192.168.1.10 attempts to gain access to the web server at 192.168.2.10. After the end user enters a username and password, the PIX Security Appliance forwards the credentials to the ACS server. If the end user is authenticated, the ACS server downloads a pre-configured ACL, #ACSACL#-IP-RADIUSAUTH-3ddb8ab6, to the PIX. The ACL name combines the name of the ACL as defined in the ACS Shared Profile Components (SPC), #ACSACL#-IP-RADIUSAUTH, with the unique version identifier, 3ddb8ab6. In this example, the end user is authorized to access 192.168.2.10 using HTTP.

The show uauth command can be used to view the authenticated end user, their IP address, and the matching downloaded ACL.


Lab Activity

Lab Exercise: Configure AAA on the PIX Security Appliance Using Cisco Secure ACS for Windows 2000

In this lab, students will configure and test inbound and outbound authentication, console access and Virtual Telnet authentication, as well as authorization and accounting. Students will also learn to change and test authentication timeouts and prompts.