PIX 515 with AAA Authentication of VPN Users

Post by Mike Bulloc » Sat, 25 Aug 2001 13:59:03

Hello,
        I have been working with implementing a PIX 515 in a failover
configuration using IOS 6.0.1. What I am trying to attempt is to have
users create a VPN tunnel (either PPTP or IPsec using Cisco Client
3.0), have AAA authenticate them, apply an access list to them to
control their access, and finally assign them an IP address based on
their username. I have gotten everything working except the static IP
assignment using the following config:

Cisco ACS Server 2.6 running on Win2k Server, TACACS+ configured
IPsec client, using IPsec vpngroup command
I apply ACLs to the groups through ACS and it works.

I am wondering if the PIX has the capability to assign IP Addresses
based on username. I know a VPN Concentrator would do it, but this is
for such a small pool of users it would be a waste of money (and rack
space!!!). If anyone could assist me, it would be greatly appreciated.

- Mike Bullock


PIX 515 with AAA Authentication of VPN Users

Post by Tim Smit » Sun, 26 Aug 2001 10:07:14


Hey Mike,

Post your config for us, I have exactly the same setup (minus the failover).

Cheers,
Tim


> Hello,
> I have been working with implementing a PIX 515 in a failover
> configuration using IOS 6.0.1. What I am trying to attempt is to have
> users create a VPN tunnel (either PPTP or IPsec using Cisco Client
> 3.0), have AAA authenticate them, apply an access list to them to
> control their access, and finally assign them an IP address based on
> their username. I have gotten everything working except the static IP
> assignment using the following config:

> Cisco ACS Server 2.6 running on Win2k Server, TACACS+ configured
> IPsec client, using IPsec vpngroup command
> I apply ACLs to the groups through ACS and it works.

> I am wondering if the PIX has the capability to assign IP Addresses
> based on username. I know a VPN Concentrator would do it, but this is
> for such a small pool of users it would be a waste of money (and rack
> space!!!). If anyone could assist me, it would be greatly appreciated.

> - Mike Bullock


PIX 515 with AAA Authentication of VPN Users

Post by Mike Bulloc » Sun, 26 Aug 2001 14:20:04


You asked for it, you got it! I edited it to protect our company's
identity.

I appreciate any help! This setup works for Cisco Client 3.0+ and PPTP
clients to authenticate. Cisco Clients get the ACL APIDev_acl applied
to them (yeah, I know it is ip any any... that is just for testing!).

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 field security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password abcde encrypted
passwd fghijk encrypted
hostname
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit icmp any any echo-reply
...More acl_out for static maps...
access-list acl_out permit icmp any any time-exceeded
access-list acl_inside_NoNat permit ip host 192.168.0.49 10.1.0.0 255.255.255.0
access-list APIDev_acl permit ip any any
access-list acl_APIDev_SplitTunnel permit ip host 192.168.0.49 10.1.0.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging host inside 192.168.0.90
interface ethernet0 10baset
interface ethernet1 100basetx
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu field 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside <Outside Addr>
ip address inside 192.168.0.5 255.255.255.0
ip address field 10.1.1.1 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 1.1.1.5 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
ip local pool APIDev_Pool 10.1.0.1-10.1.0.254
failover Stuff....
pdm history enable
arp timeout 14400
global (outside) 1 <outside PAT>
nat (inside) 0 access-list acl_inside_NoNat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
...Static Mappings...
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 <Def Gate>
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthACS1 protocol tacacs+
aaa-server AuthACS1 (inside) host 192.168.0.198 password timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set APIDev_set esp-des esp-sha-hmac
crypto dynamic-map APIDev_dynmap 10 set transform-set APIDev_set
crypto map APIDev_map 10 ipsec-isakmp dynamic APIDev_dynmap
crypto map APIDev_map client configuration address initiate
crypto map APIDev_map client configuration address respond
crypto map APIDev_map client authentication AuthACS1
crypto map APIDev_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup APIDev address-pool APIDev_pool
vpngroup APIDev split-tunnel acl_APIDev_SplitTunnel
vpngroup APIDev idle-time 86400
vpngroup APIDev password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
vpdn group APIDev_pptp accept dialin pptp
vpdn group APIDev_pptp ppp authentication mschap
vpdn group APIDev_pptp client configuration address local APIDev_Pool
vpdn group APIDev_pptp client authentication aaa AuthACS1
vpdn group APIDev_pptp pptp echo 60
vpdn enable outside
terminal width 80

On Sat, 25 Aug 2001 09:07:14 +0800, "Tim Smith"


>Hey Mike,

>Post your config for us, I have exactly the same setup (minus the failover).

>Cheers,
>Tim



>> Hello,
>> I have been working with implementing a PIX 515 in a failover
>> configuration using IOS 6.0.1. What I am trying to attempt is to have
>> users create a VPN tunnel (either PPTP or IPsec using Cisco Client
>> 3.0), have AAA authenticate them, apply an access list to them to
>> control their access, and finally assign them an IP address based on
>> their username. I have gotten everything working except the static IP
>> assignment using the following config:

>> Cisco ACS Server 2.6 running on Win2k Server, TACACS+ configured
>> IPsec client, using IPsec vpngroup command
>> I apply ACLs to the groups through ACS and it works.

>> I am wondering if the PIX has the capability to assign IP Addresses
>> based on username. I know a VPN Concentrator would do it, but this is
>> for such a small pool of users it would be a waste of money (and rack
>> space!!!). If anyone could assist me, it would be greatly appreciated.

>> - Mike Bullock

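The configuration above is the kind of thing worth checking mechanically before it goes live: it carries a default SNMP community, DES for both IKE and ESP, a "permit ip any any" ACL pushed to VPN clients, and a vpngroup that references the pool as APIDev_pool while it is defined as APIDev_Pool. The following Python script is an added example, not code from the thread or from Cisco. It walks a PIX 6.x-style running-config and reports those classes of issue. SAMPLE_CONFIG is a constructed, abridged excerpt modelled on the posted config, and the function names (parse_config, audit_pix_config) and severity labels are this example's own.

```python
"""Audit a PIX 6.x-style running-config for common weaknesses.

Added example (not from the original thread or from Cisco). It tokenises the
config line by line and reports: default SNMP communities, weak IKE/IPsec
ciphers, ACLs that permit ip any any, cleartext telnet management, and
address pools referenced under a name that is never defined.
"""

# Constructed sample: an abridged excerpt modelled on the posted config.
SAMPLE_CONFIG = """\
PIX Version 6.0(1)
access-list APIDev_acl permit ip any any
access-list acl_APIDev_SplitTunnel permit ip host 192.168.0.49 10.1.0.0 255.255.255.0
ip local pool APIDev_Pool 10.1.0.1-10.1.0.254
snmp-server community public
crypto ipsec transform-set APIDev_set esp-des esp-sha-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
vpngroup APIDev address-pool APIDev_pool
vpngroup APIDev split-tunnel acl_APIDev_SplitTunnel
vpdn group APIDev_pptp client configuration address local APIDev_Pool
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
"""

WEAK_TRANSFORMS = {"esp-des", "esp-null"}      # single DES / no encryption
WEAK_IKE_ENCRYPTION = {"des"}
DEFAULT_COMMUNITIES = {"public", "private"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_config(text):
    """Return each non-empty, non-comment config line as a list of tokens."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue
        lines.append(line.split())
    return lines


def audit_pix_config(text):
    """Return (severity, message) findings, highest severity first."""
    findings = []
    pools = set()          # names defined with 'ip local pool'
    pool_refs = []         # (referenced name, referencing line)
    any_any_acls = set()

    for toks in parse_config(text):
        head = " ".join(toks[:2])
        if head == "ip local" and len(toks) > 3 and toks[2] == "pool":
            pools.add(toks[3])
        elif toks[0] == "vpngroup" and len(toks) > 3 and toks[2] == "address-pool":
            pool_refs.append((toks[3], " ".join(toks)))
        elif toks[0] == "vpdn" and "address" in toks and "local" in toks:
            # 'vpdn group X client configuration address local <pool>'
            pool_refs.append((toks[-1], " ".join(toks)))
        elif toks[0] == "access-list" and toks[2:] == ["permit", "ip", "any", "any"]:
            any_any_acls.add(toks[1])
        elif head == "snmp-server community" and len(toks) > 2 and toks[2] in DEFAULT_COMMUNITIES:
            findings.append(("high", f"default SNMP community '{toks[2]}' configured"))
        elif head == "crypto ipsec" and len(toks) > 4 and toks[2] == "transform-set":
            weak = WEAK_TRANSFORMS.intersection(toks[4:])
            if weak:
                findings.append(("medium", f"transform-set {toks[3]} uses weak {', '.join(sorted(weak))}"))
        elif head == "isakmp policy" and len(toks) > 4 and toks[3] == "encryption" and toks[4] in WEAK_IKE_ENCRYPTION:
            findings.append(("medium", f"isakmp policy {toks[2]} uses {toks[4]} encryption"))
        elif toks[0] == "telnet" and len(toks) > 1 and toks[1] != "timeout":
            findings.append(("low", f"cleartext telnet management permitted on interface '{toks[-1]}'"))

    for acl in sorted(any_any_acls):
        findings.append(("medium", f"access-list {acl} permits ip any any"))

    # A pool referenced under a name that is never defined: report it and point
    # at the closest defined name so a case mismatch is easy to spot.
    lower_pools = {p.lower(): p for p in pools}
    for name, src in pool_refs:
        if name in pools:
            continue
        msg = f"address pool '{name}' referenced in '{src}' is not defined"
        hint = lower_pools.get(name.lower())
        if hint:
            msg += f" (closest defined pool is '{hint}'; check the case)"
        findings.append(("high", msg))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, message in audit_pix_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against a saved `write terminal` dump instead of SAMPLE_CONFIG to audit a real box; the checks are string matches on PIX 6.x syntax, so extend the token rules rather than the regular-expression route if you need to cover the ASA-style object names that later releases introduced.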


Pix 515 and user authentication - controlling outbound rights

We have a network of Win2K PCs and servers on a Windows 2000 Active
Directory. I am replacing our current firewall with a Pix515 (V6.1, PDM) and
would like to be able to control some of the general internet access
depending on user login name (and control some by machine name or IP)

Outbound access would not be limited to http, ftp and telnet: I need to be
able to grant or restrict access to numerous services depending on the user.

Ideally, I would like a system which ties into Active Directory and dynamic
DHCP/DNS so that the entire process is transparent to the user.
Unfortunately I am a bit of a novice with IOS and AAA so I am looking for
advice along the lines of

a)    is it possible?
b)    if not, what is?
c)     how?

TIA

- Rob
