1. 1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

2. 2 © 2005 Cisco Systems, Inc. All rights reserved. Network Security 1 Module 6 – Configure Trust and Identity at Layer 3

3. 3 © 2005 Cisco Systems, Inc. All rights reserved. Learning Objectives 6.1 Cisco IOS Firewall Authentication Proxy 6.2 Introduction to PIX Security Appliance AAA Features 6.3 Configure AAA on the PIX Security Appliance

4. 4 © 2005 Cisco Systems, Inc. All rights reserved. Module 6 – Configure Trust and Identity at Layer 3 6.1 Cisco IOS Firewall Authentication Proxy

5. 5 © 2005 Cisco Systems, Inc. All rights reserved. What Is the Authentication Proxy?

6. 6 © 2005 Cisco Systems, Inc. All rights reserved. Using the Authentication Proxy

7. 7 © 2005 Cisco Systems, Inc. All rights reserved. Supported AAA Servers

8. 8 © 2005 Cisco Systems, Inc. All rights reserved. Authentication Proxy Configuration

9. 9 © 2005 Cisco Systems, Inc. All rights reserved. Create auth-proxy Service in the Cisco Secure ACS Enter the new service: auth-proxy.

10. 10 © 2005 Cisco Systems, Inc. All rights reserved. Enable AAA

11. 11 © 2005 Cisco Systems, Inc. All rights reserved. Specify Authentication Protocols

12. 12 © 2005 Cisco Systems, Inc. All rights reserved. aaa authorization auth-proxy default method1 [method2] Specify Authorization Protocols Use the auth-proxy keyword to enable authorization proxy for AAA methods Methods: TACACS+, RADIUS, or both Router(config)# Router(config)# aaa authorization auth-proxy default group tacacs+

13. 13 © 2005 Cisco Systems, Inc. All rights reserved. tacacs-server host ip_addr Define a TACACS+ Server and Its Key Specifies the TACACS+ server IP address Specifies the TACACS+ server key Router(config)# Router(config)# tacacs-server host 10.0.0.3 Router(config)# tacacs-server key secretkey tacacs-server key string Router(config)#

14. 14 © 2005 Cisco Systems, Inc. All rights reserved. Define a RADIUS Server and Its Key Specifies the RADIUS server IP address Specifies the RADIUS server key Router(config)# radius-server host 10.0.0.3 Router(config)# radius-server key secretkey radius-server host ip_addr Router(config)# radius-server key string Router(config)#

15. 15 © 2005 Cisco Systems, Inc. All rights reserved. Allow AAA Traffic to the Router

16. 16 © 2005 Cisco Systems, Inc. All rights reserved. Enable the Router HTTP or HTTPS Server

17. 17 © 2005 Cisco Systems, Inc. All rights reserved. Set Global Timers

18. 18 © 2005 Cisco Systems, Inc. All rights reserved. Define and Apply Authentication Proxy Rules

19. 19 © 2005 Cisco Systems, Inc. All rights reserved. Authentication Proxy Rules with ACLs

20. 20 © 2005 Cisco Systems, Inc. All rights reserved. Test and verify authentication proxy

21. 21 © 2005 Cisco Systems, Inc. All rights reserved. Module 6 – Configure Trust and Identity at Layer 3 6.2 Introduction to PIX Security Appliance AAA Features

22. 22 © 2005 Cisco Systems, Inc. All rights reserved. Types of Authentication

23. 23 © 2005 Cisco Systems, Inc. All rights reserved. Types of Authorization

24. 24 © 2005 Cisco Systems, Inc. All rights reserved. Types of Accounting

25. 25 © 2005 Cisco Systems, Inc. All rights reserved. AAA Server Support

26. 26 © 2005 Cisco Systems, Inc. All rights reserved. Module 6 – Configure Trust and Identity at Layer 3 6.3 Configure AAA on the PIX Security Appliance

27. 27 © 2005 Cisco Systems, Inc. All rights reserved. Types of Access Authentication

28. 28 © 2005 Cisco Systems, Inc. All rights reserved. Authentication Configuration Steps

29. 29 © 2005 Cisco Systems, Inc. All rights reserved. Specify an AAA server group

30. 30 © 2005 Cisco Systems, Inc. All rights reserved. Designate an Authentication server

31. 31 © 2005 Cisco Systems, Inc. All rights reserved. Authentication of console access

32. 32 © 2005 Cisco Systems, Inc. All rights reserved. Add Users to the Local User Database

33. 33 © 2005 Cisco Systems, Inc. All rights reserved. Maximum failed attempts

34. 34 © 2005 Cisco Systems, Inc. All rights reserved. Authentication Prompts

35. 35 © 2005 Cisco Systems, Inc. All rights reserved. Authentication Timeouts

36. 36 © 2005 Cisco Systems, Inc. All rights reserved. Cut-Through Proxy

37. 37 © 2005 Cisco Systems, Inc. All rights reserved. Authentication of Non-Telnet, FTP, or HTTP Traffic

38. 38 © 2005 Cisco Systems, Inc. All rights reserved. Virtual Telnet

39. 39 © 2005 Cisco Systems, Inc. All rights reserved. Virtual HTTP

40. 40 © 2005 Cisco Systems, Inc. All rights reserved. Tunnel User Authentication

41. 41 © 2005 Cisco Systems, Inc. All rights reserved. User Authorization

42. 42 © 2005 Cisco Systems, Inc. All rights reserved. TACACS+ Authorization configuration

43. 43 © 2005 Cisco Systems, Inc. All rights reserved. Enable Authorization match

44. 44 © 2005 Cisco Systems, Inc. All rights reserved. Authorization of Non-Telnet, FTP, HTTP, or HTTPS Traffic

45. 45 © 2005 Cisco Systems, Inc. All rights reserved. Downloadable ACLs

46. 46 © 2005 Cisco Systems, Inc. All rights reserved. Using Downloadable ACLs

47. 47 © 2005 Cisco Systems, Inc. All rights reserved. Enable Accounting Match

48. 48 © 2005 Cisco Systems, Inc. All rights reserved. Enable Accounting Include, Exclude

49. 49 © 2005 Cisco Systems, Inc. All rights reserved. Admin Accounting

50. 50 © 2005 Cisco Systems, Inc. All rights reserved. Command Accounting

51. 51 © 2005 Cisco Systems, Inc. All rights reserved. Troubleshooting AAA Configuration – Show uauth

52. 52 © 2005 Cisco Systems, Inc. All rights reserved. show aaa-server

53. 53 © 2005 Cisco Systems, Inc. All rights reserved. Troubleshooting Downloaded ACLs

54. 54 © 2005, Cisco Systems, Inc. All rights reserved.