
Slide 1: © 2005 Cisco Systems, Inc. All rights reserved. © 2004, Cisco Systems, Inc. All rights reserved.

Slide 2: Network Security 1, Module 6 – Configure Trust and Identity at Layer 3

Slide 3: Learning Objectives
6.1 Cisco IOS Firewall Authentication Proxy
6.2 Introduction to PIX Security Appliance AAA Features
6.3 Configure AAA on the PIX Security Appliance

Slide 4: Module 6 – Configure Trust and Identity at Layer 3
6.1 Cisco IOS Firewall Authentication Proxy

Slide 5: What Is the Authentication Proxy?
- HTTP, HTTPS, FTP, and Telnet authentication
- Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols
- Once authenticated, all types of application traffic can be authorized
- Works on any interface type for inbound or outbound traffic

Slide 6: Supported AAA Servers
TACACS+: Cisco Secure ACS UNIX, Cisco Secure ACS NT/2000, TACACS+ Freeware
RADIUS: Cisco Secure ACS UNIX, Cisco Secure ACS NT/2000, Lucent

Slide 7: Create auth-proxy Service in the Cisco Secure ACS
Enter the new service: auth-proxy.

Slide 8: Enable AAA
  Router(config)# aaa new-model
Enables the AAA functionality on the router (default = disabled).

Slide 9: Specify Authentication Protocols
  Router(config)# aaa authentication login default method1 [method2]
Defines the list of authentication methods that will be used. Methods: TACACS+, RADIUS, or both.
Example:
  Router(config)# aaa authentication login default group tacacs+

Slide 10: Specify Authorization Protocols
  Router(config)# aaa authorization auth-proxy default method1 [method2]
Use the auth-proxy keyword to enable authorization proxy for AAA methods. Methods: TACACS+, RADIUS, or both.
Example:
  Router(config)# aaa authorization auth-proxy default group tacacs+

Slide 11: Define a TACACS+ Server and Its Key
  Router(config)# tacacs-server host ip_addr
Specifies the TACACS+ server IP address.
  Router(config)# tacacs-server key string
Specifies the TACACS+ server key.
Example:
  Router(config)# tacacs-server host 10.0.0.3
  Router(config)# tacacs-server key secretkey

Slide 12: Define a RADIUS Server and Its Key
  Router(config)# radius-server host ip_addr
Specifies the RADIUS server IP address.
  Router(config)# radius-server key string
Specifies the RADIUS server key.
Example:
  Router(config)# radius-server host 10.0.0.3
  Router(config)# radius-server key secretkey

Slide 13: Allow AAA Traffic to the Router
Create an ACL to permit TACACS+ traffic from the AAA server to the firewall:
- Source address = AAA server
- Destination address = interface where the AAA server resides
- May want to permit ICMP
- Deny all other traffic
Apply the ACL to the interface on the side where the AAA server resides.
Example:
  Router(config)# access-list 111 permit tcp host 10.0.0.3 eq tacacs host 10.0.0.1
  Router(config)# access-list 111 permit icmp any any
  Router(config)# access-list 111 deny ip any any
  Router(config)# interface ethernet0/0
  Router(config-if)# ip access-group 111 in

Slide 14: Enable the Router HTTP or HTTPS Server
  Router(config)# ip http server
Enables the HTTP server on the router.
  Router(config)# ip http secure-server
Enables the HTTPS server on the router.
  Router(config)# ip http authentication aaa
Sets the HTTP server authentication method to AAA.
The proxy uses the HTTP server for communication with a client.
Example:
  Router(config)# ip http server
  Router(config)# ip http authentication aaa

Slide 15: Set Global Timers
  Router(config)# ip auth-proxy {inactivity-timer min | absolute-timer min}
- inactivity-timer: authentication inactivity timer in minutes (default = 60 minutes)
- absolute-timer: absolute timer in minutes (default = 0 minutes)
Example:
  Router(config)# ip auth-proxy inactivity-timer 120

Slide 16: Define and Apply Authentication Proxy Rules
  Router(config)# ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-time min] [absolute-timer min] [list {acl | acl-name}]
Creates an authorization proxy rule.
  Router(config-if)# ip auth-proxy auth-proxy-name
Applies an authorization proxy rule to an interface:
- For outbound authentication, apply to the inside interface
- For inbound authentication, apply to the outside interface
Example:
  Router(config)# ip auth-proxy name aprule http
  Router(config)# interface ethernet0
  Router(config-if)# ip auth-proxy aprule

Slide 17: Authentication Proxy Rules with ACLs
  Router(config)# ip auth-proxy name auth-proxy-name http list {acl-num | acl-name}
Creates an authorization proxy rule with an access list.
Example:
  Router(config)# ip auth-proxy name aprule http list 10
  Router(config)# access-list 10 permit 10.0.0.0 0.0.0.255
  Router(config)# interface ethernet0
  Router(config-if)# ip auth-proxy aprule
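To tie the configuration steps of slides 8 through 17 together, here is an added audit script (not part of the Cisco course material) that checks a running-config for the auth-proxy prerequisites the module lists, for an auth-proxy rule that is defined but never applied to an interface, and for a missing ACL entry permitting TACACS+ from the AAA server. The sample config, the check names and the regexes are constructed for this illustration.

```python
import re

# Constructed sample running-config that follows the module's steps except for one
# deliberate omission: no ACL permitting TACACS+ (TCP/49) from the AAA server.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.0.0.3
tacacs-server key secretkey
ip http server
ip http authentication aaa
ip auth-proxy inactivity-timer 120
ip auth-proxy name aprule http list 10
access-list 10 permit 10.0.0.0 0.0.0.255
interface ethernet0
 ip auth-proxy aprule
"""

# Global prerequisites from the module, each a regex matched against one config line.
GLOBAL_CHECKS = {
    "aaa new-model": r"^aaa new-model$",
    "login authentication method list": r"^aaa authentication login default group (tacacs\+|radius)",
    "auth-proxy authorization": r"^aaa authorization auth-proxy default group (tacacs\+|radius)",
    "AAA server defined": r"^(tacacs|radius)-server host \S+",
    "AAA server key": r"^(tacacs|radius)-server key \S+",
    "HTTP or HTTPS server enabled": r"^ip http (secure-)?server$",
    "HTTP authentication via AAA": r"^ip http authentication aaa$",
}

def present(lines, pattern):
    """True if any config line matches the regex."""
    return any(re.match(pattern, line) for line in lines)

def audit_auth_proxy(config):
    """Return human-readable findings; an empty list means every check passed."""
    lines = config.splitlines()
    findings = [name for name, pat in GLOBAL_CHECKS.items() if not present(lines, pat)]
    # A rule is defined globally (ip auth-proxy name ...) but only takes effect once it
    # is applied under an interface (ip auth-proxy <name>), so cross-check both sets.
    defined = {m.group(1) for line in lines if (m := re.match(r"^ip auth-proxy name (\S+) ", line))}
    applied = {line.split()[-1] for line in lines if re.match(r"^\s+ip auth-proxy \S+$", line)}
    findings += [f"auth-proxy rule '{r}' defined but not applied to an interface" for r in sorted(defined - applied)]
    findings += [f"interface applies undefined auth-proxy rule '{r}'" for r in sorted(applied - defined)]
    # The router must be able to reach each TACACS+ server through the interface ACL
    # (the module's example: permit tcp host <server> eq tacacs host <router>).
    for server in re.findall(r"^tacacs-server host (\S+)", config, re.MULTILINE):
        if not present(lines, rf"^access-list \d+ permit tcp host {re.escape(server)} eq tacacs "):
            findings.append(f"no ACL entry permitting TACACS+ from server {server}")
    return findings
```

Running audit_auth_proxy(SAMPLE_CONFIG) reports only the missing TACACS+ ACL entry; adding the slide 13 access-list line clears it.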

Slide 18: Module 6 – Configure Trust and Identity at Layer 3
6.2 Introduction to PIX Security Appliance AAA Features

Slide 19: Types of Authentication

Slide 20: Types of Authorization

Slide 21: Types of Accounting

Slide 22: AAA Server Support

Slide 23: Module 6 – Configure Trust and Identity at Layer 3
6.3 Configure AAA on the PIX Security Appliance

Slide 24: Types of Access Authentication

Slide 25: Authentication Configuration Steps

Slide 26: Add Users to the Local User Database

Slide 27: Cut-Through Proxy

Slide 28: Authentication of Non-Telnet, FTP, or HTTP Traffic

Slide 29: User Authorization

Slide 30: Downloadable ACLs

Slide 31: Enable Accounting Match

Slide 32: Admin Accounting

Slide 33: Command Accounting

