How to Authenticate against Active Directory from a Cisco PIX

A few months ago I posted an article with steps to configure Windows IAS and Cisco IOS for authentication to Active Directory via RADIUS. I wanted to follow up on that with a quick overview of how to set up a PIX for management access authentication via Windows IAS and Active Directory. All of the steps for configuring IAS are identical, so I’m not going to cover that again. Remember that if you have a failover pair, you need to add the standby partner to IAS as well. This example was built on a PIX 7.1 box; it will work on 7.X, and it should be fine on FWSM 2.X or newer. I don’t have anything running 6.X around to test, but the configuration should be similar.

The sample configs here assume a pair of RADIUS servers at 10.1.1.10 and 10.1.1.11. On IOS there is an ip radius source-interface command; the PIX seems to just use the IP of whatever interface the traffic leaves from. If your PIX has a failover partner, learns its routes dynamically, and the RADIUS server network(s) are not directly connected, add static routes to those networks to your configuration so that the failover partner can still reach the RADIUS servers while it is not active. Assign a high administrative distance to those static routes so they won’t be installed in the routing table over a dynamically learned route.

The first step is to set up the aaa-server group:

    aaa-server Management protocol radius
        reactivation-mode timed

I specified reactivation-mode timed, which tells the PIX to add a RADIUS server it thinks has failed back into the pool after thirty seconds. The other option is to wait until all other available servers have failed before retrying it. The next step is to set up the RADIUS servers:

    aaa-server Management host 10.1.1.10
        key Ci$ko

    aaa-server Management host 10.1.1.11
        key Ci$ko

Finally, set up the authentication method for the management interfaces:

    aaa authentication ssh console Management LOCAL
    aaa authentication serial console Management LOCAL
    aaa authentication telnet console Management LOCAL

What I’ve specified here is to use the Management aaa-server group, followed by the local user database, for connections over ssh, serial, and telnet.

The final config comes out to look something like this:

    aaa-server Management protocol radius
        reactivation-mode timed

    aaa-server Management host 10.1.1.10
        key Ci$ko

    aaa-server Management host 10.1.1.11
        key Ci$ko

    aaa authentication ssh console Management LOCAL
    aaa authentication serial console Management LOCAL
    aaa authentication telnet console Management LOCAL
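As an added check that is not part of the original post, here is a small Python audit that parses the aaa lines of a PIX configuration (the post's final config is embedded as the sample input) and reports if a management path is missing the LOCAL fallback, a RADIUS host has no key, or a server group has fewer than the pair set up above. It assumes the sub-command layout shown in the post, with key nested under its aaa-server host line.

```python
import re

# Constructed sample: the final configuration from the post, used as audit input.
PIX_CONFIG = """\
aaa-server Management protocol radius
    reactivation-mode timed
aaa-server Management host 10.1.1.10
    key Ci$ko
aaa-server Management host 10.1.1.11
    key Ci$ko
aaa authentication ssh console Management LOCAL
aaa authentication serial console Management LOCAL
aaa authentication telnet console Management LOCAL
"""

MGMT_METHODS = ("ssh", "serial", "telnet")  # the access paths the post protects

def parse_aaa(config):
    """Pull aaa-server groups, their hosts and console authentication out of a PIX config."""
    groups, hosts, auth, current = set(), [], {}, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"aaa-server (\S+) protocol \S+$", line):
            groups.add(m[1])  # reactivation-mode under the group is not audited here
        elif m := re.match(r"aaa-server (\S+) host (\S+)$", line):
            current = {"group": m[1], "host": m[2], "key": None}
            hosts.append(current)
        elif m := re.match(r"aaa authentication (\S+) console (\S+)(?: (\S+))?$", line):
            auth[m[1]] = (m[2], m[3])  # (server group, fallback database or None)
        elif current is not None and line.startswith("key "):
            current["key"] = line.split(maxsplit=1)[1]  # sub-command of the last host line
    return groups, hosts, auth

def audit_mgmt_auth(config):
    """Return findings; an empty list means the config matches what the post sets up."""
    groups, hosts, auth = parse_aaa(config)
    findings = [f"host {h['host']}: no shared key" for h in hosts if not h["key"]]
    for name in groups:
        if sum(h["group"] == name for h in hosts) < 2:
            findings.append(f"group {name}: fewer than two RADIUS servers")
    for method in MGMT_METHODS:
        entry = auth.get(method)
        if entry is None:
            findings.append(f"{method}: no aaa authentication configured")
        elif entry[0] not in groups:
            findings.append(f"{method}: server group {entry[0]} is not defined")
        elif entry[1] != "LOCAL":
            findings.append(f"{method}: no LOCAL fallback, a RADIUS outage locks you out")
    return findings
```

Running audit_mgmt_auth against the output of show running-config is a quick way to confirm the standby unit of a failover pair carries the same aaa lines before you rely on it.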
