
Pix 515 and Authorization

Status
Not open for further replies.

notbroken

MIS
Dec 29, 2004
12
US
Inside my corporate network, I have a PIX 515 that sits in front of the x.x.23.0 controls network.

Certain engineers need access to the controls network from the outside of the pix (but still on our network).

Can I use our MS Radius server to do authorization? Any tips or documents to help me on my way?

Thanks,
Andy
 
I know you can use an MS Radius server for authentication, which I've set up in the past. I've never set up an MS Radius server for authorization, but I'm sure there's a way to get it done.

Are your engineers going to VPN through the PIX to get to resources on the inside?
 
Maybe I have my terminology incorrect (authorize vs authenticate).

No, the engineers will not be using the PIX to VPN.

The engineers have requested that they be able to sit at their desk or be wirelessly connected to our main network, then be able to connect to the inside (controls network) of the PIX.

Since they need to be wireless, I cannot give them a static IP and only allow those addresses in. They will always be logged into our main network, so I was hoping to use our Radius server to set who is allowed to the inside of the PIX.

Hopefully I am making sense.

Thanks,
Andy
 
I was able to find a solution. Use the LOCAL PIX aaa authentication.

relevant sections from config:

: in-acl is the inbound ACL on the outside interface (applied with access-group,
: not shown here). It has to let the engineers reach the virtual telnet address so
: they can authenticate; as posted it simply permits everything inbound.
access-list in-acl remark - ACL to allow all traffic in
access-list in-acl permit ip any any
: in-acl-aaa selects which traffic triggers authentication; as written, every flow
: arriving on the outside interface requires a login first. The PIX can only prompt
: for credentials on telnet/ftp/http, which is why virtual telnet is configured below.
access-list in-acl-aaa permit ip any any
~~~~~
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
: authenticate traffic matching in-acl-aaa on the outside interface against the local user database
aaa authentication match in-acl-aaa outside LOCAL
~~~~~
: address the engineers telnet to first; a successful login creates a uauth entry for their source IP
virtual telnet 147.116.12.243
~~~~~
username admin password Qrz7 encrypted privilege 2

Hope this helps someone else.

Andy
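The config above works, but it leaves two things a practitioner would tighten: both ACLs are permit ip any any, so once any host has authenticated (the PIX keys the uauth entry on source IP, so anything sharing that address or NAT gets the same access) it can reach everything on the controls network, and it uses the LOCAL database rather than the MS Radius server the original question asked about. The following is an added example, not from the thread, showing the same cut-through proxy on PIX 6.x pointed at an MS RADIUS (IAS) server with the inbound and authentication ACLs narrowed to the services the engineers actually need. All addresses, ACL names, the shared secret and the port list are assumptions for illustration; the static/nat translations that make the controls hosts reachable from the outside interface are assumed to exist already and are not shown. Which users may log in is decided on the IAS side by its remote access policy (for example, a Windows group condition), which is how the "who is allowed" requirement is met without TACACS+ authorization on the PIX.

```cisco
! Added example (not the poster's config). Addresses and names are assumptions:
!   controls network 10.10.23.0/24 behind the inside interface
!   RADIUS (IAS) server 10.1.1.5 on the inside, shared secret SharedSecret
!   virtual telnet address 192.0.2.243, reachable from the corporate (outside) side
!
! Inbound ACL on the outside interface: only the services the engineers need,
! plus the virtual telnet address so they can log in first.
access-list controls-in permit tcp any host 192.0.2.243 eq 23
access-list controls-in permit tcp any 10.10.23.0 255.255.255.0 eq 22
access-list controls-in permit tcp any 10.10.23.0 255.255.255.0 eq 3389
access-list controls-in deny ip any any
access-group controls-in in interface outside
!
! Traffic that must be authenticated before it is allowed through.
! It lists the same flows as controls-in so nothing slips past unauthenticated.
access-list controls-aaa permit tcp any 10.10.23.0 255.255.255.0 eq 22
access-list controls-aaa permit tcp any 10.10.23.0 255.255.255.0 eq 3389
!
! MS RADIUS (IAS) server instead of the LOCAL database.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 SharedSecret timeout 5
aaa authentication match controls-aaa outside RADIUS
!
! Engineers telnet here first; the PIX prompts for credentials and creates
! a uauth entry for their source IP on success.
virtual telnet 192.0.2.243
!
! Expire the uauth entry after 15 minutes regardless of activity, so a
! wireless address that changes hands does not inherit a login.
timeout uauth 0:15:00 absolute
```

Two caveats when testing this: virtual telnet sends the username and password in cleartext across the corporate network, so the RADIUS shared secret and the PIX-to-IAS leg should at least stay on a segment you trust, and the IAS remote access policy must be set to a PAP-compatible method, since the PIX cut-through proxy sends PAP for these logins. Verify with show uauth after a login to confirm the entry is keyed to the expected source address.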

 