I am trying to configure my PIX 515 to authenticate via my W2K3 IAS server using radius.
On the IAS, I have configured the PIX as a client and have created an access policy with based on group membership. The profile of this policy has only the "unencrypted authentication" option selected and under the Advanced tab I have two parameters configured:
Cisco-AV-Pair, CISCO, shell
riv-lvl=1
Service-Type, RADIUS STANDARD, Login
This is my PIX config:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password GpCqPA0Ds/rdSxBT encrypted
passwd GpCqPA0Ds/rdSxBT encrypted
hostname pixfirewall
domain-name allegrone.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq www
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq domain
access-list inside permit udp 192.168.0.0 255.255.255.0 any eq domain
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq 443
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 135
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 1225
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 1226
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 1227
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 1228
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq ftp-data
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq ftp
access-list inside permit udp 192.168.0.0 255.255.255.0 host 12.165.125.114 eq 2
298
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 12.165.125.114 eq 2
298
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 12.161.125.114 eq 2
298
access-list inside permit udp 192.168.0.0 255.255.255.0 host 12.161.125.114 eq 2
298
access-list inside permit tcp host 192.168.0.110 host 64.78.61.30 eq smtp
access-list inside permit tcp host 192.168.0.10 host 64.78.61.30 eq smtp
access-list inside permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside permit tcp 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.
0
access-list inside permit udp 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.
0
access-list inside permit icmp 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255
.0
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.11 eq www
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.11 eq 443
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.11 eq 81
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list NONAT permit ip 192.168.0.0 255.255.254.0 host 10.0.0.11
access-list NONAT permit ip host 10.0.0.11 192.168.0.0 255.255.254.0
access-list NONAT permit ip 192.168.2.0 255.255.254.0 host 10.0.0.11
access-list NONAT permit ip host 10.0.0.11 192.168.2.0 255.255.254.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 host 10.0.0.100
access-list NONAT permit ip host 10.0.0.100 192.168.0.0 255.255.255.0
access-list NONAT permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list dmz permit icmp host 10.0.0.100 192.168.0.0 255.255.255.0
access-list dmz permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list dmz permit icmp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list dmz permit tcp host 10.0.0.11 any eq www
access-list dmz permit tcp host 10.0.0.11 any eq 443
access-list dmz permit tcp host 10.0.0.11 any eq domain
access-list dmz permit udp host 10.0.0.11 host 192.168.0.10 eq domain
access-list outside permit tcp any host 24.105.166.116 eq www
access-list outside permit icmp any host 24.105.166.116 echo-reply
access-list outside permit tcp any host 24.105.166.116 eq 3389
access-list outside permit tcp any host 24.105.166.116 eq 443
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 24.105.166.118 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 24.105.166.117
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list NONAT
nat (dmz) 1 192.168.0.0 255.255.0.0 0 0
static (dmz,outside) 24.105.166.116 10.0.0.11 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 24.105.166.113 1
route dmz 192.168.6.0 255.255.255.0 10.0.0.100 1
route dmz 192.168.8.0 255.255.255.0 10.0.0.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server default protocol radius
aaa-server default (inside) host 192.168.0.12 XXXXXXXX timeout 10
aaa authentication telnet console default
http 192.168.0.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:b0bbc99dc1a14f29302fcbb2eb2f782e
When I try to login via telnet w/ an account that is a member of the authorized group, it says loging incorrect.
This is the log output generated by IAS upon PIX login attempt (CSV format):
"ACCAPPS","IAS",07/23/2004,12:25:16,1,"jcculliton","allegrone.local/Accounts/Administrators/James C. Culliton",,,,,,"192.168.0.1",5,0,"192.168.0.1","CiscoPIX",,,,,,,1,,0,"311 1 192.168.0.12 07/23/2004 15:32:35 10",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,
"ACCAPPS","IAS",07/23/2004,12:25:16,3,,"allegrone.local/Accounts/Administrators/James C. Culliton",,,,,,,,0,"192.168.0.1","CiscoPIX",,,,,,,1,"CiscoAccessPolicy",65,"311 1 192.168.0.12 07/23/2004 15:32:35 10",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
Any ideas as to what I'm doing wrong? Thanks.
On the IAS, I have configured the PIX as a client and have created an access policy with based on group membership. The profile of this policy has only the "unencrypted authentication" option selected and under the Advanced tab I have two parameters configured:
Cisco-AV-Pair, CISCO, shell
riv-lvl=1Service-Type, RADIUS STANDARD, Login
This is my PIX config:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password GpCqPA0Ds/rdSxBT encrypted
passwd GpCqPA0Ds/rdSxBT encrypted
hostname pixfirewall
domain-name allegrone.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq www
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq domain
access-list inside permit udp 192.168.0.0 255.255.255.0 any eq domain
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq 443
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 135
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 1225
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 1226
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 1227
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 1228
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq ftp-data
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq ftp
access-list inside permit udp 192.168.0.0 255.255.255.0 host 12.165.125.114 eq 2
298
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 12.165.125.114 eq 2
298
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 12.161.125.114 eq 2
298
access-list inside permit udp 192.168.0.0 255.255.255.0 host 12.161.125.114 eq 2
298
access-list inside permit tcp host 192.168.0.110 host 64.78.61.30 eq smtp
access-list inside permit tcp host 192.168.0.10 host 64.78.61.30 eq smtp
access-list inside permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside permit tcp 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.
0
access-list inside permit udp 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.
0
access-list inside permit icmp 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255
.0
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.11 eq www
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.11 eq 443
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.11 eq 81
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list NONAT permit ip 192.168.0.0 255.255.254.0 host 10.0.0.11
access-list NONAT permit ip host 10.0.0.11 192.168.0.0 255.255.254.0
access-list NONAT permit ip 192.168.2.0 255.255.254.0 host 10.0.0.11
access-list NONAT permit ip host 10.0.0.11 192.168.2.0 255.255.254.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 host 10.0.0.100
access-list NONAT permit ip host 10.0.0.100 192.168.0.0 255.255.255.0
access-list NONAT permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list dmz permit icmp host 10.0.0.100 192.168.0.0 255.255.255.0
access-list dmz permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list dmz permit icmp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list dmz permit tcp host 10.0.0.11 any eq www
access-list dmz permit tcp host 10.0.0.11 any eq 443
access-list dmz permit tcp host 10.0.0.11 any eq domain
access-list dmz permit udp host 10.0.0.11 host 192.168.0.10 eq domain
access-list outside permit tcp any host 24.105.166.116 eq www
access-list outside permit icmp any host 24.105.166.116 echo-reply
access-list outside permit tcp any host 24.105.166.116 eq 3389
access-list outside permit tcp any host 24.105.166.116 eq 443
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 24.105.166.118 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 24.105.166.117
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list NONAT
nat (dmz) 1 192.168.0.0 255.255.0.0 0 0
static (dmz,outside) 24.105.166.116 10.0.0.11 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 24.105.166.113 1
route dmz 192.168.6.0 255.255.255.0 10.0.0.100 1
route dmz 192.168.8.0 255.255.255.0 10.0.0.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server default protocol radius
aaa-server default (inside) host 192.168.0.12 XXXXXXXX timeout 10
aaa authentication telnet console default
http 192.168.0.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:b0bbc99dc1a14f29302fcbb2eb2f782e
When I try to login via telnet w/ an account that is a member of the authorized group, it says loging incorrect.
This is the log output generated by IAS upon PIX login attempt (CSV format):
"ACCAPPS","IAS",07/23/2004,12:25:16,1,"jcculliton","allegrone.local/Accounts/Administrators/James C. Culliton",,,,,,"192.168.0.1",5,0,"192.168.0.1","CiscoPIX",,,,,,,1,,0,"311 1 192.168.0.12 07/23/2004 15:32:35 10",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,
"ACCAPPS","IAS",07/23/2004,12:25:16,3,,"allegrone.local/Accounts/Administrators/James C. Culliton",,,,,,,,0,"192.168.0.1","CiscoPIX",,,,,,,1,"CiscoAccessPolicy",65,"311 1 192.168.0.12 07/23/2004 15:32:35 10",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
Any ideas as to what I'm doing wrong? Thanks.