How to Authenticate against Active Directory from a Cisco PIX

A few months ago I posted an article with steps to configure Windows IAS and Cisco IOS for authentication to Active Directory via RADIUS. I wanted to follow up on that with a quick overview of how to set up a PIX for management access authentication via Windows IAS and Active Directory. All of the steps for configuring IAS are identical, so I'm not going to cover them again. Remember that if you have a failover pair, you need to add the standby partner to IAS as a RADIUS client as well: the unit that is currently standby sources its own requests from the standby interface address, so IAS needs an entry (and a matching shared secret) for that address too. This example was built on a PIX 7.1 box; it will work on 7.x and should be fine on FWSM 2.x or newer. I don't have anything running 6.x around to test, but the configuration should be similar.

The sample configs here assume a pair of RADIUS servers at 10.1.1.10 and 10.1.1.11. On IOS there is an ip radius source-interface command. The PIX has no equivalent; it seems to just use the IP of whatever interface the traffic leaves from (you can name the interface the server sits behind in parentheses on the aaa-server host line), and that address is what you register as the RADIUS client in IAS. If your PIX has a failover partner, learns its routes dynamically, and the RADIUS server network(s) are not directly connected, add static routes to those networks so that the standby unit, which is not learning routes while it is standby, can still reach the RADIUS servers. Give the static routes a high administrative distance so they won't be installed in the routing table over a dynamically learned route on the active unit.

The first step is to set up the AAA server group:

    aaa-server Management protocol radius
        reactivation-mode timed

I specified reactivation-mode timed, which tells the PIX to put a RADIUS server it has marked as failed back into the pool after thirty seconds. The other option, depletion, leaves a failed server out until every server in the group has failed and the deadtime expires, at which point all of them are retried. The next step is to set up the RADIUS servers. The key is the RADIUS shared secret and must match what you entered for this client in IAS; the short sample value here is just to keep the example readable, so use a long random string in production, because the secret is the only thing protecting the password in each request:

    aaa-server Management host 10.1.1.10
        key Ci$ko

    aaa-server Management host 10.1.1.11
        key Ci$ko

Finally, set up the authentication method for the management interfaces:

    aaa authentication ssh console Management LOCAL
    aaa authentication serial console Management LOCAL
    aaa authentication telnet console Management LOCAL

What I've specified here is to use the Management aaa-server group, followed by the local user database, for connections over SSH, serial, and telnet. A couple of caveats: the LOCAL fallback only kicks in when every server in the group is unreachable, not when IAS rejects the credentials, so make sure a local username exists before you enter these commands, and keep your current session open while you test. On 7.x you can exercise the group directly with test aaa-server authentication Management host 10.1.1.10 username <user> password <password>, and then confirm with a fresh login from a second session. These lines cover login only; authentication for enable is configured separately with aaa authentication enable console. Also, telnet sends the domain password in the clear, so prefer SSH and leave telnet off where you can.

The final config comes out to look something like this:

    aaa-server Management protocol radius
        reactivation-mode timed

    aaa-server Management host 10.1.1.10
        key Ci$ko

    aaa-server Management host 10.1.1.11
        key Ci$ko

    aaa authentication ssh console Management LOCAL
    aaa authentication serial console Management LOCAL
    aaa authentication telnet console Management LOCAL
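To make the shared secret's role concrete, here is an added example, written for this write-up and not part of the original post or any Cisco or Microsoft code. It builds the RADIUS PAP Access-Request a NAS such as the PIX sends for a login and the Access-Accept the server returns, following RFC 2865; the PIX's actual attribute set was not captured, so the attributes, the NAS address 10.1.1.1, the user jdoe and the password are all constructed. It uses the post's key Ci$ko (destined for the server at 10.1.1.10) to show what that key does on the wire: it masks User-Password in the request, and it is the only input to the Response Authenticator the PIX checks before trusting an Accept. The last two functions show the failure mode of a short secret: one captured request/response pair is enough to test guesses offline, and once the secret is found the password in the request falls out.

```python
"""RADIUS (RFC 2865) PAP exchange between a NAS such as a PIX and a RADIUS server.
Added example for this post, not Cisco or Microsoft code. The key is the post's;
the NAS address, user and password are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4

SHARED_SECRET = b"Ci$ko"         # the post's sample key; deliberately short
NAS_IP = bytes([10, 1, 1, 1])    # assumed PIX interface address (constructed)

def _attr(attr_type, value):
    """One type-length-value attribute; length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def pap_encrypt(password, secret, request_auth):
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def pap_decrypt(ciphertext, secret, request_auth):
    """Inverse of pap_encrypt; the mask for block n depends on ciphertext block n-1.
    Trailing NULs are treated as padding."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, mask)), block
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, ident=42, request_auth=None):
    """NAS side: Code, Identifier, Length, random 16-byte Request Authenticator,
    then attributes. Nothing but the secret hides the password."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, pap_encrypt(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, NAS_IP))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs

def build_response(code, request, secret, attrs=b""):
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(request, response, secret):
    """The check a NAS must make before acting on an Accept: Identifier matches the
    outstanding request and the Response Authenticator verifies under the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def recover_secret(request, response, candidates):
    """Offline dictionary attack: a captured request/response pair lets an observer
    test secret guesses with no further traffic, using the same check as the NAS."""
    for guess in candidates:
        if verify_response(request, response, guess):
            return guess
    return None

def extract_password(request, secret):
    """With the secret known, walk the attributes and decrypt User-Password."""
    pos = 20
    while pos + 2 <= len(request):
        attr_type, length = request[pos], request[pos + 1]
        if length < 2:
            break  # malformed; stop rather than loop forever
        if attr_type == ATTR_USER_PASSWORD:
            return pap_decrypt(request[pos + 2:pos + length], secret, request[4:20])
        pos += length
    return None

if __name__ == "__main__":
    req = build_access_request(b"jdoe", b"Summer2006!", SHARED_SECRET)
    resp = build_response(ACCESS_ACCEPT, req, SHARED_SECRET)
    print("Accept verifies under the real secret:", verify_response(req, resp, SHARED_SECRET))
    found = recover_secret(req, resp, [b"cisco", b"Cisco123", b"Ci$ko"])  # constructed wordlist
    print("secret recovered from one captured pair:", found)
    print("password in the request:", extract_password(req, found))
```

The point of the last two functions is not that MD5 is broken here but that the shared secret is a password: the Response Authenticator is the only integrity check on a RADIUS reply, and it is a plain hash over public packet fields plus the secret, so a short or dictionary secret like the sample above can be guessed from a single sniffed exchange on the management network, after which every password the PIX forwards is readable. A long random secret per RADIUS client is the fix, and keeping RADIUS traffic on an isolated management segment is the compensating control.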

Posted Friday, October 27 2006 5:24 PM by Brian Desmond | 8 Comments

Comments, Trackbacks, & Pingbacks

#3 re: How to Authenticate against Active Directory from a Cisco PIX

Monday, October 12 2009 6:36 AM by Business Directory

That's great, I never thought about Active Directory like that before.

#4 re: How to Authenticate against Active Directory from a Cisco PIX

Friday, June 18 2010 7:20 AM by Italian translation

Great easy to follow steps and clear to understand.

#5 re: How to Authenticate against Active Directory from a Cisco PIX

November 28, 2006 4:35 PM by Pierres Service » Blog Archive » how to authenticate against active directory from a cisco pix

#6 re: How to Authenticate against Active Directory from a Cisco PIX

September 10, 2007 6:16 PM by Wirelapse - Network and Wireless Technology News » Blog Archive » Bryan McLellan: active directory authentication

#7 re: How to Authenticate against Active Directory from a Cisco PIX

March 16, 2008 3:26 PM by http://briandesmond.com/blog/archive/2006/10/27/How-to-Authenticate-against-Active-Directory-from-a-Cisco-PIX.aspx

#8 re: How to Authenticate against Active Directory from a Cisco PIX

June 3, 2008 4:31 PM by cisco pix active directory