CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] (text version)


Greg Bastien; Earl Carter; Christian Degu

  • Foundation Summary


    The "Foundation Summary" provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this summary provides a convenient way to review the day before the exam.

    The Cisco PIX Firewall and the Cisco Secure ACS combine to make an effective AAA solution. The aaa-server command configures the PIX Firewall to communicate with the AAA server. This command determines the authentication protocol used between the PIX Firewall and the AAA server, the IP address of the AAA server, and the group-tag or the name of the group the AAA server is in.

    The PIX Firewall can group up to 14 servers and handle up to 14 server groups. The Cisco Secure ACS is installed on either a Windows NT server or Windows 2000 server. It considers itself an AAA server and the PIX Firewall the AAA client. Command-line entries are put on the PIX Firewall to configure authentication, authorization, and accounting. User accounts, groups, logging, and downloadable PIX ACLs are all configured on the Cisco Secure ACS. Although you can assign authorization to individual users, it is recommended that you assign users to groups and assign authorization rules to the groups.

    There are three main steps for troubleshooting AAA issues:

      Table 17-2 outlines the commands and syntax necessary to configure the PIX Firewall as a NAS.

      Table 17-2. Commands to Configure the PIX Firewall as a NAS

      | Command | Description |
      |---|---|
      | aaa authentication include \| exclude authen-service if-name local-ip local-mask foreign-ip foreign-mask group-tag | Implements AAA authentication to include or exclude a specific service that is inbound or outbound in a specific interface for a specific source and destination address assigned to a specific AAA server group as assigned by the group tag. |
      | aaa authentication match acl-name if-name server-tag | Matches the requirement for AAA authentication with a specific ACL. |
      | show aaa | Displays your AAA configuration. |
      | debug aaa authentication | Displays the authentication communication between the NAS and the AAA server. |
      | aaa authorization include \| exclude author-service if-name local-ip local-mask foreign-ip foreign-mask server-tag | Implements AAA authorization to include or exclude a specific service that is inbound or outbound in a specific interface for a specific source and destination address assigned to a specific AAA server group as assigned by the group tag. |
      | aaa authorization match acl-name inbound \| outbound if-name group-tag | Matches the requirement for AAA authorization with a specific ACL. |
      | debug aaa authorization | Displays the authorization communication between the NAS and the AAA server. |
      | aaa accounting include \| exclude author-service if-name local-ip local-mask foreign-ip foreign-mask server-tag | Implements AAA accounting to include or exclude a specific service that is inbound or outbound in a specific interface for a specific source and destination address assigned to a specific AAA server group as assigned by the group tag. |
      | aaa accounting match acl-name if-name server-tag | Matches the requirement for AAA accounting with a specific ACL. |
      | show aaa accounting | Steps through individual recorded logs. |
      | debug aaa accounting | Displays the accounting communication between the NAS and the AAA server. |
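An added example (not from the book): a small audit script that checks a saved PIX configuration for AAA rules in the Table 17-2 forms that point at a server group that is undefined or has no servers, and for the 14-group and 14-server limits stated in this summary. The `aaa-server` line layout, the group names, the addresses and the key in the sample are assumptions, since the summary does not show them.

```python
from collections import defaultdict

MAX_GROUPS = 14    # server groups per firewall (limit stated in the summary)
MAX_SERVERS = 14   # servers per group (limit stated in the summary)
AAA_FUNCS = ("authentication", "authorization", "accounting")

# Constructed sample config: group names, addresses and the key are invented.
# The aaa-server line layout is assumed; the summary does not show it.
SAMPLE_CONFIG = """\
aaa-server ACS-TAC protocol tacacs+
aaa-server ACS-TAC (inside) host 10.0.0.10 ExampleKey timeout 10
aaa-server ACS-RAD protocol radius
access-list 150 permit tcp any any eq www
aaa authentication match 150 inside ACS-TAC
aaa authorization match 150 inside ACS-TAC
aaa authentication include ftp inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ACS-RAD
aaa accounting match 150 inside ACS-ACCT
"""

def audit_aaa(config):
    """Return (line, group-tag, problem) findings for a PIX config's AAA lines."""
    groups = set()             # group-tags declared with 'protocol'
    hosts = defaultdict(list)  # group-tag -> AAA server addresses
    rules = []                 # (line number, group-tag) per AAA rule
    for n, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if len(tok) >= 4 and tok[0] == "aaa-server" and tok[2] == "protocol":
            groups.add(tok[1])
        elif len(tok) >= 5 and tok[0] == "aaa-server" and tok[3] == "host":
            hosts[tok[1]].append(tok[4])
        elif (len(tok) >= 6 and tok[0] == "aaa" and tok[1] in AAA_FUNCS
              and tok[2] in ("include", "exclude", "match")):
            # In every Table 17-2 form the group/server tag is the last token.
            rules.append((n, tok[-1]))
    findings = []
    if len(groups) > MAX_GROUPS:
        findings.append((0, "*", "more than 14 server groups"))
    for tag in sorted(hosts):
        if len(hosts[tag]) > MAX_SERVERS:
            findings.append((0, tag, "more than 14 servers in group"))
    for n, tag in rules:
        if tag not in groups:
            findings.append((n, tag, "undefined server group"))
        elif tag not in hosts:
            findings.append((n, tag, "group has no servers"))
    return findings

if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```
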

      The commands listed in Table 17-3 let you display protocol-specific communication between the NAS (PIX Firewall) and the AAA server.

      Table 17-3. Commands to Display Communication Between the PIX Firewall and the AAA Server

      | Command | Description |
      |---|---|
      | debug tacacs | Debugs TACACS communications between the PIX Firewall and the AAA server. |
      | debug radius | Debugs RADIUS communications between the PIX Firewall and the AAA server. |

