Velocity Reviews - Computer Hardware Reviews

PIX + aaa authentication

 
 
mcaissie
11-05-2004
Hi,

My needs are:
give access to users on a web site based on their Windows account.

I have it working in my test environment with

aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host [IAS ip] [key] timeout 5
aaa authentication include http inside [client ip] 255.255.255.255 [web site ip] 255.255.255.255 partnerauth

and it works like a charm. The browser pops up a login window and they can
log in using their Windows account.

Unfortunately, it doesn't work when I put the same in the Prod environment.

In the test, I have a PIX 515, 6.3(3), with the client and RADIUS on the
inside and the web site on the outside.

In the Prod environment, I have a PIX 520, 6 interfaces, and the client
+ RADIUS are on a less secure interface (corpo) than the web site (dmz).

Using the same commands with the interface name doesn't work.

aaa-server partnerauth protocol radius
aaa-server partnerauth (corpo) host [IAS ip] [key] timeout 5
aaa authentication include http corpo [client ip] 255.255.255.255 [web site ip] 255.255.255.255 partnerauth

I just access the web site without the login pop-up. (Browser cache has
been deleted.)

If I put a packet capture on the corpo interface, for traffic between the
PIX and IAS, I get nothing.
The aaa authentication command simply doesn't trigger anything. I
double-checked the addresses specified by the include statement;
everything is OK.

Is it possible that the aaa authentication command only works on the
inside interface?
Any hints?

Thanks



 
 
 
 
 
mcaissie
11-05-2004
> Is it possible that the aaa authentication command only works on the
> inside interface?


Effectively, that's the case.

"Use the if_name, local_ip, and foreign_ip variables to define where access
is sought and from whom. The address for local_ip is always on the highest
security level interface and foreign_ip is always on the lowest. "
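
The rule quoted above, turned into a configuration check. This is an added example, not part of the original thread or of Cisco's documentation. It assumes PIX 6.x style `nameif` and `ip address` lines; the security levels and all addresses in the sample are constructed.

```python
import ipaddress

# Constructed sample in PIX 6.x style; levels and addresses are made up.
SAMPLE_CONFIG = """\
nameif ethernet2 dmz security50
nameif ethernet3 corpo security20
ip address dmz 192.168.50.1 255.255.255.0
ip address corpo 192.168.20.1 255.255.255.0
aaa authentication include http corpo 192.168.20.10 255.255.255.255 192.168.50.80 255.255.255.255 partnerauth
aaa authentication include http corpo 192.168.50.80 255.255.255.255 192.168.20.10 255.255.255.255 partnerauth
"""

def check_aaa_includes(config):
    """Return [(line, verdict)]; verdict is 'ok', 'mismatch' or 'unknown'."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    levels, nets = {}, {}
    for w in lines:
        if w[0] == "nameif" and len(w) == 4:  # nameif <hw> <if_name> security<N>
            levels[w[2]] = int(w[3].replace("security", ""))
        elif w[:2] == ["ip", "address"] and len(w) == 5:  # ip address <if_name> <ip> <mask>
            nets[w[2]] = ipaddress.ip_network(f"{w[3]}/{w[4]}", strict=False)

    def level_of(ip):
        addr = ipaddress.ip_address(ip)
        for name, net in nets.items():
            if addr in net:
                return levels.get(name)
        return None  # not on a directly connected subnet

    results = []
    for w in lines:
        # aaa authentication include <svc> <if_name> <local_ip> <mask> <foreign_ip> <mask> <tag>
        if w[:3] != ["aaa", "authentication", "include"] or len(w) != 10:
            continue
        local, foreign = level_of(w[5]), level_of(w[7])
        if local is None or foreign is None:
            verdict = "unknown"
        else:
            # Quoted rule: local_ip on the higher security level, foreign_ip on the lower.
            verdict = "ok" if local > foreign else "mismatch"
        results.append((" ".join(w), verdict))
    return results

if __name__ == "__main__":
    for line, verdict in check_aaa_includes(SAMPLE_CONFIG):
        print(f"{verdict:8} {line}")
```

The first sample line has the same shape as the Prod command in the first post (client address as local_ip while the client sits on the less secure interface) and is reported as `mismatch`; the second swaps the two address pairs and satisfies the quoted rule.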


 