Velocity Reviews - Computer Hardware Reviews

PIX as authentication for wireless network?

imloggedin, 02-05-2005
We are a local ISP and right now are using a universal subscriber
gateway for authentication and, well, for pretty much everything. We
would like to get rid of it if we had a way to authenticate users. What
we need is a way to authenticate to a RADIUS server, and anyone who has
acceptable authentication can go on to the Internet, or anyone with a
specific MAC address can go to the Internet, but anyone who's not
authenticated or has a certain MAC address is sent to a web server at a
specific URL. Is this possible with the PIX? If not, any suggestions on
a unit would be great.

Walter Roberson, 02-06-2005
In article <(E-Mail Removed) .com>,
imloggedin <(E-Mail Removed)> wrote:
:we are a local ISP and right now are using a universal subscriber
:gateway for authentication and well for pretty much everything. we
:would like to get rid of it if we had a way to authenticate users. what
:we need is a way to authenticate to a radius server, and anyone who has
:acceptable authentication can go on to the internet, or anyone with a
:specific mac address can goto the internet, but anyone whos not
:authenticated or has a certain mac address is sent to a web server a
:specific url. is this possible with the pix? if not, any suggestions on
:a unit would be great.

PIX has the 'mac-list' command that is used with the 'aaa mac-exempt'
clause to exempt specific MACs from AAA authentication and AAA
authorization, but I'm not sure that you would be able to do anything
useful with it in your circumstances.

The mac-list command is documented as being relevant for VPN client
authentication in its overview; I do not see any particular reason
why it should not apply to "local" (non-VPN) clients, but that would
have to be tested.

The more immediate problem I see is that the PIX cannot terminate
anything other than Ethernet (well, Token Ring hasn't been -completely-
eliminated... yet), so you would need to connect some kind of
user endpoint to the PIX. Unless that endpoint equipment is effectively
bridging, the normal effect of routing operations is going to wipe
out the user MAC and replace it with the router MAC.


I do not see any way on the PIX to redirect to a particular URL before
authentication or on authentication failure. Before authentication,
traffic for the protocols HTTP, HTTPS, Telnet, and FTP will prompt for
authentication, and traffic for other protocols will be rejected
[I'm not sure if it does a RST, ICMP Administratively Prohibited, or
simply drops the packets]. If the user wishes to use other protocols
before using one of the above four, you can configure the 'virtual
telnet' command to provide a login mechanism.

One thing I would note is that it is logically not possible to
redirect someone to a URL if they are not using one of the
authenticatable protocols -- e.g., if the first thing they try to
do after having lost authentication is send out email, then their
SMTP client isn't going to be able to understand any response coming
back from any kind of authenticator as meaning that the system
should start up a web browser and open the specific URL.


I do not have any experience to say how well the PIX works as an
authenticator in real life; I suspect it does not have quite
the flexibility you would hope for.

Note: there are open source virtual "hotspot" programs available
that support RADIUS and HTTP URL redirect. These would have to be
run on a computer. Some of them might be usable in parallel with
the PIX [e.g., Websense works in parallel], but probably most
would expect to work in series.
--
Feep if you love VT-52's.
merv.hrabi@rogers.com, 02-06-2005

A typical network topology would be to have the wireless access point
outside your firewall. In order to use most of the authentication
protocols you would require a RADIUS server, which would be located
inside the firewall.

The firewall would need to be configured to pass the AP-to-RADIUS
authentication traffic to the RADIUS server. Potentially the RADIUS
server could also have application code to send a URL back to the
wireless device that is trying to access the wireless AP.
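
Pulling the two replies together as an added example (not posted by anyone in the thread): a PIX 6.3-style configuration using the `mac-list`, `aaa mac-exempt` and `virtual telnet` commands Walter describes for the wireless clients, plus the AP-to-RADIUS pass-through Merv describes. The interface name, addresses, the MAC, the shared secret, and placing the AP on its own PIX interface rather than the raw outside are all assumptions.

```cisco
! Added example, not from either poster. Assumed: wireless segment and AP on a
! third PIX interface named "wireless", RADIUS server 10.1.1.5 on the inside,
! AP at 192.168.10.2, clients in 192.168.10.0/24; MAC and secret are made up.
nameif ethernet2 wireless security50
ip address wireless 192.168.10.1 255.255.255.0

! RADIUS server the PIX itself talks to, reached via the inside interface.
aaa-server MYRAD protocol radius
aaa-server MYRAD (inside) host 10.1.1.5 S3cretKeyPlaceholder timeout 10
aaa-server radius-authport 1812

! Merv's topology: let the AP's own RADIUS traffic (e.g. 802.1X relay) cross
! the firewall to the server. The identity static keeps the server's address
! unchanged as seen from the wireless side.
static (inside,wireless) 10.1.1.5 10.1.1.5 netmask 255.255.255.255
access-list wireless_in permit udp host 192.168.10.2 host 10.1.1.5 eq 1812
access-list wireless_in permit udp host 192.168.10.2 host 10.1.1.5 eq 1813
access-list wireless_in permit ip 192.168.10.0 255.255.255.0 any
access-group wireless_in in interface wireless

! Cut-through proxy: connections from wireless clients must authenticate to
! MYRAD first. The deny line keeps the AP's RADIUS packets out of this rule.
! The PIX prompts only on HTTP, HTTPS, Telnet and FTP; other protocols are
! refused until the user has authenticated.
access-list AUTH_TRAFFIC deny ip host 192.168.10.2 any
access-list AUTH_TRAFFIC permit ip 192.168.10.0 255.255.255.0 any
aaa authentication match AUTH_TRAFFIC wireless MYRAD

! Walter's mac-list / aaa mac-exempt: this one (made-up) MAC skips AAA.
mac-list ALLOWED_MACS permit 0011.2233.4455 ffff.ffff.ffff
aaa mac-exempt match ALLOWED_MACS

! Walter's virtual telnet: clients telnet to this unused address (assumed;
! it must be routed to the PIX) to log in before using a protocol the PIX
! does not prompt on, such as SMTP.
virtual telnet 203.0.113.254

! Outbound NAT for authenticated wireless users.
nat (wireless) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface

! Nothing above redirects an unauthenticated user to a URL; as Walter notes,
! the PIX has no such feature.
```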
