HTTPS RADIUS Authentication with PIX requires CA? Trying to avoid Certificate warnings

Discussion in 'Cisco' started by Shawn Westerhoff, Oct 14, 2003.

  1. We have PIX 6.3x and want to use RADIUS to protect IIS Servers from
    attack.
    We do not want the untrusted certificate warning the PIX is
    generating.

    We want our users to connect to https://server.domain.com and get a
    RADIUS prompt that we authenticate via Windows AD server (IAS). This
    works fine for HTTP. When we use it for HTTPS: we are warned about an
    untrusted certificate (the PIX). This is because the prompt window is
    trying to use SSL and the PIX does not have a trusted certificate from
    a CA like Verisign.

    The web site we are trying to reach has an HTTPS certificate and if we
    do not use RADIUS, all is fine.

    My questions:

    1. Can we install a certificate on the PIX? All we see are references
    to INTERNAL CA servers. We would need the CA server to be one of the
    trusted root servers. Would this avoid our message?

    2. Can we allow the PIX to use HTTP for the username/password exchange
    and then send the users to the HTTPS site on 443?

    The goal is to protect IIS with RADIUS and avoid the troubling warning
    on the PIX RADIUS window.

    Additional facts:

    -ONLY port 443 is open on the IIS server.
    -IIS 5
    -PIX 515 version 6.3
    -RADIUS is with Windows IAS (Win 2k AD)

    Thanks in advance,

    Shawn

    Shawn Westerhoff, Oct 14, 2003
    #1

  2. I am still looking for an answer on this. I can even have the RADIUS
    authentication happen over HTTP as long as that can open 443 up on my
    IIS machine. Anyone use the PIX as a RADIUS to an HTTPS: site? I can
    not be the first!

    Shawn Westerhoff, Oct 20, 2003
    #2

  3. If you want to authenticate IIS users via Radius, please check out
    RadIIS which is made by TCP Data: www.tcpdata.com

    RadIIS will authenticate users either with or without SSL. Using
    HTTPS, with a properly installed cert AND using RadIIS to
    authenticate from Radius gives a strong, overall secure method to
    enforce IIS server security.

    Ed Eckenstein
    TCP Data



    Edward Eckenstein, Oct 28, 2003
    #3
  4. HELP! HTTPS RADIUS Authentication with PIX requires CA? Trying to avoid Certificate warnings

    Still looking for resolution on this.

    Anyone from Cisco???

    HELP!


    Shawn Westerhoff, Oct 28, 2003
    #4
  5. Thanks Ed, but I need the authentication to be on the PIX. I can not
    have this service on another box.

    Appreciate the post, looking for PIX specific solution. Thanks.

    -Shawn

    Shawn Westerhoff, Oct 29, 2003
    #5
  6. Re: HELP! HTTPS RADIUS Authentication with PIX requires CA? Trying to avoid Certificate warnings

    I think you are running into CSCdw95531. The bug is related to MS CA
    server. The workaround is to use Netscape browser instead.

    Kevin Su, Oct 29, 2003
    #6
  7. Re: HELP! HTTPS RADIUS Authentication with PIX requires CA? Trying to avoid Certificate warnings

    In article <>,
    Kevin Su <> wrote:
    :I think you are running into CSCdw95531. The bug is related to MS CA
    :server. The workaround is to use Netscape browser instead.

    The Software Bug Toolkit says that CSCdw95531 cannot be displayed ?
    --
    "WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
    WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)
    Walter Roberson, Oct 29, 2003
    #7