PIX + aaa authentication

Discussion in 'Cisco' started by mcaissie, Nov 5, 2004.

  1. mcaissie

    mcaissie Guest

    Hi,

    My needs are:
    give access to users on a web site based on their Windows account.

    I have it working in my test environment with

    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host [IAS ip] [key] timeout 5
    aaa authentication include http inside [client ip] 255.255.255.255 [web site ip] 255.255.255.255 partnerauth

    and it works like a charm. The browser pops up a login window and they can
    log in using their Windows account.

    Unfortunately, it doesn't work when I put the same in the Prod environment.

    In the test, I have a PIX 515, 6.3(3), with the client and radius on the
    inside and the web site on the outside.

    In the Prod environment, I have a PIX 520 with 6 interfaces, and the client
    + radius are on a less secure interface (corpo) than the web site (dmz).

    Using the same commands with the interface name doesn't work.

    aaa-server partnerauth protocol radius
    aaa-server partnerauth (corpo) host [IAS ip] [key] timeout 5
    aaa authentication include http corpo [client ip] 255.255.255.255 [web site ip] 255.255.255.255 partnerauth

    I just access the web site without the login pop-up. (Browser cache has
    been deleted.)

    If I put a packet capture on the corpo interface, for traffic between the
    PIX and IAS, I get nothing.
    The aaa authentication command simply doesn't trigger anything. I double
    checked the addresses specified by the include statement; everything is ok.

    Is it possible that the aaa authentication command only works on the
    inside interface?
    Any hints?

    thanks
    mcaissie, Nov 5, 2004
    #1

  2. mcaissie

    mcaissie Guest

    I got my answer

    > Is it possible that the aaa authentication command only works on the
    > inside interface ?


    Effectively, that's the case.

    "Use the if_name, local_ip, and foreign_ip variables to define where access
    is sought and from whom. The address for local_ip is always on the highest
    security level interface and foreign_ip is always on the lowest."
    mcaissie, Nov 5, 2004
    #2
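The rule quoted in the answer above is easy to get backwards when the clients are not on the inside interface, as in the production setup described in the thread. The following Python helper is an added example, not code from the thread or from Cisco: it builds an `aaa authentication include` line with local_ip/foreign_ip ordered by interface security level, and audits an existing line for the mismatch that makes the statement never match. It assumes the hypothetical security levels in SECURITY_LEVELS (the thread gives no numbers), uses constructed addresses in place of the thread's [client ip]/[web site ip] placeholders, and takes if_name to be the interface the clients arrive on, as in both commands in the thread.

```python
import re
from dataclasses import dataclass

# Constructed security levels for the interfaces named in the thread (hypothetical
# values; the thread gives no numbers). Higher = more trusted, as on a PIX.
SECURITY_LEVELS = {"inside": 100, "dmz": 60, "corpo": 50, "outside": 0}
HOST_MASK = "255.255.255.255"


@dataclass(frozen=True)
class Endpoint:
    ip: str
    interface: str


def order_local_foreign(a, b, levels=SECURITY_LEVELS):
    """Apply the documented rule: local_ip is the endpoint on the higher-security
    interface, foreign_ip the one on the lower. Returns (local, foreign)."""
    la, lb = levels[a.interface], levels[b.interface]
    if la == lb:
        raise ValueError("both endpoints sit on equally secure interfaces; "
                         "the local/foreign rule cannot order them")
    return (a, b) if la > lb else (b, a)


def build_aaa_include(service, client, server, server_tag, levels=SECURITY_LEVELS):
    """Emit an 'aaa authentication include' line. if_name is taken to be the
    interface the clients arrive on (assumption); local/foreign order follows
    the security-level rule regardless of which side initiates."""
    local, foreign = order_local_foreign(client, server, levels)
    return (f"aaa authentication include {service} {client.interface} "
            f"{local.ip} {HOST_MASK} {foreign.ip} {HOST_MASK} {server_tag}")


# service if_name local_ip local_mask foreign_ip foreign_mask server_tag
AAA_INCLUDE_RE = re.compile(
    r"^aaa authentication include (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def audit_aaa_include(line, ip_to_interface, levels=SECURITY_LEVELS):
    """Check an existing line against the rule. Returns a list of findings;
    an empty list means the local/foreign placement is consistent."""
    m = AAA_INCLUDE_RE.match(line.strip())
    if not m:
        return ["line does not parse as an 'aaa authentication include' statement"]
    _service, _if_name, local_ip, _lmask, foreign_ip, _fmask, _tag = m.groups()
    missing = [ip for ip in (local_ip, foreign_ip) if ip not in ip_to_interface]
    if missing:
        return [f"cannot place {ip} on an interface" for ip in missing]
    local_if, foreign_if = ip_to_interface[local_ip], ip_to_interface[foreign_ip]
    if levels[local_if] <= levels[foreign_if]:
        return [f"local_ip {local_ip} is on '{local_if}' (security {levels[local_if]}) but "
                f"foreign_ip {foreign_ip} is on '{foreign_if}' (security {levels[foreign_if]}); "
                "local_ip must be on the higher-security interface, so this statement never matches"]
    return []


if __name__ == "__main__":
    # Constructed addresses standing in for the thread's [client ip] / [web site ip].
    client_test = Endpoint("10.1.1.10", "inside")
    web_test = Endpoint("203.0.113.5", "outside")
    client_prod = Endpoint("10.2.2.10", "corpo")
    web_prod = Endpoint("192.168.5.5", "dmz")

    # Test environment: clients on inside, so client address lands in local_ip.
    print(build_aaa_include("http", client_test, web_test, "partnerauth"))

    # Production line in the same client-first order as typed in the thread.
    prod_as_typed = (f"aaa authentication include http corpo {client_prod.ip} {HOST_MASK} "
                     f"{web_prod.ip} {HOST_MASK} partnerauth")
    for finding in audit_aaa_include(prod_as_typed,
                                     {client_prod.ip: "corpo", web_prod.ip: "dmz"}):
        print("finding:", finding)

    # Same production endpoints with local/foreign ordered by security level.
    print(build_aaa_include("http", client_prod, web_prod, "partnerauth"))
```

The audit only needs a map of address to interface plus the security levels, so it can be run over a whole config dump before a change window; any finding it reports is a statement that silently never triggers authentication, which is exactly the symptom (no RADIUS traffic, no login prompt) described in the first post.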