PIX as authentication for wireless network?

Discussion in 'Cisco' started by imloggedin, Feb 5, 2005.

  1. imloggedin

    imloggedin Guest

    We are a local ISP and right now are using a universal subscriber
    gateway for authentication and, well, for pretty much everything. We
    would like to get rid of it if we had a way to authenticate users. What
    we need is a way to authenticate to a RADIUS server, and anyone who has
    acceptable authentication can go on to the internet, or anyone with a
    specific MAC address can go to the internet, but anyone who's not
    authenticated or has a certain MAC address is sent to a web server at a
    specific URL. Is this possible with the PIX? If not, any suggestions on
    a unit would be great.
    imloggedin, Feb 5, 2005
    #1

  2. In article <>,
    imloggedin <> wrote:
    :we are a local ISP and right now are using a universal subscriber
    :gateway for authentication and well for pretty much everything. we
    :would like to get rid of it if we had a way to authenticate users. what
    :we need is a way to authenticate to a radius server, and anyone who has
    :acceptable authentication can go on to the internet, or anyone with a
    :specific mac address can goto the internet, but anyone whos not
    :authenticated or has a certain mac address is sent to a web server a
    :specific url. is this possible with the pix? if not, any suggestions on
    :a unit would be great.

    PIX has the 'mac-list' command that is used with the 'aaa mac-exempt'
    clause to exempt specific MACs from AAA authentication and AAA
    authorization, but I'm not sure that you would be able to do anything
    useful with it in your circumstances.

    The mac-list command is documented as being relevant for VPN client
    authentication in its overview; I do not see any particular reason
    why it should not apply to "local" (non-VPN) clients, but that would
    have to be tested.

    The more immediate problem I see is that the PIX cannot terminate
    anything other than Ethernet (well, token ring hasn't been -completely-
    eliminated... yet), so you would need to connect some kind of
    user endpoint to the PIX. Unless that endpoint equipment is effectively
    bridging, the normal effects of routing operations are going to wipe
    out the user MAC and replace it with the router MAC.


    I do not see any way on the PIX to redirect to a particular URL before
    authentication or with authentication failure. Before authentication,
    traffic for the protocols http, https, telnet, and ftp will prompt for
    authentication, and other traffic for other protocols will be rejected
    [I'm not sure if it does a RST, ICMP Administratively Prohibited, or
    simply drops the packets]. If the user wishes to use other protocols
    before using one of the above four, you can configure the 'virtual
    telnet' command to provide a login mechanism.

    One thing I would note is that it is logically not possible to
    redirect someone to a URL if they are not using one of the
    authenticatable protocols -- e.g., if the first thing they try to
    do after having lost authentication is send out email, then their
    SMTP client isn't going to be able to understand any response coming
    back from any kind of authenticator as meaning that the system
    should start up a web browser and open the specific URL.


    I do not have any experience to say how well the PIX works as an
    authenticator in real life; I suspect it does not have quite
    the flexibility you would hope for.

    Note: there are open source virtual "hotspot" programs available
    that support RADIUS and HTTP URL redirect. These would have to be
    run on a computer. Some of them might be usable in parallel with
    the PIX [e.g., Websense works in parallel], but probably most
    would expect to work in series.
    --
    Feep if you love VT-52's.
    Walter Roberson, Feb 6, 2005
    #2
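    As an added illustration (not from the post above, and not text from
    Cisco's own documentation), the PIX 6.3-era configuration, written from
    memory of the command reference, that does the part Walter says the PIX
    can do: exempt one adapter from AAA, push everyone else to RADIUS, and
    give non-HTTP users a virtual telnet login hook. The interface name,
    addresses, shared secret and MAC are placeholders. What it does not do,
    as the post explains, is redirect anyone to a URL; an unauthenticated
    HTTP user just gets the PIX's own login prompt.

```cisco
! Exempt one known adapter (constructed MAC) from AAA. This only works if
! the PIX still sees the client's own MAC, i.e. the AP is bridging, not
! routing, towards the PIX.
mac-list allowed-macs permit 0011.2233.4455 ffff.ffff.ffff
aaa mac-exempt match allowed-macs

! RADIUS server on the inside; address and key are placeholders.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.10 RADIUS_SHARED_SECRET timeout 5

! Every other user on the interface named "hotspot" (via nameif) must
! authenticate before any outbound traffic passes. Only http, https,
! telnet and ftp can trigger the prompt; other protocols are just rejected.
aaa authentication include any hotspot 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 RADIUS

! Login hook for users whose first flow is not one of those four
! protocols: they telnet to this otherwise unused address to log in.
virtual telnet 192.168.1.99

! Expire sessions so a user who walks away is not left authorised
! (30 minutes hard limit, 5 minutes idle).
timeout uauth 0:30:00 absolute uauth 0:05:00 inactivity
```

    Check the result with `show uauth`, which lists which addresses are
    currently authenticated and how long they have left.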

  3. imloggedin

    Guest

    A typical network topology would be to have the wireless access point
    outside your firewall. In order to use most of the authentication
    protocols you would require a RADIUS server which would be located
    inside the firewall.

    The firewall would need to be configured to pass the AP-to-RADIUS
    authentication traffic to the RADIUS server. Potentially the RADIUS
    server could also have application code to send a URL back to the
    wireless device that is trying to access the wireless AP.
    , Feb 6, 2005
    #3
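    As an added example (not from the post above), the PIX 6.3-style rules
    for that topology: the inside RADIUS server is published on one outside
    address, and only the access point, and only RADIUS authentication and
    accounting (UDP 1812/1813), is admitted. All addresses are placeholders.
    Pinning the source to the AP matters because, once the port is exposed,
    the RADIUS shared secret is the only thing protecting it.

```cisco
! Publish the inside RADIUS server (10.1.1.10) on one outside address
! (203.0.113.10). Both addresses are placeholders.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! Admit only the access point (203.0.113.5) and only RADIUS auth/acct.
! In 6.x the outside ACL references the translated (outside) address.
! Everything else arriving on the outside interface is dropped.
access-list outside_in permit udp host 203.0.113.5 host 203.0.113.10 eq 1812
access-list outside_in permit udp host 203.0.113.5 host 203.0.113.10 eq 1813
access-group outside_in in interface outside
```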