RE: [fw-wiz] Pix Authentication doubts

From: Strydom, Willie (WStrydom_at_fnb.co.za)
Date: 02/02/04

    To: "'j.vargas@marieclaire.es'" <j.vargas@marieclaire.es>, firewall-wizards@honor.icsalabs.com
    Date: Mon, 2 Feb 2004 08:08:33 +0200
    
    

    I would use an ACL; then you can include/exclude sites.

    aaa-server AuthInbound protocol radius
    aaa-server AuthInbound (dmz) host IP_IAS_SERVER shared_secret

    aaa authentication match acl-http inside AuthInbound
    aaa authentication match acl-http outside AuthInbound

    access-list acl-http deny tcp host your_boss_ip_address host yoursite_IP_address eq www
    access-list acl-http permit tcp any host yoursite_IP_address eq www

    you can also add this for good measure....

    aaa-server AuthToPIX protocol radius
    aaa-server AuthToPIX (dmz) host IP_IAS_SERVER shared_secret

    aaa authentication telnet console AuthToPIX
    aaa authentication ssh console AuthToPIX
    aaa authentication serial console AuthToPIX

    -----Original Message-----
    From: Jaime Vargas [mailto:j.vargas@marieclaire.es]
    Sent: 28 January 2004 05:41
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Pix Authentication doubts

    Hi, first-time poster...

    I have a problem with a Cisco PIX 515E version 6.3. In the documentation it
    explains rather well how to set up authentication via RADIUS for "any
    server", but what I want to do is to authenticate only users which try to
    connect to http to a particular server which is in my inside network.

    Let's assume that the IP address of my IAS server is IP_IAS_SERVER, which is
    on the DMZ, that the IP address of the web server is IP_WEB_SERVER and that
    it is visible on the outside interface via NAT with an address of
    IP_WEB_NAT.

    I think I know that first you have to define the RADIUS server with:

    aaa-server AuthInbound protocol radius
    aaa-server AuthInbound (dmz) host IP_IAS_SERVER shared_secret

    But how exactly should I set up authentication for the server? Should it be

    aaa authentication include http outside IP_WEB_NAT 255.255.255.255 0 0 AuthInbound,
    aaa authentication include http inside IP_WEB_SERVER 255.255.255.255 0 0 AuthInbound,

    or none of the above?

    Greetings, Jaime

    PD: I'm on digest, so I'd be grateful if you could CC the possible answer to
    my e-mail address as well as to the list. Thanks :)

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

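The reply's ACL relies on the PIX walking an "aaa authentication match" access-list top to bottom and stopping at the first matching entry, where "permit" means the flow is challenged for RADIUS credentials and "deny" means the flow is exempt from authentication (it is not blocked; the interface ACL still decides that). The following added example, which is not from the thread and not Cisco's code, models that first-match evaluation in Python so the ordering of the deny-before-permit pair can be checked before it is typed into a firewall. The addresses, the acl-http name and the parsing helpers are assumptions constructed for the demo; the parser covers only the access-list syntax used in the thread (host/any/address-mask, eq PORT).

```python
"""
First-match evaluation of a PIX-style 'aaa authentication match' ACL.

Added example, not part of the mailing-list thread. Semantics modelled:
the PIX walks the access-list top to bottom and stops at the first entry
that matches a flow; 'permit' = challenge the user via the AAA server,
'deny' = exempt from authentication (the packet is NOT dropped; the
interface ACL still governs whether it passes). Addresses below are
constructed placeholders, not the poster's real ones.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Cisco port keywords used in the thread; 'www' is TCP 80
NAMED_PORTS = {"www": 80, "http": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" (challenge) or "deny" (exempt)
    proto: str                  # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                    # CIDR string, "0.0.0.0/0" for 'any'
    dst: str
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


def parse_ace(line):
    """Parse the subset of access-list syntax seen in the thread:
    access-list NAME permit|deny PROTO (host A|any|A MASK) (host B|any|B MASK) [eq PORT]
    Returns (acl_name, Ace)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]

    def take_addr(r):
        if r[0] == "any":
            return "0.0.0.0/0", r[1:]
        if r[0] == "host":
            return f"{r[1]}/32", r[2:]
        # PIX syntax is address followed by a subnet mask (not a wildcard)
        return str(ip_network(f"{r[0]}/{r[1]}", strict=False)), r[2:]

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = NAMED_PORTS.get(rest[1])
        if dport is None:
            dport = int(rest[1])
    return name, Ace(action, proto, src, dst, dport)


def load_acl(lines):
    """Group entries by ACL name, preserving order (order is what matters)."""
    acls = {}
    for line in lines:
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls


def needs_auth(acl, proto, src, dst, dport):
    """First match wins. Flows matching nothing hit the implicit deny,
    i.e. they are not challenged (but may still be blocked elsewhere)."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action == "permit"
    return False


# Constructed sample mirroring the reply: the boss is exempt, everyone else is challenged
BOSS = "192.0.2.10"
SITE = "203.0.113.80"
CONFIG = [
    f"access-list acl-http deny tcp host {BOSS} host {SITE} eq www",
    f"access-list acl-http permit tcp any host {SITE} eq www",
]
ACLS = load_acl(CONFIG)

if __name__ == "__main__":
    acl = ACLS["acl-http"]
    print("boss   ->", needs_auth(acl, "tcp", BOSS, SITE, 80))            # False: exempt
    print("other  ->", needs_auth(acl, "tcp", "198.51.100.7", SITE, 80))  # True: challenged
    # Same two lines in the wrong order: the broad permit shadows the exemption
    print("boss, reversed ->", needs_auth(list(reversed(acl)), "tcp", BOSS, SITE, 80))
```

Running the block shows why the deny line must come first: with the entries reversed, the "permit tcp any" line matches the boss's flow before the exemption is ever consulted, so the boss would be challenged too. Traffic the ACL does not list at all (another port, another destination) falls through to the implicit deny and is simply not challenged, which is why the match ACL should stay narrow.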

