topic Re: aaa auth include tcp/10000 login issue in Network Access Control

aaa auth include tcp/10000 login issue

smartnet — Fri, 21 Feb 2020 18:03:19 GMT

I'm trying to use the command

"aaa authentication include tcp/10000 10.6.1.3 255.255.255.255 0.0.0.0

0.0.0.0 AuthInbound"

The application behind this is browser based, so I'm trying to hit port 10000 with IE6, and not getting anything other than the message

"Authorization is required" page=

Port 80 works fine- I do get the expected dialog for username/password if I hit port 80 (which is the regular website for this server) Port tcp/10000 does not make my browser pop up the dialog though...

what do I do to make the usual login dialog window appear on this aaa command?

This is critical for using any website on non-standard ports (which many administrative applications do)

thanks, Tim

Re: aaa auth include tcp/10000 login issue

gfullage — Mon, 02 Sep 2002 03:48:55 GMT

I'm surprised the PIX even allows you to put tcp/10000 in as the service type in that command. All it's really going to accept/interpret in this command is the keywords telnet, http, any or ftp.

What I would suggest is putting in "http" instead of "tcp/10000" cause that's definately not going to work. Then you have to tell the PIX that TCP port 10000 packets are HTTP, so use the command:

> fixup protocol http 10000

and see how that goes.

Re: aaa auth include tcp/10000 login issue

smartnet — Tue, 03 Sep 2002 12:51:05 GMT

The idea I had was from this TAC case online:

http://www.cisco.com/warp/public/110/pix51.shtml#add_auth

the following line:

aaa authentication include tcp/49 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Incoming

Not directly related, but hoped it would work...

I do happen to have

fixup protocol http 10000

in the PIX-

what I don't have is the http version of auth-

The problem is that there are virtual servers on that box-

I want to allow unrestricted access to port 80 with _no_ auth -

but I do want to require auth on http sessions to port 10000

Also, the PIX supports many other webservers on other IP addresses-

so I'm restricted as to how I can do the global level commands-

I don't fully understand the ramifications of 'no fixup protocol http 80'

which I guess would return port 80 connections to their normal

non-filtered state.... but it would do it for all webservers

on the entire PIX, not just that one server.

ideas?

tim

Re: aaa auth include tcp/10000 login issue

smartnet — Tue, 03 Sep 2002 14:25:46 GMT

Further thoughts- I tried using the 'fixup protocol http 10000'

with an aaa statement for http on the PIX-

What happened was that I got auth requirements on port 80, but not on port 10000 ... the PIX somehow assumed that since I'd said http, I must be talking about port 80... I removed the fixup for protocol http 80

and nothing changed (yes, I was doing write mem, before testing..)