https://community.cisco.com/t5/network-security/pix-authenticaion-for-outbound-ssh-ftp/m-p/125079#M606369 <HTML><HEAD></HEAD><BODY><P>You can define what traffic should be authenticated through the PIX with the command you've shown, but users can only still authenticate using Telnet, FTP or HTTP traffic. There's nothing in the SSH protocol for example, that can have the PIX intercept it and display a username/password request to the user. </P><P></P><P>Have a read through <A class="jive-link-custom" href="http://www.cisco.com/warp/public/110/atp52.html" target="_blank">http://www.cisco.com/warp/public/110/atp52.html</A> and see how you get on. Pay particular attention to the debug/syslog messages, they'll help you out a lot.</P></BODY></HTML> Mon, 05 May 2003 04:04:17 GMT gfullage 2003-05-05T04:04:17Z https://community.cisco.com/t5/network-security/pix-authenticaion-for-outbound-ssh-ftp/m-p/125078#M606367 <P>I have a PIX firewall in which I wish to authenticate outbound connections for slected users of SSH &amp; FTP against an internal AAA server, using TACACS.</P><P></P><P>Is this functionality supported ?</P><P>I have created an access list to match the traffic SSH-Tracker .</P><P>I have related the access list to the authenticate, aaa authentication match SSH-Tracker inside tacserv.</P><P>I have glodal nats in place.</P><P></P><P>I suspect I am missing something of the functionality is not there yet ?</P><P></P><P>Any help appriciated.</P> Fri, 21 Feb 2020 06:43:22 GMT https://community.cisco.com/t5/network-security/pix-authenticaion-for-outbound-ssh-ftp/m-p/125078#M606367 dofaulkner 2020-02-21T06:43:22Z https://community.cisco.com/t5/network-security/pix-authenticaion-for-outbound-ssh-ftp/m-p/125079#M606369 <HTML><HEAD></HEAD><BODY><P>You can define what traffic should be authenticated through the PIX with the command you've shown, but users can only still authenticate using Telnet, FTP or HTTP traffic. There's nothing in the SSH protocol for example, that can have the PIX intercept it and display a username/password request to the user. </P><P></P><P>Have a read through <A class="jive-link-custom" href="http://www.cisco.com/warp/public/110/atp52.html" target="_blank">http://www.cisco.com/warp/public/110/atp52.html</A> and see how you get on. Pay particular attention to the debug/syslog messages, they'll help you out a lot.</P></BODY></HTML> Mon, 05 May 2003 04:04:17 GMT https://community.cisco.com/t5/network-security/pix-authenticaion-for-outbound-ssh-ftp/m-p/125079#M606369 gfullage 2003-05-05T04:04:17Z https://community.cisco.com/t5/network-security/pix-authenticaion-for-outbound-ssh-ftp/m-p/125080#M606370 <HTML><HEAD></HEAD><BODY><P>Hi Doug,</P><P>ftp can be authenticated, but ssh not. But you can do it another way. Authenticate the traffic via ftp, http or telnet (https in V6.3 is supported to) and authorize ssh against you tacacs server. Authorization only takes place, when the user is authenticated first. So you can say who is allowed to ftp or ssh or whatever you want.</P><P>Hope this helps a bit</P><P>Norbert</P></BODY></HTML> Mon, 05 May 2003 13:44:53 GMT https://community.cisco.com/t5/network-security/pix-authenticaion-for-outbound-ssh-ftp/m-p/125080#M606370 nsteup 2003-05-05T13:44:53Z