AAA and PIX 515e

r.lent
Level 1

Hi,

I have downloaded a trial of CiscoSecure ACS 3.0 to use with my PIX 515e with a view to purchase. I like this a lot and will definitely be buying, but before I do I have a small problem.

I have set up the firewall to request access from the users to get to the Internet. This works great, but if the user then goes to a secure web site which requests username and logon details, there seems to be a conflict between the PIX AAA and the web site's credentials. I think I have read about this somewhere but cannot remember where.

There was some mention about a virtual http server, I think, but I cannot remember the details. Does anyone know of this problem and a way round it?

Thanks,

Robin.

4 Replies

4brown
Level 1

Check out:

http//www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/tz.htm#xtocid8

The virtual http command solves the problem of the browser caching the authentication by first creating an HTTP redirect from the initial IP address of the server (the PIX still impersonates the server) to the address set within the virtual http command. When the browser is redirected to this address, the PIX will then prompt for the username and password. After authentication is successful, the browser is then redirected back to the original address. This way the browser will not associate the username and password used for the PIX (and therefore ACS) with the username and password used by the server.
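
The redirect sequence described in the reply above, as an added example that is not part of the original thread and is not Cisco code: a simplified Python model in which the browser caches Basic credentials per host and the firewall passes authenticated requests on with their headers (an assumption of the model). The host name, virtual address and credentials are constructed sample values, and `Pix`, `browse` and `seen_by_server` are hypothetical names.

```python
# Simplified, constructed model of the exchange (not PIX or browser code).
# Host name, virtual address and credentials below are made-up sample values.
SERVER, VIRTUAL = "www.example.com", "192.0.2.99"
PIX_CRED, SITE_CRED = ("robin", "acs-pass"), ("robin", "site-pass")

class Pix:
    def __init__(self, virtual_ip=None):
        self.virtual_ip = virtual_ip      # address given to "virtual http", if any
        self.authed = False
        self.origin = None
        self.seen_by_server = []          # credentials the real server received

    def handle(self, host, cred):
        if not self.authed:
            if self.virtual_ip and host != self.virtual_ip:
                self.origin = host
                return 302, self.virtual_ip        # redirect to the virtual address
            if cred != PIX_CRED:
                return 401, "pix"                  # challenge appears to come from `host`
            self.authed = True
            if self.virtual_ip:
                return 302, self.origin            # redirect back to the original address
        # Model assumption: authenticated requests are passed on, headers included.
        self.seen_by_server.append(cred)
        return (200, "ok") if cred == SITE_CRED else (401, "site")

def browse(pix, host):
    """Minimal browser: caches Basic credentials per host and follows redirects."""
    cache = {}
    typed = {"pix": PIX_CRED, "site": SITE_CRED}   # what the user enters at each prompt
    for _ in range(10):
        status, info = pix.handle(host, cache.get(host))
        if status == 302:
            host = info
        elif status == 401:
            cache[host] = typed[info]              # remembered for this host only
        else:
            return pix.seen_by_server
    raise RuntimeError("no 200 response after 10 requests")

if __name__ == "__main__":
    print("without virtual http:", browse(Pix(), SERVER))
    print("with virtual http:   ", browse(Pix(VIRTUAL), SERVER))
```

Without the virtual address, the first request the server sees carries the firewall credentials cached under the server's own host name; with it, the server's first request carries none and only the site credentials follow.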

Thanks for the info. I tried the link above but all I get is the msn search page!! Could you confirm the link for me!

Thanks

Robin

Whoops, something happened to the colon when I pasted it:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/tz.htm#xtocid8

Nairi Adamian
Cisco Employee

There is a sample configuration for this at the following link:

http://www.cisco.com/warp/public/110/atp52.html#virtual_http

Hope this helps,

-Nairi