2169 Views, 0 Helpful, 2 Replies

ACS2.4-NT and PIX Authentication Problem

iholdings (Level 1)

Greetings,

Issue: Users accessing http authenticating via ACS-NT 2.4 off of a PIX 520.

At times, all users are not presented with a challenge to authenticate until we reboot the PIX. ACS is functioning fine at these times. At other times, the user is challenged three times for authentication, which continues to appear to fail, but then has access once the browser is closed and reopened. Any ideas? Are there rules governing AAA rule order in the PIX (i.e., include must come before exclude, etc.)? Thanks.

2 Replies

pmoulay (Level 1)

What version of the PIX software are you using? I have been running 5.26 with no problems.

Have you tried converting your AAA rules to use an access-list?

aaa authentication xxxxxx match 101 (brevity)

access-list 101 permit tcp any any eq http

Do you have the latest service packs on your Windows ACS for NT 2.4 (6.a)?

As far as the order of the rules, you should include everybody first and deny afterwards or vice-versa.

Here is my config.

pixfirewall# sh aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AOB protocol tacacs+
aaa-server AOB (inside) host 10.1.1.200 secret timeout 30
aaa-server AIB protocol radius
aaa-server AIB (inside) host 10.1.1.200 secret timeout 30

pixfirewall# sh aaa
aaa authentication exclude http inside 10.1.1.205 255.255.255.255 0.0.0.0 0.0.0.0 AOB
aaa authentication serial console AOB
aaa authentication telnet console AOB
aaa authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AOB
aaa authentication include ftp inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AOB
aaa authentication include telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AOB
pixfirewall#

PS: the exclude statements were added at the end but show up before in the config.

j.mercado (Level 1)

Hello:

I'm not using a Pix firewall, but I have encountered the same problem when using the CBAC auth-proxy feature for authentication and authorization.

The first time I installed the CiscoSecure ACS Server, my clients received a challenge just one time, and then no more challenges were received.

The auth-proxy feature sets a timeout on the connections that authenticate. Then, if you clear the cache (router# clear ip auth-proxy cache *), users start receiving a challenge from the browser.

Instead of rebooting the PIX, try to locate the respective cache for authentication and reduce the default timeout. In the case of CBAC, the auth-proxy default timeout is 120 minutes. I have reduced this timeout to 10 minutes.

The process is as follows:

1. A user starts a new http session, and a challenge is presented.

2. The user continues browsing as normal.

3. If the user stops browsing, the timeout starts running for 10 minutes.

4. Then, when the user returns after 10 minutes, a challenge is presented and the process starts again.

Luis Wilkes

lm_wilkes@hotmail.com
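The four-step cycle above, and the failure mode in the original post (authenticated users never challenged again until the device is rebooted), both come down to how long an entry stays in the authentication cache. The following is an added example, not code from this thread or from Cisco: a small Python model of such a cache with an idle timeout. The client address, timestamps and the `AuthProxyCache` class are constructed for illustration; only the 120-minute default and the 10-minute value come from the reply.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TEN_MINUTES = 10 * 60        # the reduced timeout from the reply
TWO_HOURS = 120 * 60         # the CBAC auth-proxy default quoted in the reply


@dataclass
class AuthProxyCache:
    """Constructed model (not PIX/IOS code): authenticated source IPs keyed by
    address, each holding the time of the client's last activity."""
    idle_timeout: Optional[int]                       # seconds; None = never ages out
    entries: Dict[str, int] = field(default_factory=dict)

    def is_cached(self, src_ip: str, now: int) -> bool:
        last = self.entries.get(src_ip)
        if last is None:
            return False
        if self.idle_timeout is not None and now - last > self.idle_timeout:
            del self.entries[src_ip]                  # idle too long: entry ages out
            return False
        return True

    def http_request(self, src_ip: str, now: int, credentials_ok: bool = True) -> str:
        """Return 'pass' for a cached source; otherwise 'challenge', caching the
        source only when the user answers the challenge correctly."""
        if self.is_cached(src_ip, now):
            self.entries[src_ip] = now                # activity refreshes the idle timer
            return "pass"
        if credentials_ok:
            self.entries[src_ip] = now
        return "challenge"

    def clear(self) -> None:
        """Model of 'clear ip auth-proxy cache *' from the reply."""
        self.entries.clear()


def walk_through(idle_timeout: Optional[int]) -> List[str]:
    """Replay the reply's four steps for one client and return what the client
    sees at each request (constructed timeline, in seconds)."""
    cache = AuthProxyCache(idle_timeout)
    ip = "10.1.1.50"                                  # constructed client address
    seen = []
    seen.append(cache.http_request(ip, now=0))                          # step 1: new session
    seen.append(cache.http_request(ip, now=60))                         # step 2: keeps browsing
    seen.append(cache.http_request(ip, now=5 * 60))                     # still inside the idle window
    seen.append(cache.http_request(ip, now=5 * 60 + TEN_MINUTES + 1))   # steps 3-4: idle longer than 10 min
    return seen


def stuck_until_cleared() -> List[str]:
    """With no expiry, a client is never challenged again, even a day later,
    until an operator clears the cache (the reply's alternative to a reboot)."""
    cache = AuthProxyCache(idle_timeout=None)
    ip = "10.1.1.51"                                  # constructed client address
    out = [cache.http_request(ip, now=0), cache.http_request(ip, now=24 * 3600)]
    cache.clear()
    out.append(cache.http_request(ip, now=24 * 3600 + 1))
    return out


if __name__ == "__main__":
    print("10 min timeout :", walk_through(TEN_MINUTES))
    print("120 min timeout:", walk_through(TWO_HOURS))
    print("no expiry      :", walk_through(None))
    print("clear cache    :", stuck_until_cleared())
```

With the 10-minute timeout the fourth request is challenged again; with the 120-minute default or no expiry at all the same client is waved through indefinitely, which is the symptom described in the original post, and only clearing the cache (or, on the PIX, a reboot) brings the challenge back. Shortening the idle timeout is the defender's lever here: it bounds how long a cached authentication can be reused from a given source address.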
