

ACS2.4-NT and PIX Authentication Problem


Issue: Users accessing http authenticating via ACS-NT 2.4 off of a PIX 520.

At times, all users are not presented with a challenge to authenticate until we reboot the PIX. ACS is functioning fine at these times. At other times, the user is challenged three times for authentication, which continues to appear to fail, but then has access once the browser is closed and reopened. Any ideas? Are there rules governing AAA rule order in the PIX (i.e., include must come before exclude, etc.)? Thanks


What version of the PIX software are you using? I have been running 5.26 with no problems.

Have you tried to convert your AAA rules with an access-list?

aaa authentication xxxxxx match 101 (brevity)

access-list 101 permit tcp any any eq http

Do you have the latest service packs on your Windows ACS for NT 2.4 (6.a)?

As far as the order of the rules, you should include everybody first and deny afterwards or vice-versa.

Here is my config.

pixfirewall# sh aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AOB protocol tacacs+
aaa-server AOB (inside) host secret timeout 30
aaa-server AIB protocol radius
aaa-server AIB (inside) host secret timeout 30

pixfirewall# sh aaa
aaa authentication exclude http inside 0.0.0.

aaa authentication serial console AOB
aaa authentication telnet console AOB
aaa authentication include http inside AOB
aaa authentication include ftp inside AOB
aaa authentication include telnet inside AOB


PS: the exclude statements were added at the end but show up before in the config.



I'm not using a Pix firewall, but I have encountered the same problem when using the CBAC auth-proxy feature for authentication and authorization.

The first time I installed the CiscoSecure ACS Server, my clients received a challenge just one time, and then no more challenges were received.

The auth-proxy feature sets a timeout on the connection which authenticated. Then, if you clear the cache (router# clear ip auth-proxy cache *), users start receiving a challenge from the browser.

Instead of rebooting the PIX, try to locate the respective cache for authentication and reduce the default timeout. In the case of CBAC, the auth-proxy default timeout is 120 minutes. I have reduced this timeout to 10 minutes.

The process is as follows:

1. A user starts a new http session, and a challenge is presented.

2. The user continues browsing as normal.

3. If the user stops browsing, the timeout starts running for 10 minutes.

4. Then, when the user returns after 10 minutes, a challenge is presented and the process starts again.

Luis Wilkes
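The two suggestions in this thread (the first reply's access-list form of the AAA rules, and the second reply's advice to shorten the authentication cache timeout instead of rebooting) map onto a PIX configuration like the fragment below. This is an added example, not configuration posted by either respondent: it reuses the interface name inside, the server tag AOB and ACL number 101 from the thread, and assumes a placeholder host 192.0.2.10 as the station to exclude from HTTP authentication and a 10-minute inactivity timeout matching the CBAC value Luis chose. The PIX equivalent of the CBAC auth-proxy cache is the uauth cache, which the timeout uauth, show uauth and clear uauth commands control.

```cisco
! One access-list carries both the "include" and the "exclude" rules.
! Entries are evaluated top to bottom, so the deny (the old "exclude")
! must sit above the permit that matches everyone else.
! 192.0.2.10 is a placeholder for the excluded host (assumption).
access-list 101 deny tcp host 192.0.2.10 any eq http
access-list 101 permit tcp any any eq http
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq telnet

! Replace the separate include/exclude statements with a single match rule
! pointing at the access-list and the TACACS+ server tag from the thread.
aaa authentication match 101 inside AOB

! Shrink the authentication cache so an idle user is re-challenged after
! 10 minutes of inactivity instead of staying authenticated until a reboot.
timeout uauth 0:10:00 inactivity
```

To reproduce Luis's "clear the cache" step on the PIX without a reboot, use show uauth to list the currently authenticated users and clear uauth to drop all cached entries; every user is then challenged again on their next HTTP request. Removing the old include/exclude lines before adding the match rule keeps the ordering question in the original post from arising at all, since the access-list order is now the only order that matters.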