12-07-2001 09:32 AM - edited 02-21-2020 09:58 AM
Greetings,
Issue: Users accessing http authenticating via ACS-NT 2.4 off of a PIX 520.
At times, all users are not presented with a challenge to authenticate until we reboot the PIX. ACS is functioning fine at these times. At other times, the user is challenged three times for authentication, which continues to appear to fail, but then has access once the browser is closed and reopened. Any ideas? Are there rules governing AAA rule order in the PIX (i.e., include must come before exclude, etc.)? Thanks
12-11-2001 03:46 PM
What version of the PIX software are you using? I have been running 5.26 with no problems.
Have you tried to convert your AAA rules with access-list
aaa authentication xxxxxx match 101 (brevity)
access-list 101 permit tcp any any eq http
Do you have the latest service packs on your Windows ACS for NT 2.4 (6.a)?
As far as the order of the rules, you should include everybody first and deny afterwards or vice-versa.
Here is my config.
pixfirewall# sh aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AOB protocol tacacs+
aaa-server AOB (inside) host 10.1.1.200 secret timeout 30
aaa-server AIB protocol radius
aaa-server AIB (inside) host 10.1.1.200 secret timeout 30
pixfirewall# sh aaa
aaa authentication exclude http inside 10.1.1.205 255.255.255.255 0.0.0.0 0.0.0.0 AOB
aaa authentication serial console AOB
aaa authentication telnet console AOB
aaa authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AOB
aaa authentication include ftp inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AOB
aaa authentication include telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AOB
pixfirewall#
PS: the exclude statements were added at the end but show up before in the config.
12-22-2001 04:28 PM
Hello:
I'm not using a Pix firewall, but I have encountered the same problem when using the CBAC auth-proxy feature for authentication and authorization.
The first time I installed the CiscoSecure ACS Server, my clients received a challenge just one time, and then no more challenges were received.
The auth-proxy feature sets a timeout on the connections that authenticate. Then, if you clear the cache (router# clear ip auth-proxy cache *), users start receiving a challenge from the browser.
Instead of rebooting the PIX, try to locate the respective cache for authentication and reduce the default timeout. In the case of CBAC, the auth-proxy default timeout is 120 minutes. I have reduced this timeout to 10 minutes.
The process is as follows:
1. A user starts a new http session, and a challenge is presented.
2. The user continues browsing as normal.
3. If the user stops browsing, the timeout starts running for 10 minutes.
4. Then, when the user returns after 10 minutes, a challenge is presented and the process starts again.
Luis Wilkes
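The PIX-side counterpart of the two suggestions in this thread (the match-list form of the rules and a shorter authentication cache timeout), as an added example that is not from either poster's configuration; the ACS host 10.1.1.200 is taken from the thread, the exempt host 10.1.1.205 likewise, and the shared secret is a placeholder.

```cisco
! Added example, not from the original posts. Assumes ACS reachable on the
! inside interface at 10.1.1.200; replace the placeholder secret.
aaa-server AOB protocol tacacs+
aaa-server AOB (inside) host 10.1.1.200 SHARED-SECRET-PLACEHOLDER timeout 30
!
! Match-list form of the AAA rules: one ordered access-list replaces the
! include/exclude lines, so the question of which line is evaluated first
! no longer arises. A deny entry means "do not authenticate this traffic",
! so the exempt host is listed before the catch-all permit entries.
access-list 101 deny tcp host 10.1.1.205 any eq www
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq telnet
aaa authentication match 101 inside AOB
!
! PIX equivalent of the auth-proxy cache: an authenticated user is held in
! the uauth table and is not re-challenged until the entry expires. A short
! absolute limit keeps a stale entry from suppressing the challenge for long.
timeout uauth 0:05:00 absolute
!
! Verification without a reboot:
!   show uauth   - lists the cached users and the time left on each entry
!   clear uauth  - flushes the cache, forcing a fresh challenge
```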