12-12-2001 06:46 AM - edited 02-21-2020 09:58 AM
Here is the problem:
I have a Citrix server inside and want to authenticate outside users for that service. I have an ACE server installed inside speaking RADIUS. Since the PIX cannot authenticate traffic other than HTTP, FTP and Telnet, I need first to authenticate users on port 80, for example, and then this user can start the ICA connection. So, the reasonable solution would be to add an authentication entry for authentication of all traffic to the Citrix server. Here is the config:
inside address of Citrix: 192.168.1.1
outside address of Citrix: 99.99.99.1
! This is a classic one-to-one static (host NAT, inside -> outside)
static (inside,outside) 99.99.99.1 192.168.1.1
! Two conduits: one for the HTTP authentication, the second for the real ICA traffic
conduit permit tcp host 99.99.99.1 eq 80 any
conduit permit tcp host 99.99.99.1 eq 1494 any
! Defining the RADIUS server group (the ACE server; shared secret redacted)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.2 ***** timeout 5
! Defining the traffic to authenticate: all TCP (tcp/0) arriving on outside for the inside host 192.168.1.1, from any source
aaa authentication include tcp/0 outside 192.168.1.1 255.255.255.255 0.0.0.0 0.0.0.0 RADIUS
So, everything is OK: the user is authenticated via HTTP, and he can start the ICA client without problems.
BUT, if the user is sitting behind a PAT device (another PIX, for example) and he does the authentication, then another user CAN start an ICA connection WITHOUT BEING AUTHENTICATED, which is not what I expect.
I have heard that the PIX has problems with this and similar issues, meaning that the PIX is maintaining these kinds of connections only by SA/DA, not by SA-SP/DA-DP. Can anyone confirm this, and can someone, preferably from Cisco, give some input on how to deal with this kind of problem?
Thanks in advance
Sasa Vidanovic
12-18-2001 01:55 PM
The PIX caches authentication credentials based on source IP address (see sh uauth). The only workaround is to reduce your timeout uauth absolute so the cache doesn't stay up too long. Cisco's TAC should be able to help you with this.
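To make the behaviour in the reply above concrete, here is a small Python model of a cut-through proxy authentication cache keyed by source IP address, with an absolute timeout like the PIX "timeout uauth ... absolute" setting. This is an added example, not code from any poster in this thread or from Cisco. The cache semantics (per-source-IP keying, absolute/inactivity timers in seconds, a zero absolute timeout meaning no caching), the users, the RADIUS stand-in and the 203.0.113.5 PAT address are all assumptions for illustration. The model goes one step beyond the thread: it also tries keying the cache by source IP and source port, to show why that would not help either.

```python
"""Model of a PIX-style 'uauth' cache for cut-through proxy authentication.

Added example: keying and timeout semantics below are assumptions, not a
description of PIX internals; all addresses, users and timings are constructed.
"""
from dataclasses import dataclass

# Services the cut-through proxy can challenge for credentials (HTTP, FTP, Telnet).
AUTH_PORTS = {80, 21, 23}

# Constructed stand-in for the RADIUS (ACE) server: username -> password.
RADIUS_USERS = {"alice": "s3cret", "bob": "hunter2"}


@dataclass(frozen=True)
class Conn:
    """One new TCP connection to the protected server (destination fixed)."""
    src_ip: str
    src_port: int
    dst_port: int


class UauthCache:
    """Authenticated-source cache. Default: keyed by source IP only.

    absolute:   seconds an entry lives after creation (0 = never cache,
                i.e. every connection must authenticate itself).
    inactivity: seconds an entry may sit idle (0 = inactivity timer disabled).
    key_by_port: assumption-only variant keyed by (src_ip, src_port).
    """

    def __init__(self, absolute=300, inactivity=0, key_by_port=False):
        self.absolute = absolute
        self.inactivity = inactivity
        self.key_by_port = key_by_port
        self._entries = {}  # key -> (user, created_at, last_seen)

    def _key(self, conn):
        return (conn.src_ip, conn.src_port) if self.key_by_port else conn.src_ip

    def lookup(self, conn, now):
        """Return the cached user for this connection, expiring stale entries."""
        key = self._key(conn)
        entry = self._entries.get(key)
        if entry is None:
            return None
        user, created, last_seen = entry
        if now - created >= self.absolute or (
            self.inactivity and now - last_seen >= self.inactivity
        ):
            del self._entries[key]
            return None
        self._entries[key] = (user, created, now)  # refresh inactivity timer
        return user

    def add(self, conn, user, now):
        if self.absolute == 0:  # caching disabled: nothing is remembered
            return
        self._entries[self._key(conn)] = (user, now, now)


def authorize(cache, conn, now, creds=None):
    """Decide a new connection: cached source first, else challenge if possible."""
    user = cache.lookup(conn, now)
    if user is not None:
        return ("allow", user)  # source port is irrelevant to the cache hit
    if conn.dst_port in AUTH_PORTS and creds is not None:
        name, password = creds
        if RADIUS_USERS.get(name) == password:
            cache.add(conn, name, now)
            return ("allow", name)
    return ("deny", None)  # ICA (tcp/1494) cannot be challenged, only cached


def pat_scenario(absolute=300, key_by_port=False):
    """Two users behind one PAT address; returns the verdict for each connection."""
    cache = UauthCache(absolute=absolute, key_by_port=key_by_port)
    pat_ip = "203.0.113.5"  # constructed public address of the PAT device
    events = [
        (0, Conn(pat_ip, 40000, 80), ("alice", "s3cret")),  # Alice authenticates over HTTP
        (5, Conn(pat_ip, 40001, 1494), None),               # Alice's ICA client, new source port
        (60, Conn(pat_ip, 40002, 1494), None),              # Bob, same PAT IP, never authenticated
        (400, Conn(pat_ip, 40003, 1494), None),             # Bob again, after the default 5 minutes
    ]
    return [authorize(cache, conn, t, creds)[0] for t, conn, creds in events]


if __name__ == "__main__":
    for label, kwargs in [
        ("default 5 min absolute", {}),
        ("30 s absolute", {"absolute": 30}),
        ("no caching", {"absolute": 0}),
        ("keyed by ip+port", {"key_by_port": True}),
    ]:
        print(f"{label:24} {pat_scenario(**kwargs)}")
```

With the 5-minute absolute timeout Bob's unauthenticated ICA connection at t=60 is allowed as "alice"; cutting the absolute timeout to 30 seconds closes that window but keeps Alice's own ICA connection working. The two variants show the limits of the workaround: disabling the cache (absolute 0) denies Alice's ICA connection too, because tcp/1494 cannot be challenged, and keying by source IP plus source port does the same, since the ICA client always arrives from a different source port than the HTTP login did.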
12-18-2001 11:50 PM
Thanks, I have already opened a case with TAC. We will see...
03-22-2002 04:36 AM
Hello Sidanovic,
Did you have any response from TAC? I am very interested to know. What about VPN (a Cisco VPN product with Citrix)?
Thanks