07-16-2002 06:43 AM - edited 02-21-2020 10:02 AM
I have the following problem with the way the PIX authentication works. It only maps a username to an IP address. The PIX only authenticates machines and not users. This is a problem because if you have 50 users who use a terminal server like Win2k or Citrix, you can't enable authentication because of the way the auth works. The very first person who connects to the internet from the terminal server will get prompted for authentication; thereafter, all other users on the terminal server are able to browse using this person's account and will never get prompted for authentication. I have opened a TAC case regarding this and there is no workaround that can be supplied by TAC. My Cisco account manager has put this forward as a feature request, but the time to get this resolved is unknown and we will be losing customers if we can't find a workaround for this problem. Has anyone experienced the same problem and found a solution that can be used until Cisco upgrades the authentication on the PIX?
07-22-2002 01:57 PM
The best solution would be to reorganize the way your accounting takes place. The PIX cannot be used for this, so utilize one generic account and have the authentication and accounting for this authentication occur prior to reaching the terminal server.
07-23-2002 02:49 AM
I would agree, but our clients outsourced the security to us and don't have the skills or don't want to do it this way. So I'm going to have to wait for Cisco to fix the problem and possibly lose a few clients.
07-24-2002 12:37 AM
What about deploying an ACS server?
07-29-2002 04:33 AM
I am currently using AAA with TACACS. This still won't solve the problem. There is a fundamental flaw in the authentication system on the PIX which won't allow for multiple users being authenticated all coming from 1 IP address.
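
The behaviour described in this thread, as an added example that is not part of any poster's message and is not Cisco code: a small Python model of an authentication cache keyed only on source IP, showing how prompts and accounting records come out for 50 terminal-server users versus workstations with their own addresses. The class name, addresses, usernames and the 300-second idle timeout are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class IpKeyedAuthCache:
    """Hypothetical model: one cached login per source IP, nothing per user."""
    timeout: int = 300                               # assumed idle timeout, seconds
    entries: dict = field(default_factory=dict)      # src_ip -> (username, last_seen)
    prompts: list = field(default_factory=list)      # (src_ip, user who was prompted)
    accounting: list = field(default_factory=list)   # (src_ip, billed_user, real_user)

    def request(self, src_ip, real_user, now):
        entry = self.entries.get(src_ip)
        if entry is None or now - entry[1] > self.timeout:
            # No live entry for this address: whoever sent the packet is prompted.
            self.prompts.append((src_ip, real_user))
            entry = (real_user, now)
        billed_user = entry[0]
        # Any traffic from the address refreshes the cached login.
        self.entries[src_ip] = (billed_user, now)
        self.accounting.append((src_ip, billed_user, real_user))
        return billed_user


def misattributed(cache):
    """Accounting records billed to someone other than the real sender."""
    return [rec for rec in cache.accounting if rec[1] != rec[2]]


def simulate():
    cache = IpKeyedAuthCache()
    terminal_server = "192.0.2.10"                   # constructed address
    for i in range(50):                              # 50 users share one source IP
        cache.request(terminal_server, f"ts_user{i:02d}", now=i)
    for i in range(3):                               # workstations, one IP each
        cache.request(f"192.0.2.{20 + i}", f"desk_user{i}", now=i)
    return cache


if __name__ == "__main__":
    c = simulate()
    print("prompts issued:", len(c.prompts))
    print("records billed to the wrong user:", len(misattributed(c)))
```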