ftp error using pix firewall with acs-server

mueti
Level 1

To use the internet, we have to authenticate at the PIX, version 6.2.3, over the ACS server. Now, if we try to connect to any FTP server, we get a reply from the server with the authenticated user ID (from the ACS server). We can log in as anonymous with an email address for the password, but then the connection hangs. If we use a global configuration with "no aaa authentication ...." for the internal IP address, I don't have to authenticate and the FTP connection starts as well! What's going wrong?

Thanks a lot for your help.

2 Replies

gfullage
Cisco Employee

I assume from this you're authenticating FTP traffic outbound through your PIX. When doing this, you will be returned a username/password prompt by the PIX, not by the remote FTP server. When you enter in the username, you have to enter it in as follows:

local-username@remote-username

and for the password enter:

local-password@remote-password

The PIX will forward the local username/password off to the ACS server for authentication, and if that passes, it forwards the remote username/password off to the remote FTP server and completes the connection.

Check out this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea9.shtml#usersees

First, thanks for the answer. But I think this isn't the solution for our problem. We use authentication by using the virtual telnet command. So we have to authenticate at the first HTTP connection (a Windows popup appears and we authenticate using an external database (ADS) from the ACS server). The timeout for uauth is 08:30:00, so we don't have to authenticate again for this time. Now we can use all allowed connections, but not all FTP connections (a few FTP servers work well)! If we try to download files over an internet browser (IE, Netscape), it hangs! If I try to do this using the console, I get the same problem. Please look at the attachments!