Has anybody been able to authenticate a user onto a LAN segment?
We would like to be able to stop users gaining access to the network unless they log in.
I have looked at a variety of Cisco specific solutions. Lock + Key does not scale (over 15,000 connections required). Cut Through/Authentication Proxy is not very customizable in terms of the HTTP authentication methods.
There have been some discussions about the SSG and SSD. This seems to be what large ISPs use for the DSL/Cable markets. Has anybody done this in the Enterprise on LAN only segments?
Any thoughts or other solutions out there?
Not really the answer I was looking for. I can cut and paste from a web page as well.
ACS is only part of the problem; any AAA server will do the same thing. I need something that can control what a user can do on a network.
If you have taken a look at auth proxy and it did not scale to what you had in mind, the next solution I would recommend would be a PIX firewall running AAA. Having come from a Cisco shop, I have assisted with multiple implementations of what it sounds like you are shooting for. On the PIX you can set up authentication and authorization, so that each session through the PIX will require authentication, based on criteria that you set forth, i.e. only certain subnets have to authenticate, only certain protocols have to authenticate, etc.
Furthermore, I would suggest using tacacs+ for this - with the proper tacacs+ server, you can control exactly what protocols are allowed to pass through on a per-user/group basis. And per protocol you can control what destination ip address that user/group is able to access.
I highly recommend the CiscoSecure ACS server, its use of tacacs+ is fantastic, and it seamlessly integrates authentication with multiple external databases such as Windows 2000, NT 4.0, Novell NDS, and LDAP.
You can pipe a very large number of users through the PIX and have one ACS server controlling their access on a per-user basis, using the ACS server to group those users into logical groups for low administrative overhead.
However, keep this in mind - when running authentication on a PIX, the user MUST first initiate their session with one of these three protocols: telnet, http, or ftp. These are the only three protocols that will bring up an authentication window on the PIX. Once they start with one of those three and then provide their credentials, then the AAA server can designate what protocols they can use and what destinations they can get to.
I use ACS 2.6 for VPN authentication, but I want to use it to block certain web sites from internal users also. The main problem is that when it authenticates internal users, they have to re-log in every 3 minutes. Is there any way I can make the authentication last a lot longer? Thanks
I assume that when you say ACS is authenticating internal users that they are NOT going through the VPN, and that you are simply authenticating them at an access point, such as a firewall. The generic statement that I can make is that re-authentication is entirely a function of that access point device, whether it is a firewall, router, whatever. ACS itself does not initiate an authentication request; it simply responds to incoming authentication requests.
With this in mind, if you are authenticating these users through a PIX, adjust the uauth timeout value:
An example would be:
timeout uauth 0:30:00 absolute uauth 0:10:00 inactivity
This sets the absolute timeout to 30 minutes and the inactive timeout to 10, both applying specifically to authentication.
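The PIX AAA setup recommended earlier in the thread (TACACS+ to an ACS server, authentication forced for telnet/http/ftp, per-user authorization for everything else) and the uauth timeout adjustment above fit together in one configuration. The following is an added example written for this page, not configuration posted by anyone in the thread; the server address 10.1.1.5, the shared key and the interface name are hypothetical, and the syntax is PIX 6.x.

```cisco
! Added example for PIX 6.x; addresses and key are hypothetical placeholders.
! Point the built-in TACACS+ server group at the ACS box on the inside interface.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.5 SharedSecretKey timeout 5
!
! Only telnet, http and ftp can raise a login prompt, so these are the
! sessions that must be authenticated first. 0 0 0 0 = any source, any destination.
aaa authentication include http inside 0 0 0 0 TACACS+
aaa authentication include telnet inside 0 0 0 0 TACACS+
aaa authentication include ftp inside 0 0 0 0 TACACS+
!
! After a user is in the uauth cache, every other service is checked
! against the per-user/group authorization rules defined on the ACS.
aaa authorization include any inside 0 0 0 0 TACACS+
!
! The default uauth cache is 0:05:00 absolute, which is why users see
! frequent re-prompts. Raise it to 30 minutes absolute / 10 minutes idle.
timeout uauth 0:30:00 absolute uauth 0:10:00 inactivity
```

The authorization line is what actually enforces "what a user can do": without it the PIX only checks credentials and then lets any permitted traffic through for the life of the uauth entry. Keep the absolute timeout bounded; a shared workstation keeps the first user's authorization until that timer expires, which is the same credential-sharing problem described later in this thread.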
I need assistance in trying to control the number of http sessions for my internal clients.
I'm using a Cisco IOS FW with the auth-proxy feature with CiscoSecure ACS 2.6. My router is configured to forward authentication and authorization to this server.
My problem starts when trying to limit the number of http connections for my clients. Let's suppose that I have a remote office with two clients: userA and userB. Now, suppose that userA has http access and userB does not.
When userA requests a URL, a challenge is presented and its access is successful, because userA has http privileges. Now, userB tries the same, but when he is challenged for his password, the connection fails.
But, when userA shares its password with userB, both users get access to the Internet. Do you know where I can find a solution to this problem? The Max-sessions tab from ACS doesn't work well.
I'm looking to do something not totally dissimilar, but in my case I am concerned about controlling outgoing access (i.e. to the Internet) for network users. They will be going through a PIX, but the main difficulty is that I want their individual level of access to be controlled from their Windows logon. I am therefore looking for some software to watch Windows NT Domain/Active Directory logons/logoffs and communicate the appropriate information to the firewall. Does anyone know of anything to do this?
I suppose you want to deny access to the LAN (through a LAN switch). This can be done using 802.1x.
This prevents users from getting an IP address, or from using a static one, until they successfully authenticate against an AAA server (ACS).
Today it is only supported by 295x, 4xxx and 6xxx switches. You can search for a document called "placing ACS on a Cisco Catalyst network". It describes how to do that.
I hope this is what you are looking for.
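Port-based 802.1x as described in the post above looks like the following on a Catalyst switch running IOS (2950-class syntax). This is an added example, not configuration from the thread or from the Cisco document it mentions; the RADIUS server address 10.1.1.5, the shared key and the interface numbers are hypothetical.

```cisco
! Added example, not from the thread; server address, key and ports are hypothetical.
! 802.1x on Catalyst switches talks RADIUS (not TACACS+) to the ACS server.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.1.1.5 auth-port 1812 acct-port 1813 key SharedSecretKey
!
! Turn 802.1x on globally; without this line the per-port settings do nothing.
dot1x system-auth-control
!
! User-facing access port: stays in the unauthorized state, so no frames
! (including DHCP or a statically addressed host's traffic) pass until EAP succeeds.
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
! Uplinks and server ports are never challenged; force-authorized is the default,
! stated explicitly here so the exception is visible in the running config.
interface FastEthernet0/24
 dot1x port-control force-authorized
```

The trade-off to note is the same one raised in the original question: the control point is the switch port, not the user session, so it stops unauthenticated hosts from reaching the segment at all but does not by itself decide which protocols or destinations an authenticated user may use once the port is open. The PIX/ACS authorization discussed earlier in the thread covers that second layer.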
We have chosen to use the SSG feature set on the 7400 series routers. This provides us with all the features/control and scalability that we need.
Thanks to all
Can you please provide info on the SSG feature and on how it works? Is it software? Where do I get this? What are the configs you have to put on the router?
I also need to put security on my network. I think your idea will help.