How to authenticate webserver running inside the Firewall using CISCO ACS

anji.reddy · ‎08-07-2003

We are trying to configure ACS to authenticate a webserver running inside the Firewall. Users need to

access webserver using NT/2000 authentication from Internet.

osam · ‎08-07-2003

Well, you have two choices, either to look into the NT/2000 authentication from the server side. As far as I know they will not support TACACS authentication, can support Radius though, 2000 can work with LDAP, but not sure if you can use Cisco ACS for that.

The other option, since it is behind a FW, u use cut-through authentication in PIX, I assume it is a PIX FW, isn't it?

Issue the following commands in the PIX,

(Assume the web server inside local IP address is 192.168.1.10, and outside global IP is 200.200.200.10, ACS is 192.168.1.50)

static (inside, outside) 200.200.200.10 192.168.1.10

!The following line shall be configured by default, you can replace the "TACACS+" auth-group by any other group

aaa-server TACACS+ protocol tacacs+

! You start configuring here, "cisco" is your ACS key

aaa-server TACACS+ (inside) host 192.168.1.50 cisco

! This for the cut-though authentication

aaa authentication include http outside 200.200.200.10 255.255.255.255 0.0.0.0 0.0.0.0 TACACS+

aaa authorization include http outside 200.200.200.10 255.255.255.255 0.0.0.0 0.0.0.0 TACACS+

Please check also the following link for more info on that. I have just posted it awhile ago in another post in this forum... :)

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea9.shtml