10-03-2006 04:28 AM - edited 02-21-2020 10:16 AM
I want my local LAN users to be authenticated through the PIX before accessing any web/outbound services.
I do not want to use any external authentication servers.
Is that possible?
10-03-2006 04:58 AM
It is possible. This guide will get you started:
HTH pls rate!
10-03-2006 07:38 PM
Hello,
Thanks for replying
What you say is virtual telnet and virtual http:
I will try these commands:
aaa-server LOCAL protocol LOCAL
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq www
aaa authentication match 101 outside LOCAL
virtual telnet freepublicip
virtual http freeprivateip
username xxx password yyy privilege 15
username xx1 password yyy privilege 15
So this LAN traffic will get a local authentication prompt when they try to use any of these services outbound.
Incoming server or VPN traffic should not be affected by this config.
I would have about 70 users accessing internet, telnet etc.
I would also add a filtering server for content filtering.
Will that affect the PIX performance if I do this local authentication for this many users?
Anything else that I may need?
Raj
10-04-2006 06:42 AM
This is also called cut-through proxy. Telnet, FTP and WWW are interactive protocols supported by the PIX; for other protocols you have to use virtual telnet. I think the following configuration is good enough; also make sure the authentication is applied on the inside interface for outbound traffic.
aaa-server LOCAL protocol LOCAL
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq www
aaa authentication match 101 inside LOCAL
username xxx password yyy privilege 15
username xx1 password yyy privilege 15
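As an added example (not part of the thread or Cisco's tooling), a small lint over the two snippets above that flags the mistake the reply points out (authentication matched on the outside interface while the LAN is on inside) and the interactive-protocol caveat; the samples are the configs posted above, and the interface name and protocol set are assumptions taken from the reply.

```python
import re

# Constructed samples: the two snippets posted in this thread, the first with
# the authentication rule on the outside interface, the second corrected.
FIRST_POST = """\
aaa-server LOCAL protocol LOCAL
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq www
aaa authentication match 101 outside LOCAL
virtual telnet freepublicip
virtual http freeprivateip
username xxx password yyy privilege 15
"""
CORRECTED_POST = FIRST_POST.replace("match 101 outside", "match 101 inside")

# Protocols the PIX cut-through proxy can prompt on directly (per the reply
# above); anything else needs a 'virtual telnet' address to authenticate to.
INTERACTIVE = {"telnet", "ftp", "www", "http"}

ACL_RE = re.compile(r"^access-list (\S+) permit tcp \S+ \S+ eq (\S+)$")
AUTH_RE = re.compile(r"^aaa authentication match (\S+) (\S+) (\S+)$")

def lint_cut_through(config: str, lan_interface: str = "inside") -> list:
    """Return a list of findings for a PIX cut-through proxy snippet."""
    acl_ports, servers, auth_rules = {}, set(), []
    has_virtual_telnet = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acl_ports.setdefault(m.group(1), set()).add(m.group(2))
        elif line.startswith("aaa-server "):
            servers.add(line.split()[1])
        elif line.startswith("virtual telnet "):
            has_virtual_telnet = True
        elif m := AUTH_RE.match(line):
            auth_rules.append(m.groups())
    findings = []
    for acl, iface, server in auth_rules:
        if iface != lan_interface:
            findings.append(f"ACL {acl}: authentication applied on '{iface}', "
                            f"but outbound LAN traffic enters on '{lan_interface}'")
        if server not in servers:
            findings.append(f"ACL {acl}: aaa-server group '{server}' is not defined")
        other = acl_ports.get(acl, set()) - INTERACTIVE
        if other and not has_virtual_telnet:
            findings.append(f"ACL {acl}: non-interactive services {sorted(other)} "
                            "matched without a 'virtual telnet' address")
    if not auth_rules:
        findings.append("no 'aaa authentication match' rule found")
    return findings
```

Run against the first snippet it reports the interface mismatch only; against the corrected one it reports nothing.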