PIX AAA Authentication Flaw ?

jameswestley
Level 1

We have just purchased two PIX 515E units and have an issue: we are using an AAA (RADIUS) server to authenticate users (via Active Directory) before they connect to the Internet.

The problem we are experiencing is that once the PIX has authenticated a user, it enters in the Authenticated Users area (in the PDM) the IP of the machine he/she is on. The problem is that a user can disconnect from the Internet, reboot the machine, and then someone else logs onto the machine and he or she will not be prompted for authentication. (We feel this is a security flaw in the PIX.)

Is there any way that we can resolve this, or is this just the way the PIX is designed to do this? We feel that if there is no solution to this problem, we will have to send our units back to the supplier and find a more suitable product.

3 Replies

mpalardy
Level 3

Hi James,

The PIX will authenticate clients based on the incoming IP address. Run a "show uauth" command on the PIX to verify this.

In your case I'd suggest reducing the uauth timeout value on the PIX.

related topic

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1026093

HTH

Mike
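For readers who want to see what the suggestion above looks like in a PIX 6.3 configuration, here is an added example (not from the thread or from Cisco's documentation). The timeout values, the "jsmith" username and the comment lines are constructed placeholders; PIX configuration does not accept "!" comments, so strip them before pasting.

```text
! Constructed example. The poster's current setting: an authenticated IP stays in
! the uauth table for a fixed 15 minutes regardless of traffic, so a second person
! using the same machine inherits the first user's session until it expires.
timeout uauth 0:15:00 absolute

! Tighter alternative: keep the absolute cap, but add an inactivity timer so the
! entry for an idle IP is dropped soon after the first user stops sending traffic.
! The inactivity value must be shorter than the absolute value. Values are placeholders.
timeout uauth 0:15:00 absolute uauth 0:02:00 inactivity

! Inspect the cached authenticated IPs (the command the reply above mentions):
show uauth

! Drop the cached entry for one user when a shared machine changes hands
! ("jsmith" is a placeholder username):
clear uauth jsmith
```

The inactivity timer narrows the window but does not remove it: the uauth entry is still keyed on the source IP, so a second person who starts using the machine before the entry ages out is still not re-prompted. Checking "show uauth" before and after a user logs off is the quickest way to confirm how long the entry actually survives with a given setting.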

Thanks for your email. We have set absolute to 15 mins (if we lowered it, users would be prompted every * minutes whilst using it), but as explained, I could log off my system and someone else could log on within the 15 mins and still no authentication would be required.

Is there any way we could authenticate via user rather than IP?

The simplest way is to use a proxy server that will authenticate clients based on the rights defined in the user profile.

Otherwise you will have to go with a PC software client.