
PIX AAA HTTPS 6.3.3 SSL annoying popup

mdlv
Level 1

Hello there,

I'm having this awkward problem with IOS 6.3.3 while using AAA authentication. Because the authentication sends an HTTP page asking for userid and password in SSL, I get a popup stating that my SSL certificate does not match the web site I'm trying to reach. For example, I want to go to HTTPS://myfavorite.bank.com, then the PIX sends me an authentication page. My IE6 browser intercepts the SSL certificate and says that PIX.CISCO.COM is not the correct name because it expects the myfavorite.bank.com SSL certificate instead.

I tried to find documentation on the Cisco site and I have not seen anything relating to that problem.

Does anyone have any idea on how to circumvent this problem? This is really annoying, to the point that I might not be able to upgrade IOS on that firewall.

1 Reply

shannong
Level 4

Are you trying to use the Pix to do authentication of users to surf the Internet?

This is a problem regardless of whether or not you upgrade. Prior to the upgrade, you don't have support for authentication of HTTPS or for secure-authentication of HTTP. So without the upgrade, your options are the same as 2, 3, and 4 below.

Your options are:

1. To deal with the annoying popup,

2. Do not authenticate HTTPS traffic,

3. Authenticate using HTTP first so that you're already authenticated to the Pix and the SSL negotiation and form page aren't necessary.

4. Use an actual web filter product to authenticate and filter HTTP/HTTPS traffic.
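
Why the browser raises the popup in the scenario discussed above, as an added example that is not part of the original thread: the client compares the host it requested with the names in the certificate it was handed. The certificate dictionaries are constructed (laid out like the result of Python's `ssl.SSLSocket.getpeercert()`), and the function names are hypothetical.

```python
# Added example: the name check a TLS client performs on the server certificate.
# Both certificates below are constructed for illustration.

def hostname_matches(pattern: str, host: str) -> bool:
    """Case-insensitive label-by-label comparison. A wildcard is accepted
    only as the whole left-most label and never spans a dot."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Require at least three labels so "*.com" is never accepted.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_names(cert: dict) -> list:
    """Names to check: subjectAltName DNS entries if present, otherwise
    the subject commonName (legacy fallback used by older clients)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def check(requested_host: str, cert: dict):
    """Return (ok, names). ok is False when no certificate name covers
    the host the user asked for, which is when the popup appears."""
    names = cert_names(cert)
    ok = any(hostname_matches(n, requested_host) for n in names)
    return ok, names

# Constructed: certificate presented with the firewall's authentication page.
PIX_CERT = {"subject": ((("commonName", "PIX.CISCO.COM"),),)}
# Constructed: certificate the real site would present.
BANK_CERT = {
    "subject": ((("commonName", "myfavorite.bank.com"),),),
    "subjectAltName": (("DNS", "myfavorite.bank.com"),),
}

if __name__ == "__main__":
    for label, cert in (("PIX auth page", PIX_CERT), ("real site", BANK_CERT)):
        ok, names = check("myfavorite.bank.com", cert)
        print(f"{label}: names={names} -> {'match' if ok else 'MISMATCH (popup)'}")
```

The mismatch is the browser working as intended: the user asked for one host and received a certificate issued to another, so the warning goes away only when the authentication step happens outside the HTTPS session (options 2 to 4 above).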