Pix : HTTP authentication on a non-80 tcp port

phima · ‎12-18-2001

Hi all,

I'm trying to find a way to make my PIX perform an HTTP authentication on the port 8080.

I thought that addind a fixup protocol entry for HTTP (fixup protocol http 8080) and an item in my authentication access-list would be sufficient, but I still get a message "Error : You must first authenticate to use this service" instead of a popup logon window.

Everything works fine on the port 80, but I must authenticate on another port to get rid of transparent proxies used by some ISPs (authenticated IP is then the one of the proxy).

Can anyone help ?

Thanks.

Phil.

a-vazquez · ‎12-26-2001

The PIX can only authenticate on TCP, Telnet or FTP standard ports. You will have to authenticate your users to a real port 80 web server that redirects them to port 8080 or something similar.

phima · ‎12-31-2001

In fact, that's what I do, but there are some problems due to transparent proxies used by some ISPs for the port 80... This makes some users authenticate with an IP address on the port 80, and then use another one on the port 8080 (and then, they're not authenticated anymore)...

I'll have to find another solution.

Thanks for your help.

Phil.

mmedwid · ‎03-04-2002

We authenticate http conversations using the pix at many ports other than port 80. Nothing was changed on the fixup protocol end of things.

aaa authentication include http inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+

aaa authorization include tcp/81 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+