PIX HTTP out- Local Authentication?

0r8it
Level 1

Hi there,

Message description says it all, really. Is there a way to prompt users who wish web access for a username and password from a local authentication database stored on the PIX? I am aware that this can be done using aaa to a RADIUS or TACACS+ box, but what about on the PIX itself? I ask as I'm being informed that it's an easy thing to do on a Checkpoint firewall.

TIA-

Gary

2 Replies

a.kiprawih
Level 7

Hi Gary,

When using PIX Firewall Version 6.3 or higher (not 6.2 or lower), you can enable authentication for pass-through access using the PIX local user database.

The configuration steps are similar to those for configuring a RADIUS/TACACS+ server.

You don't have to use the normal aaa authentication parameters via an ACS/RADIUS server, which normally look like:

aaa-server AuthInbound protocol radius

aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey

What you need is to create a local user on the PIX, then define an aaa authentication parameter that refers to the local database (use the LOCAL keyword), and define the web (http) service as follows:

aaa authentication include 0 0 0 0 LOCAL

aaa authentication include http inside 0 0 0 0 LOCAL

Note:

1. Replace with service such as http, telnet or ftp.

2. Replace with the name of the interface on which you are enabling authentication, as configured with the nameif command.

Ref:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html#wp1016090

AAA Command:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1111727

Rgds,

AK
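
The steps AK describes, written out as one PIX 6.3 sequence (an added example, not part of either post; the user name `webuser1`, the password placeholder, the privilege level and the `timeout uauth` value are assumptions chosen for illustration):

```text
: Added example for PIX 6.3. Lines starting with ":" are comments.
: User name, password and timer values below are constructed placeholders.
:
: 1. Create the account in the PIX local user database.
:    A low privilege level keeps this web-access account from being
:    useful for managing the firewall itself.
username webuser1 password CHANGE-ME-placeholder privilege 0
:
: 2. Require authentication for HTTP from hosts behind the "inside"
:    interface, any source and any destination (0 0 0 0), checked
:    against the local database via the LOCAL keyword.
aaa authentication include http inside 0 0 0 0 LOCAL
:
: 3. Bound how long an authenticated user is cached before the PIX
:    prompts again.
timeout uauth 0:05:00 absolute
:
: 4. Verify from privileged EXEC mode (not configuration mode):
:    list the cached authenticated users, then clear the cache to
:    force the next HTTP request to prompt again.
show uauth
clear uauth
```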

Thanks AK, I'll try this out.

regards,

Gary