12-15-2000 09:40 AM - edited 02-20-2020 09:46 PM
Current problem:
Incoming HTTP requests authenticated at a boundary PIX using RADIUS pass the authentication credentials on to an IIS web server running Outlook Web Access. The RADIUS authentication at the PIX uses a one-time password; the IIS tries to look this up on the local NT domain and fails.
I'd like to stop the PIX passing the credentials to IIS. In fact I'd like the PIX to authenticate separately from a different RADIUS server than the IIS. I think that Virtual HTTP will do this but can only find configuration examples for outbound use of this command.
Any help appreciated
Richard
12-26-2000 08:11 AM
First, let me try to explain what the purpose of Virtual HTTP is. The PIX is not passing these credentials to IIS. When a browser requests a web page from a secure site that requires authentication, the web server (IIS) prompts for username and password. The user enters this information on their browser and resends the request, now WITH the credentials being passed on. When you place a PIX in the middle to proxy this request, the PIX requests the credentials, checks them against the RADIUS server and opens the conduit when allowed. The browser thinks this is the IIS server and so it sends back the request with the credentials the PIX had asked for; the web server can't authenticate these credentials and so it doesn't serve up the page.
Virtual HTTP eliminates this by authenticating against a dead address (inside in your case). Since this dead address is not listening on http port 80, the browser fails to connect and sends another http get WITHOUT the credentials. Since the user already authenticated on the last attempt, the conduit is open to him so the web server gets this request without interference (no authentication credentials embedded).
So to use this feature make sure you are running on current PIX code. It's been known to be buggy in early releases. Say you already have a static (inside,outside) 200.1.1.1 192.168.1.1 netmask 255.255.255.255 for your web server. Make another static for this dead device you want to authenticate against. Say for example: static (inside,outside) 200.1.1.2 192.168.1.2 netmask 255.255.255.255. Make sure neither address really exists. Add virtual http 200.1.1.2. Now, instruct your users to point their browsers to http://200.1.1.2 and once they've successfully authenticated, point their browser to http://200.1.1.1 (of course you can use names and DNS for both of these).
Look at the examples under the command reference at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid223377
for specifics on the access-lists surrounding these commands and such.
BTW, I've never done this inbound, only outbound, but I can't see why it wouldn't work. Most users don't like the two-step process of this, so you might be better off using a VPN client to get to the local segment and then the user can act normally on the network.
Another option is to just let the user authenticate against the NT database and remove AAA from the PIX. If you do this, you should move the server to a DMZ segment for security.
I'm sure someone else could offer some other workarounds; there are many different ways to get around this.
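A configuration sketch, added here and not taken from the reply above, that puts the pieces of the answer together for the inbound case: the two statics, a conduit for each global address, a RADIUS server group for the PIX that is separate from the NT domain IIS uses, the inbound HTTP authentication rule, and the virtual http address. The addresses 200.1.1.1/192.168.1.1 and 200.1.1.2/192.168.1.2 are the ones from the reply; the RADIUS server address, shared key and group tag PIXRADIUS are placeholders, and the argument order of the aaa-server and aaa authentication include lines is assumed from PIX 5.x syntax, so verify it against the command reference linked in the reply before applying it.

```text
! Existing translation for the real web server (addresses from the reply)
static (inside,outside) 200.1.1.1 192.168.1.1 netmask 255.255.255.255
conduit permit tcp host 200.1.1.1 eq www any

! Second translation for the "dead" address used only for authentication.
! 192.168.1.2 must not exist on the inside network and nothing may listen
! on port 80 there, otherwise the browser's retry would succeed with the
! credentials still attached and the trick would not work.
static (inside,outside) 200.1.1.2 192.168.1.2 netmask 255.255.255.255
conduit permit tcp host 200.1.1.2 eq www any

! RADIUS server the PIX authenticates against (placeholder address and key).
! This is deliberately not the NT domain that IIS uses, so a one-time
! password accepted here is never presented to IIS.
aaa-server PIXRADIUS protocol radius
aaa-server PIXRADIUS (inside) host 192.168.1.250 RADIUS_KEY_PLACEHOLDER timeout 10

! Require authentication for inbound HTTP arriving on the outside interface.
! 0 0 0 0 matches any local and any foreign address; narrow it to the
! web server's address range once the flow is confirmed to work.
aaa authentication include http outside 0 0 0 0 PIXRADIUS

! Send the authentication prompt from the dead address instead of the
! real server; the browser's follow-up GET to 200.1.1.2 fails, and the
! user then browses to 200.1.1.1 with no Authorization header attached.
virtual http 200.1.1.2
```

The point to check after applying this is the sequence the reply describes: a first browser hit on http://200.1.1.2 should produce the PIX's authentication prompt and, on success, a failed connection (nothing listens there), and a subsequent hit on http://200.1.1.1 should reach IIS with no Authorization header, so that IIS issues its own NT-domain prompt. If IIS still rejects the request, the browser is still sending the PIX credentials, which usually means the dead address is answering on port 80 or the virtual http line is missing.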