
how to require authentication from inbound https connections?

Oct 6th, 2006

hi,


I have an internal web server protected by the PIX. Now I want the PIX to use AAA and ask for authentication when a user tries to connect to the firewall, which, by using a static, sends the request to the web server.


This is my config:

access-list from_outside extended permit icmp any any log
access-list from_outside extended permit tcp any host <mypublicip> eq 11070 log
access-list from_outside extended permit tcp any host <mypublicip> eq https log
access-list from_outside extended deny ip any any log

access-list acl_auth extended permit tcp any any eq https

aaa-server MYAAA protocol radius
aaa-server MYAAA (inside) host 1.0.76.122
 key MYSECRETKEY
 authentication-port 1812
aaa authentication ssh console MYAAA LOCAL
aaa authentication match acl_auth outside MYAAA

auth-prompt prompt Enter your user and pass!
auth-prompt accept YESSSSSSSSSSSSSSSSSSSSSSSSSsss
auth-prompt reject NOOOOOOOOOOOOOOOOOOOOOOo



Now when I try to connect to

https://<mypublicip>

I don't get any Internet Explorer popups, and in my PIX logs I see this line:

%PIX-7-109014: uauth_lookup_net fail for get_np_flow_info()

On the Cisco site it says that I have to use authorization as well, but I don't understand why; I don't even get a popup to type my user/pass.


Also, I'm using FreeRADIUS on a Linux box. Authentication works, because to log into my Cisco I use AAA and I can log in there with no problem.


Any help would be appreciated.

Thank you.

pamirian76 Fri, 10/06/2006 - 06:47

My 2nd question:


If a user from a company that's using PAT gets to the PIX, the PIX will prompt the first user for a user/pass but not the other users, since the user coming from that IP has already authenticated.


How can I force the PIX to ask for a user/pass anyway? I'm not even sure that this can be done...


What's my option if I want all the users coming from the same IP to be authenticated by the PIX?


Thank you!!


kaachary (Cisco Employee) Mon, 10/16/2006 - 13:00

Hi..


Regarding your second question :


Try lowering the uauth timeout on the PIX.


Thanks

Kanishka

kaachary (Cisco Employee) Mon, 10/16/2006 - 13:02

Hi


Regarding your first question :


Change the existing command to:


aaa authentication match acl_auth inside MYAAA


Thanks

Kanishka
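Putting the two replies together, as an added configuration sketch that is not from the thread: the `aaa authentication match` line is the one given in the second reply, while the `timeout uauth` values and the verification commands are my additions (the ACL, server-group and interface names come from the original post; the timer values are assumptions).

```text
! Added example, not from the original thread.

! Cut-through proxy rule as given in the second reply
! (ACL acl_auth and server group MYAAA from the original post).
aaa authentication match acl_auth inside MYAAA

! The uauth cache is keyed by source IP, so every user behind one PAT
! address shares the first user's entry until it expires. Shorter timers
! (per the first reply) limit how long later users ride on that login.
! Values are assumptions; the PIX default is 0:05:00 absolute.
timeout uauth 0:02:00 absolute
timeout uauth 0:01:00 inactivity

! An absolute timer of 0 disables caching, so every new connection must
! authenticate; with HTTP/HTTPS clients this means repeated prompts.
! timeout uauth 0:00:00 absolute

! Check which source IPs currently hold an authenticated entry, and flush
! the cache between tests so each attempt starts unauthenticated.
show uauth
clear uauth
```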
