Cisco Support Community
New Member

2 tier authentication on PIX

Some of our users VPN into a PIX 525; this same PIX handles our web traffic. I need to restrict access to specific web sites using RADIUS. The VPN users are authenticated using RADIUS (ACS3.1), but the problem I face is differentiating between users trying to authenticate their VPN connection and users trying to access the restricted web sites.

The ACS server also runs the VASCO token authentication software which is used to authenticate access to the restricted web sites.

Currently if a VPN user tries to access one of the restricted sites they can use their VPN credentials to access the site.

This is probably more of an ACS question than PIX but you never know!

I basically need ACS to authenticate port 80 requests separately to VPN authentication requests, but both still using RADIUS. Do HTTP authentication requests arrive on a different NAS port to VPN authentication requests?

I don't want to rely on downloadable ACLs, as there are many groups on the ACS servers and I don't have sole control, so other people could add a new group and inadvertently allow access to the restricted sites.

Any Ideas?

