
Using AAA on PIX to authenticate inbound HTTP traffic on port 8080 ?

olivier.martin
Level 1

Hi,

I am trying to authenticate inbound HTTP users to a PIX, but with users navigating in their browsers on a port other than 80. The port is in the fixup http list, but the following command does not work:

aaa authentication include http outside 192.168.0.1 255.255.255.0 0 0 authserv

This command works for port 80, but if I try it for another port it does not work.

If I try

aaa authentication include http/8080 outside 192.168.0.1 255.255.255.0 0 0 authserv

it obviously does not work because it was not designed this way, and

aaa authentication include tcp/8080 outside 192.168.0.1 255.255.255.0 0 0 authserv

freezes the browser, as if it does not connect. So I am thinking that the aaa authenticate command should take into consideration the TCP ports mentioned in the fixup protocol list. Or am I missing something?

Thanks for any input!

Olivier

2 Replies

yusuff
Cisco Employee

You shouldn't need any fixup protocol to enable users to access HTTP on 8080.

Your problem seems to be more with the user profile on the authserv... have you configured the correct user profile to allow users on TCP/8080?

The correct command on PIX would be:

aaa authentication include tcp/8080 outside 192.168.0.1 255.255.255.0 0 0 authserv

and not:

aaa authentication include http/8080 outside 192.168.0.1 255.255.255.0 0 0 authserv

R/Yusuf

The problem is not to enable straight user access to HTTP on port 8080, but rather to authenticate users using the same aaa mechanism but on port 8080 instead of port 80, as when:

aaa authentication include http outside 192.168.0.1 255.255.255.255 0 0 authserv

but that the "http" keyword takes any HTTP port session that is identified on the fixup list, otherwise I don't really see how it can guess that there is HTTP traffic on another port. It would have to open every packet looking for HTTP traffic.

Or having a command such as the one I suggested, with http/port#, could help, but this command is not there...
