New Member

Using AAA on PIX to authenticate inbound HTTP traffic on port 8080 ?

Hi,

I am trying to authenticate inbound HTTP users on a PIX, but with users navigating in their browsers on a port other than 80. The port is in the fixup http list, but the following command does not work:

aaa authentication include http outside 192.168.0.1 255.255.255.0 0 0 authserv

this command works for port 80 but if I try it for another port it does not work.

If I try

aaa authentication include http/8080 outside 192.168.0.1 255.255.255.0 0 0 authserv

it obviously does not work, because it was not designed that way, and

aaa authentication include tcp/8080 outside 192.168.0.1 255.255.255.0 0 0 authserv

freezes the browser, as if it does not connect. So I am thinking that the aaa authentication command should take into consideration the TCP ports mentioned in the fixup protocol list. Or am I missing something?

Thanks for any input!

Olivier

2 REPLIES
Cisco Employee

Re: Using AAA on PIX to authenticate inbound HTTP traffic on port 8080 ?

You shouldn't need any fixup protocol to enable users to access http 8080.

Your problem seems more to be with the user profile on the authserv... have you configured the correct user profile to allow users on TCP/8080?

The correct command on the PIX would be:

aaa authentication include tcp/8080 outside 192.168.0.1 255.255.255.0 0 0 authserv

and not:

aaa authentication include http/8080 outside 192.168.0.1 255.255.255.0 0 0 authserv

R/Yusuf

New Member

Re: Using AAA on PIX to authenticate inbound HTTP traffic on port 8080 ?

The problem is not to enable straight user access to HTTP on port 8080, but rather to authenticate users using the same AAA mechanism, but on port 8080 instead of port 80, as with:

aaa authentication include http outside 192.168.0.1 255.255.255.255 0 0 authserv

but with the "http" keyword taking any HTTP session on a port that is listed in the fixup list; otherwise I don't really see how it could guess that there is HTTP traffic on another port. It would have to open every packet looking for HTTP traffic...

Or a command such as the one I suggested, with http/port#, could help, but this command is not there...
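To put the two replies side by side, here is an added configuration example that is not part of the original thread or of any Cisco documentation. It uses the tcp/8080 form Yusuf gives, together with the surrounding lines a PIX 6.x box would need for an inbound server on port 8080. The server-group type, the inside addresses, the static/access-list lines and the virtual Telnet address are all assumptions. The caveat it encodes is my understanding of PIX 6.x behaviour, not something the thread states: fixup protocol http 8080 only extends the HTTP inspection engine to that port, while the in-band AAA prompt is injected only for Telnet, FTP and HTTP on their standard ports. A service such as tcp/8080 is therefore only allowed once the user already holds a uauth entry from one of those services (or from virtual telnet); until then the 8080 SYN is held back, which is consistent with the hung browser Olivier describes.

```text
! Added example, not from the original thread. Names and addresses are assumptions.

! Server group referenced by the aaa authentication line (TACACS+ assumed)
aaa-server authserv protocol tacacs+
aaa-server authserv (inside) host 10.1.1.5 s3cretkey timeout 10

! Extend HTTP inspection to port 8080. This changes inspection only;
! it does not change which sessions AAA can prompt in.
fixup protocol http 8080

! Inbound path to the web server on 8080 (static and ACL assumed)
static (inside,outside) 192.168.0.1 10.1.1.20 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.168.0.1 eq 8080
access-group outside_in in interface outside

! Rejected by the parser: there is no http/port form of the service keyword
! aaa authentication include http/8080 outside 192.168.0.1 255.255.255.255 0 0 authserv

! Accepted form (Yusuf's reply): require authentication for inbound TCP/8080
aaa authentication include tcp/8080 outside 192.168.0.1 255.255.255.255 0 0 authserv

! Assumption: tcp/8080 is not Telnet, FTP or HTTP, so the PIX cannot prompt
! inside that session. Offer outside users a virtual Telnet address to
! authenticate against first; once the uauth entry exists, 8080 passes.
static (inside,outside) 192.168.0.2 192.168.0.2 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.168.0.2 eq telnet
virtual telnet 192.168.0.2
aaa authentication include telnet outside 192.168.0.2 255.255.255.255 0 0 authserv
```

Usage under these assumptions: an outside user telnets to 192.168.0.2, enters the authserv credentials, sees the PIX close the session, and then browses to http://192.168.0.1:8080/ within the uauth timeout without a further prompt. If the browser still hangs after that, the place to look is the authserv user profile that Yusuf mentions, and the output of show uauth on the PIX.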
