Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Using authentication to control internet access

I'm migrating users from a legacy firewall to a new security infrastructure using PIX 515E's.

We provide Internet access to the public from certain locations and this is currently controlled using a proprietary "authentication client", a piece of software which only allows complete Internet access once a username and password have been entered into the authentication client, the client authenticates the user and configures a temporary firewall rule which allows the PC Internet access for a fixed period of time i.e. 1 hour. After this the access is stopped and the username password must be entered again to allow access.

This facility allows staff at these locations to control when the public get Internet access, but doesn't stop the public from using the PC's for other applications, word processing etc.

I need to replicate this process on the PIX, and I have been trying to use the HTTP authentication proxy along with ACS to authenticate users against our NT domain and then upload an ACL to the PIX that grants them access, this works fine when you are applying more restrictive rules to the client.

My problem with setting this up is that I need to initially deny all Internet access to the client, when the user authenticates via their browser against the PIX and ACS I then want to upload a permit all ACL line to grant them access.

However, if I configure an ACL line that says deny IP any any for this client, the ACS uploaded rule cannot override it, so after authentication the deny rule is still applied.

my other option is to configure a permit ip any any rule for the client, but all this does is restrict browser access, i.e. the pix will prompt for authentication when HTTP access to the net is requested from the client, but the permit any any rule is going to allow the client all other access without authentication, i.e. FTP, POP3, file sharing etc etc.

Is it possible to achieve what I want to do with the PIX?

Is there any other method of authenticating users I can use to acheive my goals?

thanks for any help in advance


New Member

Re: Using authentication to control internet access

Hi, Peter

There is a good article that discribes what you are trying to do.

Specifically look at the sections below:

Setting Network Access Restrictions for a User

Setting Max Sessions Options for a User

Setting User Usage Quotas Options

Assigning a Downloadable IP ACL to a User

CreatePlease login to create content