I'm migrating users from a legacy firewall to a new security infrastructure using PIX 515Es.
We provide Internet access to the public from certain locations, and this is currently controlled using a proprietary "authentication client", a piece of software which only allows complete Internet access once a username and password have been entered into it. The client authenticates the user and configures a temporary firewall rule which allows the PC Internet access for a fixed period of time, i.e. 1 hour. After this the access is stopped and the username and password must be entered again to allow access.
This facility allows staff at these locations to control when the public get Internet access, but doesn't stop the public from using the PCs for other applications, word processing etc.
I need to replicate this process on the PIX. I have been trying to use the HTTP authentication proxy along with ACS to authenticate users against our NT domain and then upload an ACL to the PIX that grants them access. This works fine when you are applying more restrictive rules to the client.
My problem with setting this up is that I need to initially deny all Internet access to the client; when the user authenticates via their browser against the PIX and ACS, I then want to upload a "permit all" ACL line to grant them access.
However, if I configure an ACL line that says deny ip any any for this client, the ACS uploaded rule cannot override it, so after authentication the deny rule is still applied.
My other option is to configure a permit ip any any rule for the client, but all this does is restrict browser access, i.e. the PIX will prompt for authentication when HTTP access to the net is requested from the client, but the permit ip any any rule is going to allow the client all other access without authentication, i.e. FTP, POP3, file sharing etc.
Is it possible to achieve what I want to do with the PIX?
Is there any other method of authenticating users I can use to achieve my goals?
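As an added example (not part of the original post, and not taken from Cisco documentation), the following PIX 6.2+ configuration fragment shows the cut-through proxy approach that avoids the "deny ip any any cannot be overridden" problem described above: instead of a static deny, the interface ACL permits the public segment outbound, and an aaa authentication rule covering all IP traffic from that segment makes the PIX hold everything until a uauth entry exists for the source address. The segment 10.20.30.0/24, the ACS server 10.1.1.5, the DNS server 10.1.1.10, the server tag ACS, the ACL names and the shared secret are assumed values.

```cisco
! Added example, not the poster's configuration. Assumed values:
! public PC segment 10.20.30.0/24 on the inside interface, ACS at 10.1.1.5,
! internal DNS server 10.1.1.10, server tag ACS, RADIUS shared secret "secret".
!
! 1. AAA server. RADIUS is assumed because per-user (downloadable) ACLs
!    from ACS are delivered over RADIUS; TACACS+ also works for plain
!    cut-through authentication.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.5 secret timeout 5
!
! 2. Interface ACL: permit the public segment outbound. No static deny for
!    the clients; the authentication requirement below is what blocks them
!    until they log in, so nothing has to be "overridden" afterwards.
access-list OUTBOUND permit ip 10.20.30.0 255.255.255.0 any
access-group OUTBOUND in interface inside
!
! 3. Authentication ACL. In a match ACL, permit = traffic must be
!    authenticated, deny = traffic is exempt. DNS to the internal resolver is
!    exempted so the browser can resolve the first site name before the user
!    has authenticated; every other protocol from the segment (FTP, POP3,
!    file sharing, ...) is dropped until the user has a uauth entry.
access-list PUBLIC_AUTH deny udp 10.20.30.0 255.255.255.0 host 10.1.1.10 eq domain
access-list PUBLIC_AUTH permit ip 10.20.30.0 255.255.255.0 any
aaa authentication match PUBLIC_AUTH inside ACS
!
! 4. Fixed one-hour session regardless of activity (absolute, not idle).
!    When it expires the uauth entry is removed and the next HTTP request
!    from that PC is challenged for credentials again.
timeout uauth 1:00:00 absolute
```

Two caveats a practitioner should know: only the authenticable protocols (HTTP, FTP and Telnet) can carry the credential prompt, so a user who starts with an e-mail client gets nothing until they open a browser and log in, after which all traffic from that IP is passed for the uauth lifetime; and the uauth entry is keyed on the source IP address, so anyone at that PC shares the session, which matches the staff-controlled model described in the post. `show uauth` lists the authenticated addresses and their remaining time, and `clear uauth` ends a session early.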