11-06-2003 03:44 AM - edited 03-10-2019 07:33 AM
I'm migrating users from a legacy firewall to a new security infrastructure using PIX 515E's.
We provide Internet access to the public from certain locations, and this is currently controlled using a proprietary "authentication client", a piece of software which only allows complete Internet access once a username and password have been entered into it. The client authenticates the user and configures a temporary firewall rule which allows the PC Internet access for a fixed period of time, i.e. 1 hour. After this the access is stopped and the username and password must be entered again to allow access.
This facility allows staff at these locations to control when the public get Internet access, but doesn't stop the public from using the PCs for other applications, word processing etc.
I need to replicate this process on the PIX. I have been trying to use the HTTP authentication proxy along with ACS to authenticate users against our NT domain and then upload an ACL to the PIX that grants them access. This works fine when you are applying more restrictive rules to the client.
My problem with setting this up is that I need to initially deny all Internet access to the client; when the user authenticates via their browser against the PIX and ACS, I then want to upload a "permit all" ACL line to grant them access.
However, if I configure an ACL line that says deny IP any any for this client, the ACS uploaded rule cannot override it, so after authentication the deny rule is still applied.
My other option is to configure a permit ip any any rule for the client, but all this does is restrict browser access, i.e. the PIX will prompt for authentication when HTTP access to the net is requested from the client, but the permit any any rule is going to allow the client all other access without authentication, i.e. FTP, POP3, file sharing etc.
Is it possible to achieve what I want to do with the PIX?
Is there any other method of authenticating users I can use to achieve my goals?
Thanks for any help in advance.
Peter.
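As an added illustration of the setup described in this post (constructed example, not configuration from the thread; the ACS address, shared secret, and ACL names are placeholders), here is the PIX 6.3 side with the HTTP authentication trigger and the interface ACL, followed by the downloadable ACL attribute ACS returns on a successful login:

```text
! --- PIX side (constructed example; addresses, secret and names are placeholders) ---
! RADIUS server group pointing at ACS
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.5 <shared-secret> timeout 10

! Traffic that triggers the HTTP authentication prompt (web traffic only)
access-list AUTH_HTTP permit tcp any any eq www
aaa authentication match AUTH_HTTP inside ACS

! Interface ACL on the public-PC segment.
! Option 1 (the problem reported above): the deny stays in effect after
! authentication, because the downloaded per-user permit cannot override it.
access-list PUBLIC_IN deny ip any any
! Option 2 (also reported above): permit-all lets every non-HTTP protocol
! (FTP, POP3, file sharing) through without any authentication at all.
! access-list PUBLIC_IN permit ip any any
access-group PUBLIC_IN in interface inside

! --- ACS side: downloadable ACL sent as a Cisco AV-pair on successful login ---
! ip:inacl#1=permit ip any any
```

Caveat for anyone reading this later: PIX 7.0 and ASA software add a per-user-override keyword to access-group so that a downloaded ACL takes precedence over the interface ACL for the authenticated host; on 6.x the behaviour described in the post is what you get, so confirm the access-group syntax for your release before designing around it.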
11-09-2003 12:37 AM
Hi, Peter
There is a good article that describes what you are trying to do.
Specifically look at the sections below:
Setting Network Access Restrictions for a User
Setting Max Sessions Options for a User
Setting User Usage Quotas Options
Assigning a Downloadable IP ACL to a User