Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1348
Views
0
Helpful
1
Replies

Using authentication to control internet access

d-g-c
Level 1
Level 1

‎11-06-2003 03:44 AM - edited ‎03-10-2019 07:33 AM

I'm migrating users from a legacy firewall to a new security infrastructure using PIX 515E's.

We provide Internet access to the public from certain locations and this is currently controlled using a proprietary "authentication client", a piece of software which only allows complete Internet access once a username and password have been entered into the authentication client, the client authenticates the user and configures a temporary firewall rule which allows the PC Internet access for a fixed period of time i.e. 1 hour. After this the access is stopped and the username password must be entered again to allow access.

This facility allows staff at these locations to control when the public get Internet access, but doesn't stop the public from using the PC's for other applications, word processing etc.

I need to replicate this process on the PIX, and I have been trying to use the HTTP authentication proxy along with ACS to authenticate users against our NT domain and then upload an ACL to the PIX that grants them access, this works fine when you are applying more restrictive rules to the client.

My problem with setting this up is that I need to initially deny all Internet access to the client, when the user authenticates via their browser against the PIX and ACS I then want to upload a permit all ACL line to grant them access.

However, if I configure an ACL line that says deny IP any any for this client, the ACS uploaded rule cannot override it, so after authentication the deny rule is still applied.

my other option is to configure a permit ip any any rule for the client, but all this does is restrict browser access, i.e. the pix will prompt for authentication when HTTP access to the net is requested from the client, but the permit any any rule is going to allow the client all other access without authentication, i.e. FTP, POP3, file sharing etc etc.

Is it possible to achieve what I want to do with the PIX?

Is there any other method of authenticating users I can use to acheive my goals?

thanks for any help in advance

Peter.

Labels:
0 Helpful
1 Reply 1

lwierenga
Level 1
Level 1

‎11-09-2003 12:37 AM

Hi, Peter

There is a good article that discribes what you are trying to do.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080193adf.html

Specifically look at the sections below:

Setting Network Access Restrictions for a User

Setting Max Sessions Options for a User

Setting User Usage Quotas Options

Assigning a Downloadable IP ACL to a User

0 Helpful
Customers Also Viewed These Support Documents