Issue: Users accessing http authenticating via ACS-NT 2.4 off of a PIX 520.
At times, all users are not presented with a challenge to authenticate until we reboot the PIX. ACS is functioning fine at these times. At other times, the user is challenged three times for authentication, which continues to appear to fail, but then has access once the browser is closed and reopened. Any ideas? Are there rules governing AAA rule order in the PIX (i.e., include must come before exclude, etc.)? Thanks.
I'm not using a Pix firewall, but I have encountered the same problem when using the CBAC auth-proxy feature for authentication and authorization.
The first time I installed the CiscoSecure ACS Server, my clients received a challenge just one time, and then no more challenges were received.
The auth-proxy feature sets a timeout on the connections which authenticate. Then, if you clear the cache (router# clear ip auth-proxy cache *), users start receiving a challenge from the browser.
Instead of rebooting the PIX, try to locate the respective cache for authentication and reduce the default timeout. In the case of CBAC, the auth-proxy default timeout is 120 minutes. I have reduced this timeout to 10 minutes.
The process is as follows:
1. A user starts a new http session, and a challenge is presented.
2. The user continues browsing as normal.
3. If a user stops browsing, the timeout starts running for 10 minutes.
4. Then, when the user returns after 10 minutes, a challenge is presented and the process starts again.
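The four-step cycle above is an inactivity-timeout cache: a client that has authenticated is not challenged again until it has been idle longer than the timeout, or until the cache is cleared. The following model, added here as an illustration and not Cisco code or anything from the thread, replays one constructed client timeline against the 120-minute default and the reduced 10-minute timeout so the difference described in the answer is visible. The client address, timestamps and the `AuthCache`/`simulate` names are assumptions made for the example.

```python
"""Model of an inactivity-timeout authentication cache (the behaviour the
IOS auth-proxy cache shows in the thread). Constructed example, not Cisco code."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (client_ip, time in seconds, "request" or "clear")
Event = Tuple[str, int, str]


@dataclass
class AuthCache:
    timeout: int                                           # inactivity timeout, seconds
    entries: Dict[str, int] = field(default_factory=dict)  # client_ip -> last activity time

    def handle_request(self, client_ip: str, now: int, creds_ok: bool = True) -> str:
        """Return what the client sees for one HTTP request at time `now`."""
        last = self.entries.get(client_ip)
        if last is not None and now - last < self.timeout:
            self.entries[client_ip] = now   # any activity refreshes the idle timer
            return "pass"
        # No entry, or the entry has been idle for at least `timeout`: challenge.
        if creds_ok:
            self.entries[client_ip] = now   # successful login is cached
            return "challenge"
        self.entries.pop(client_ip, None)   # failed login leaves nothing cached
        return "challenge-failed"

    def clear(self) -> None:
        """Model of 'clear ip auth-proxy cache *': every client is re-challenged."""
        self.entries.clear()


def simulate(timeout: int, events: List[Event]) -> List[str]:
    """Replay a timeline against a cache with the given timeout (seconds)."""
    cache = AuthCache(timeout)
    results: List[str] = []
    for client_ip, t, action in events:
        if action == "clear":
            cache.clear()
            results.append("cleared")
        else:
            results.append(cache.handle_request(client_ip, t))
    return results


# Constructed timeline for a single client; the gap before t=1200 is 700 s idle.
SCENARIO: List[Event] = [
    ("10.0.0.5", 0, "request"),
    ("10.0.0.5", 60, "request"),
    ("10.0.0.5", 500, "request"),
    ("10.0.0.5", 1200, "request"),
    ("10.0.0.5", 1300, "request"),
    ("-", 1310, "clear"),
    ("10.0.0.5", 1320, "request"),
]


def compare_timeouts() -> Dict[str, List[str]]:
    """Same timeline under the 120-minute default and the 10-minute setting."""
    return {
        "default_120min": simulate(120 * 60, SCENARIO),
        "reduced_10min": simulate(10 * 60, SCENARIO),
    }


if __name__ == "__main__":
    for name, outcome in compare_timeouts().items():
        print(name, outcome)
```

With the 120-minute default the client is challenged only at the first request and again after the cache is cleared, which matches the "only one challenge, then nothing" symptom; with 10 minutes the 700-second idle gap produces a fresh challenge. A shorter timeout also shortens how long a cached entry keeps granting access after a user walks away from a shared workstation, which is the security reason for reducing it rather than only the convenience one.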