Authentication of ICA clients with ACE Server through PIX
Here is the problem:
I have a Citrix server inside and want to authenticate outside users for that service. I have an ACE server installed inside speaking RADIUS. Since PIX can not authenticate traffic other than http, ftp and telnet, I need first to authenticate users on port 80 for example, and then this user can start the ICA connection. So, the reasonable solution would be to add an authentication entry for authentication of all traffic to the Citrix server. Here is the config:
inside address of Citrix: 192.168.1.1
outside address of Citrix: 18.104.22.168
! This is classic static
static (inside, outside) 22.214.171.124 192.168.1.1
! Two conduits, one for auth, second for real traffic
aaa authentication include tcp/0 outside 192.168.1.1 255.255.255.255 0.0.0.0 0.0.0.0 RADIUS
So, everything is OK, the user is authenticated via HTTP, and he can start the ICA client without problems.
BUT, if the user is sitting behind a PAT device (another PIX for example), and he does authentication, then another user CAN start an ICA connection WITHOUT BEING AUTHENTICATED, which is not what I expect.
I have heard that PIX has problems with this and similar issues, meaning that PIX is maintaining these kinds of connections only with SA/DA, not with SA-SP/DA-DP. Can anyone confirm this, and can someone, preferably from Cisco, give some input on how to deal with this kind of problem.
Re: Authentication of ICA clients with ACE Server through PIX
The PIX caches authentication credentials based on source IP address (see sh uauth). The only workaround is to reduce your timeout uauth absolute so the cache doesn't stay up too long. Cisco's TAC should be able to help you with this.
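To make the behaviour in the reply concrete, here is an added model (not Cisco code, not from either poster) of a cut-through proxy cache keyed only by source IP, with the absolute uauth timer as the only thing that evicts an entry. The class and function names and the PAT address 203.0.113.5 are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the uauth behaviour described in the thread: a
# successful RADIUS authentication is cached per source IP, so every host
# sharing a PAT address inherits it until the absolute timer expires.
# UauthCache and pat_scenario are hypothetical names, not PIX commands.


@dataclass
class UauthCache:
    absolute_timeout: int  # seconds, the role of "timeout uauth h:mm:ss absolute"
    entries: dict = field(default_factory=dict)  # src_ip -> (user, auth_time)

    def authenticate(self, src_ip, user, now):
        """Record a successful authentication for src_ip (e.g. via HTTP)."""
        self.entries[src_ip] = (user, now)

    def permitted(self, src_ip, now):
        """Does a new connection from src_ip pass without re-authenticating?
        Keying on src_ip alone (SA/DA, not SA-SP/DA-DP) is the whole issue."""
        entry = self.entries.get(src_ip)
        if entry is None:
            return False
        _user, auth_time = entry
        if now - auth_time >= self.absolute_timeout:
            del self.entries[src_ip]  # absolute timer expired, must re-auth
            return False
        return True


def pat_scenario(absolute_timeout):
    """Two users behind one PAT address (constructed 203.0.113.5).
    Returns (user_a_ica_ok, user_b_ok_without_auth, user_b_ok_after_timeout)."""
    cache = UauthCache(absolute_timeout)
    pat_ip = "203.0.113.5"
    cache.authenticate(pat_ip, "user_a", now=0)  # user A authenticates on port 80
    a_ok = cache.permitted(pat_ip, now=1)  # user A's ICA connection
    b_now = cache.permitted(pat_ip, now=2)  # user B, same PAT IP, never authenticated
    b_later = cache.permitted(pat_ip, now=absolute_timeout + 1)
    return a_ok, b_now, b_later
```

With the default-length timer user B rides on user A's entry; a short absolute timeout only narrows the window, it does not close it, which is why the reply calls it a workaround rather than a fix.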