Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Authentication of ICA clients with ACE Server through PIX

Here is the problem:

I have Citrix server inside and want to authenticate outside users for that service. A have ACE server installed inside speaking RADIUS. Since PIX can not autheticate traffic other than http, ftp and telnet, I need first to authenticate users on port 80 for example, and then this user can start ICA connection. So, the reasonable solution would be to add authentication entry for authentication of all traffic to Citrix server. Here is config:

inside address of Citrix: 192.168.1.1

outside address of Citrix: 99.99.99.1

! This is classic static

static (inside, outside) 99.99.99.1 192.168.1.1

! Two conduits, one for auth, second for real traffic

conduit permit tcp host 99.99.99.1 eq 80 any

conduit permit tcp host 99.99.99.1 eq 1494 any

! Defining RADIUS server

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 192.168.1.2 ***** timeout 5

! Defining traffic to authenticate

aaa authentication include tcp/0 outside 192.168.1.1 255.255.255.255 0.0.0.0 0.0.0.0 RADIUS

So, everything is OK, user is autheticated via HTTP, and he can start ICA client without problems.

BUT, if user is seeting behind PAT device (another PIX for example), and he do authentication, then another user CAN start ICA connection WITHOUT BEING AUTHENTICATED, which is not what I expect.

I have heard that PIX have problems with this and similiar issues, meaning that PIX is maintaing these kind of connections only with SA/DA, not with SA-SP/DA-DP. Can anyone confirm this, and can someone preferabaly from Cisco give some input how to deal with this kind of problems.

Thanks in advance

Sasa Vidanovic

3 REPLIES
Bronze

Re: Authentication of ICA clients with ACE Server through PIX

The PIX caches authentication credentials based on source IP address (see sh uauth). The only workaround is to reduce your timeout uauth absolute so the cache doesn’t stay up too long. Cisco’s TAC should be able to help you with this

New Member

Re: Authentication of ICA clients with ACE Server through PIX

Thanks, I have already opened a case with TAC. We will see ...

New Member

Re: Authentication of ICA clients with ACE Server through PIX

hello sidanovic,

dit you have any response from TAC ? i am very interessing to know. what is with vpn(cisco vpn product with citrix?)

thanx

143
Views
0
Helpful
3
Replies
CreatePlease to create content