Banner display for internet access through PIX

gibsthomas · ‎01-25-2006

Hi all,

I'm trying to configure Guest access to internet through PIX506E. I would like to make a disclaimer banner for users so that when they try to access the internet, this disclaimer banner appears on their internet brower first and once they accept it, direct them to appropriate website they are trying to browse.

I used auth-prompt command to create a banner and it displays fine when i use a username and password for guest autentication.

My question is whether it is possible to display just the banner without having the guest to enter any autentication credentials.

Any suggestions appreciated..

Thanks

a-vazquez · ‎01-31-2006

PIX Firewall Version 6.3 introduces support for "Message-of-the-Day" (MOTD), EXEC, and login banners, similar to the same feature in Cisco IOS software. The size of banners is only limited by available system memory or Flash memory.

To configure a banner, enter the following command:

banner {exec|login|motd} text

Replace text with the string that you want the system to display. Spaces are allowed but tabs cannot be entered using the CLI. You can dynamically add the host name or domain name of the PIX Firewall by including the strings $(hostname) and $(domain) in the string. Use the exec option to display a banner before the enable prompt is displayed. Use the login option to display the banner before the password login prompt when accessing the PIX Firewall using Telnet. Use the motd option to display a message-of-the-day banner. To configure a banner including multiple lines, enter the banner command once for each line in the banner.

gibsthomas · ‎02-17-2006

Thanks for the reply and sorry for the delay. I thought no one was going to reply to this bizzare question :)..

Well, the purpose of this banner is not for displaying when we telnet, rather to be displayed when users are tryint to access internet through it.

Any ideas how to configure that without autentication being in place?. I can get that to work using 'auth prompt' command if I set up some sort of authentication mechanism for users surfing the internet. My goal is not to set up any authentication but still have that banner working

Thanks,

ROBERT CROOKS · ‎02-23-2006

I understand what you are trying to do, but I think you are considering something more of what a proxy server does. If you want to filter HTTP, you wil need to use Websense (or the other one).

You want the PIX to respond to the first connect of a web browser and then at least prompt the user to continue (if not enter a username and password). The PIX doesn't authenticate ftp or http(s) to anyone but itself. You can authenticate an incoming VPN communication locally or using RADIUS, but I have never seen where you can have the PIX do a challenge/response to an HTTP request traversing the PIX to the outside interface.

Just my 2 cents, but sorry I don't think this is possible.

gibsthomas · ‎03-03-2006

You can make PIX do a challenge/authentication reponse to an HTTP request traversing through the PIX. I know it works because I've done that.

My question was if it is possible to have a banner displayed without having any challenge/authentication reponse. I guess its not possible.