Incoming HTTP requests authenticated at a boundary PIX using RADIUS pass the authentication credentials on to an IIS web server running Outlook Web Access. The RADIUS authentication at the PIX uses a one-time password; the IIS tries to look this up on the local NT domain and fails.
I'd like to stop the PIX passing the credentials to IIS. In fact I'd like the PIX to authenticate separately, from a different RADIUS server than the IIS. I think that Virtual HTTP will do this, but I can only find configuration examples for outbound use of this command.
First, let me try to explain what the purpose of Virtual HTTP is. The PIX is not passing these credentials to IIS. When a browser requests a web page from a secure site that requires authentication, the web server (IIS) prompts for username and password. The user enters this information in their browser and resends the request, now WITH the credentials being passed on. When you place a PIX in the middle to proxy this request, the PIX requests the credentials, checks them against the RADIUS server and opens the conduit when allowed. The browser thinks this is the IIS server, and so it sends back the request with the credentials the PIX had asked for; the web server can't authenticate these credentials, and so it doesn't serve up the page.
Virtual HTTP eliminates this by authenticating against a dead address (inside, in your case). Since this dead address is not listening on HTTP port 80, the browser fails to connect and sends another HTTP GET WITHOUT the credentials. Since the user already authenticated on the last attempt, the conduit is open to him, so the web server gets this request without interference (no authentication credentials embedded).
So to use this feature, make sure you are running current PIX code. It's been known to be buggy in early releases. Say you already have a static (inside,outside) 184.108.40.206 192.168.1.1 netmask 255.255.255.255 for your web server. Make another static for this dead device you want to authenticate against. Say for example: static (inside,outside) 220.127.116.11 192.168.1.2 netmask 255.255.255.255. Make sure neither address really exists. Add virtual http 18.104.22.168. Now, instruct your users to point their browsers to http://22.214.171.124 and, once they've successfully authenticated, point their browser to http://126.96.36.199 (Of course you can use names and DNS for both of these.)
Look at the examples under the command reference at:
for specifics on the access-lists surrounding these commands and such.
BTW, I've never done this inbound, only outbound, but I can't see why it wouldn't work. Most users don't like the two-step process of this, so you might be better off using a VPN client to get to the local segment; then the user can act normally on the network.
Another option is to just let the user authenticate against the NT database and remove AAA from the PIX. If you do this, you should move the server to a DMZ segment for security.
I'm sure someone else could offer some other workarounds; there are many different ways to get around this.
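A configuration sketch of the setup described in the answer above, as an added example that is not from the original post or from Cisco's documentation. It assumes PIX 6.x access-list syntax (older releases write the aaa authentication line with inbound/outbound in place of the interface name), reuses the answer's inside addresses 192.168.1.1 (IIS) and 192.168.1.2 (dead address), and uses constructed outside addresses 203.0.113.10/.11, a constructed RADIUS host 192.168.1.10 and a placeholder shared secret.

```cisco
: Added example, not from the original post. Outside addresses, the RADIUS
: host and the shared secret are constructed placeholders.
: The RADIUS server the PIX queries is independent of the NT domain that
: IIS authenticates against, which is what the question asks for.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.10 <RADIUS-SHARED-SECRET> timeout 10
: Real web server: outside 203.0.113.10 maps to inside 192.168.1.1
static (inside,outside) 203.0.113.10 192.168.1.1 netmask 255.255.255.255
: Dead address used only for authentication; nothing listens on 192.168.1.2
static (inside,outside) 203.0.113.11 192.168.1.2 netmask 255.255.255.255
: Authenticate inbound HTTP arriving on the outside interface (any source,
: any destination) against the RADIUS server group defined above
aaa authentication include http outside 0 0 0 0 RADIUS
: The PIX answers the credential prompt at the dead address, so the RADIUS
: one-time password is never forwarded to IIS
virtual http 203.0.113.11
: Permit HTTP from the outside to both the web server and the dead address
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.11 eq www
access-group outside_in in interface outside
```

Users browse to http://203.0.113.11 first to authenticate, then to http://203.0.113.10 for Outlook Web Access, which prompts for NT domain credentials as usual.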