
PIX 525 / Websense Question.... Can't figure this one out...

tmartin25
Level 1

Ok, so I'm trying to go live with my new Pix 525/websense combo and I have this last little beast to work out.

FTP

With the latest version of PIX (6.3) you "can" direct ftp traffic at the Websense server. Unfortunately that will only take care of authorization and not authentication. It just lets them go if the ftp "protocol" is allowed for the group they're in. Not acceptable!

I need to be able to put people into an NT group that have permission to ftp outbound and have them authenticate through the firewall in order to do it.

The direction I've been attempting is pointing my radius box to the NT group and the PIX to the radius server. I get prompted for authentication now, but it's for the site I'm ftp'ing to, not the firewall/Radius. All I have to do is check the logon as anonymous box and out I go. Before I put the lines in the pix it just let me go straight through, which is also unacceptable. I must have something done wrong or am going the wrong way with this.

Here's the lines I have in the pix for it....

(config)# aaa-server \\bmgs\ftp protocol radius

(config)# aaa-server \\bmgs\ftp (inside) host 129.109.1.1 <shared secret> timeout 5

(config)# access-list ftpauth permit tcp any any eq ftp

(config)# aaa authentication match ftpauth inside \\bmgs\ftp

Any ideas on how I can do this successfully?

Thanks!!!!

1 Reply

drolemc
Level 6

Treat the issues of authorization and URL filtering (using websense) separately. Websense handles 'where'. The AAA server deals with 'who' and 'what'. The PIX Firewall performs a username lookup, and then the Websense server handles URL filtering.
