Cisco Support Community

PIX 525 / Websense Question.... Can't figure this one out...

Ok, so I'm trying to go live with my new Pix 525/websense combo and I have this last little beast to work out.


With the latest version of PIX (6.3) you "can" direct ftp traffic at the Websense server. Unfortunately that will only take care of authorization and not authentication. It just lets them go if the ftp "protocol" is allowed for the group they're in. Not acceptable!

I need to be able to put people into an NT group that have permission to ftp outbound and have them authenticate through the firewall in order to do it.

The direction I've been attempting is pointing my radius box to the NT group and the PIX to the radius server. I get prompted for authentication now, but it's for the site I'm ftp'ing to, not the firewall/Radius. All I have to do is check the "logon as anonymous" box and out I go. Before I put the lines in the pix it just let me go straight through, which is also unacceptable. I must have something done wrong or am going the wrong way with this.

Here's the lines I have in the pix for it....

(config)# aaa-server \\bmgs\ftp protocol radius

(config)# aaa-server \\bmgs\ftp (inside) host <shared secret> timeout 5

(config)# access-list ftpauth permit tcp any any eq ftp

(config)# aaa authentication match ftpauth inside \\bmgs\ftp

Any ideas on how I can do this successfully?



Re: PIX 525 / Websense Question.... Can't figure this one out...

Treat the issues of authorization and URL filtering (using websense) separately. Websense handles 'where'. The AAA server deals with 'who' and 'what'. The PIX Firewall performs a username lookup, and then the Websense server handles URL filtering.
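Added example, not code from either poster and not PIX code: a small Python model of what a cut-through proxy does with an outbound FTP login once an `aaa authentication match` rule has hit the connection, keeping the reply's "who/what" (AAA) step separate from the "where" (Websense) step. It assumes the firewall-user@remote-user / firewall-password@remote-password login form that the PIX 6.x documentation describes for FTP through the cut-through proxy; the credential store, the `ftp-out` group name, the user names and the FTP replies are all constructed for the example and stand in for the RADIUS server and the NT group behind it.

```python
"""
Constructed model of PIX-style cut-through proxy authentication for
outbound FTP.  The firewall credential is split off the FTP USER/PASS
arguments, checked against a local store (stand-in for RADIUS + NT group),
and only then are the remote credentials forwarded to the FTP server.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed credential store replacing the RADIUS server / NT group lookup.
# Passwords are kept as salted digests only so the example holds no plaintext.
_SALT = b"example-salt"


def _digest(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


FIREWALL_USERS = {
    "alice": {"digest": _digest("alice-fw-pass"), "groups": {"ftp-out"}},
    "bob":   {"digest": _digest("bob-fw-pass"),   "groups": {"web-only"}},
}


@dataclass
class FtpLogin:
    fw_user: str
    fw_pass: str
    remote_user: str
    remote_pass: str


def split_cut_through(user_arg: str, pass_arg: str) -> FtpLogin:
    """Split `fwuser@remoteuser` / `fwpass@remotepass` (PIX FTP login form).

    Split on the FIRST '@' of each argument, so the remote username or
    password may itself contain '@' (anonymous FTP passwords are often
    e-mail addresses).  A plain login with no '@' carries no firewall
    credential and is rejected rather than passed through.
    """
    if "@" not in user_arg or "@" not in pass_arg:
        raise ValueError("firewall credentials required: fwuser@remoteuser / fwpass@remotepass")
    fw_user, _, remote_user = user_arg.partition("@")
    fw_pass, _, remote_pass = pass_arg.partition("@")
    if not fw_user or not fw_pass:
        raise ValueError("empty firewall username or password")
    return FtpLogin(fw_user, fw_pass, remote_user, remote_pass)


def authenticate(login: FtpLogin) -> bool:
    """'Who': verify the firewall credential (RADIUS stand-in)."""
    rec = FIREWALL_USERS.get(login.fw_user)
    # Always run the comparison so unknown users do not short-circuit timing.
    expected = rec["digest"] if rec else _digest("")
    ok = hmac.compare_digest(_digest(login.fw_pass), expected)
    return ok and rec is not None


def authorize_ftp(login: FtpLogin, required_group: str = "ftp-out") -> bool:
    """'What': is the authenticated firewall user in the outbound-FTP group?"""
    rec = FIREWALL_USERS.get(login.fw_user)
    return rec is not None and required_group in rec["groups"]


def proxy_ftp_login(user_arg: str, pass_arg: str) -> tuple[bool, str, list[str]]:
    """Handle one USER/PASS pair as a cut-through proxy would.

    Returns (allowed, reply_to_client, commands_forwarded_to_server).
    On any failure nothing is forwarded, so the remote server never sees
    a login attempt and the client never gets the server's anonymous option.
    """
    try:
        login = split_cut_through(user_arg, pass_arg)
    except ValueError as exc:
        return False, f"530 {exc}", []
    if not authenticate(login):
        return False, "530 firewall authentication failed", []
    if not authorize_ftp(login):
        return False, "530 user not authorized for outbound FTP", []
    forwarded = [f"USER {login.remote_user}", f"PASS {login.remote_pass}"]
    return True, "230 firewall authentication ok", forwarded


if __name__ == "__main__":
    for u, p in [("alice@ftpuser", "alice-fw-pass@ftppass"),
                 ("bob@ftpuser", "bob-fw-pass@ftppass"),
                 ("anonymous", "user@example.com")]:
        print(u, "->", proxy_ftp_login(u, p))
```

The point the model makes is ordering: the firewall half of the credential is checked (authentication) and the group checked (authorization) before any FTP command reaches the remote server, which is why a plain `anonymous` login with no firewall credential is refused instead of being handed to the remote site.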