Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX AAA Authentication Flaw ?

We have just purchased two PIX 515E units and have an issue, we are using an AAA (RADIUS) server for authentication to authenticate (Via Active Directory) user before they connect to the Internet.

The problem we are experiencing is that the PIX unit seems, Once it has authenticated, it enters in the Authenticated users area (In the PDM) the IP of the machine he / she is on. The problem is that a user can disconnect from the Internet… reboot the machine then someone else logs onto the machine and he or she will not be prompted for authentication? (We feel this is a security flaw in the PIX?)

Is there any way that we can resolve this, or is this just the way the PIX is designed to do this? We feel if there is no solution to this problem that we will have top send back our units to the supplier and find a more suitable product.

3 REPLIES
New Member

Re: PIX AAA Authentication Flaw ?

Hi James,

The pix will authen client based on the incoming IP address. Initiate a "show uauth" command on the pix to verify this.

In your case I'd suggest to reduce the uauth timeout value on the PIX.

related topic

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1026093

HTH

Mike

New Member

Re: PIX AAA Authentication Flaw ?

Thanks for your email, Wew have set absulote to 15mins ( If we lowered it users would be prompting every * minutes whist using it) but as explained I could log of my system and someone else could log on with the 15 mins and still no authentication would be required ?

Is there any way we could authenticate via user rather then IP ?

New Member

Re: PIX AAA Authentication Flaw ?

The most simple way, is to use a proxy server that will authen client based on the rights defined in the user profile.

Otherwise you'll will have to go with PC-software client.

104
Views
0
Helpful
3
Replies
CreatePlease to create content