We're moving away from an inbound authentication/authorisation scheme (which takes place within an unencrypted HTTP session) to one that takes place at the HTTPS level, at the target website (within the encrypted HTTPS session).
PIX Version 5.2(5) ... the config includes a slew of exclusions from the current aaa, anyway, to account for some customer proxies that don't behave nicely, like this:
...
aaa authentication exclude tcp/443 outside 192.168.1.0 255.255.255.0 some.un.nice.proxy 255.255.255.255 TACACS+
aaa authentication exclude tcp/443 outside 192.168.1.0 255.255.255.0 someother.un.nice.proxy 255.255.255.255 TACACS+
... etc ...
followed by the 'kicker':
aaa authentication include tcp/443 outside 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0 TACACS+
Finally, the question: I THINK I can do the following:
IF I remove the 'include' lines ... I think that opens up the HTTPS protocol through the PIX (subject to all the other 'conduit permit' lines).
Then test to make sure allowed traffic is still allowed and denied traffic is still denied ...
Then I can leisurely remove all of the other aaa-server lines.
All without affecting ongoing customer sessions.
Just looking for a confirmation on my supposition.
Comments?
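As an added example (not part of the original post, and not Cisco's code), here is a small model of how the quoted `aaa authentication include/exclude` lines select flows, so the proposed change (dropping only the 'include' line) can be checked against sample flows before touching the PIX. It assumes PIX semantics where a flow matching any 'exclude' line is never authenticated and is otherwise authenticated only if it matches an 'include' line; the config text is a constructed copy of the lines quoted above, with the proxy hostnames kept as written.

```python
"""Model of PIX 'aaa authentication include/exclude' matching (assumed semantics)."""
import ipaddress
import shlex

# Constructed sample, mirroring the lines quoted in the post.
CONFIG_BEFORE = """
aaa authentication exclude tcp/443 outside 192.168.1.0 255.255.255.0 some.un.nice.proxy 255.255.255.255 TACACS+
aaa authentication exclude tcp/443 outside 192.168.1.0 255.255.255.0 someother.un.nice.proxy 255.255.255.255 TACACS+
aaa authentication include tcp/443 outside 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0 TACACS+
"""


def _addr_matches(token, mask, host):
    """Match a host (IP string or name) against an address/mask pair from the config."""
    if mask == "0.0.0.0":
        return True  # '0.0.0.0 0.0.0.0' means any host
    try:
        net = ipaddress.ip_network(f"{token}/{mask}", strict=False)
    except ValueError:
        return token == host  # a hostname entry matches only that exact name
    try:
        return ipaddress.ip_address(host) in net
    except ValueError:
        return False  # a name never matches a numeric network


def parse_aaa(config):
    """Return (action, service, interface, src, smask, dst, dmask) for each aaa line."""
    rules = []
    for line in config.splitlines():
        f = shlex.split(line)
        if f[:2] == ["aaa", "authentication"] and f[2] in ("include", "exclude"):
            rules.append((f[2], f[3], f[4], f[5], f[6], f[7], f[8]))
    return rules


def needs_auth(config, service, interface, src, dst):
    """True if the PIX would demand authentication for this flow (assumed: exclude wins)."""
    rules = parse_aaa(config)

    def hit(action):
        return any(a == action and svc == service and ifc == interface
                   and _addr_matches(s, sm, src) and _addr_matches(d, dm, dst)
                   for a, svc, ifc, s, sm, d, dm in rules)

    return False if hit("exclude") else hit("include")


def without_includes(config):
    """The proposed change: keep everything except the 'include' lines."""
    return "\n".join(l for l in config.splitlines()
                     if " authentication include " not in l)
```

Running `needs_auth` on the same flows before and after `without_includes` shows which sessions currently get challenged and confirms none do once the 'include' line is gone.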