
New Member

User auth thru PIX / ACS - Risk with PAT or Proxy ?

Our environment:

1 Internet access

1 local PIX 515 with AAA to 1 Cisco ACS with RSA/ACE

x local Web servers

Our need is to authenticate remote Internet users (with a SecurID card) requesting access to our internal Web servers.

After authentication succeeds, ACS allows some authorization rules to be opened for the user on the PIX, (so far a usual config...)

We discovered that if the remote Internet user is coming from a LAN using a Proxy or PAT system, a second user on the same LAN (arriving at the PIX with the same source IP address) can have access to our Web servers without authentication!!! (if the first user has already gained access to the network)

Please advise us, as it looks like a serious security risk.

Is there a way on the PIX to avoid this ?

New Member

Re: User auth thru PIX / ACS - Risk with PAT or Proxy ?

Unfortunately, as of just a couple of months ago when I had a similar project, per Cisco there is not a way to avoid this. Here's why: when the PIX authenticates a user, it is authenticating a session for all ports from that source IP address. This is because the users will be accessing multiple (network) applications, and thus multiple ports, during their authenticated session. If the PIX were to authenticate on a port-by-port basis, then a user would have to authenticate a new session at least once or twice for every (network) application they intend to use.

The hard fact is that the PIX just sees that source ip address and destination ip address for this AAA authentication, and that is it. My specific project was with a Citrix server - users would log onto a Citrix server and run their applications from there. So all internet traffic was being sourced from the ip address of the Citrix server, and the PIX would only see the first user.

End result: for AAA authentication, all sessions that originate from the same source ip address will be treated as one user, and only the first one through will have to authenticate. The PIX just sees this as a very busy user, making use of a very large number of ports.

If anyone knows of any new developments within the last couple of months that would be great, but this is how it stood as of June 2001.

Good luck!
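To make the mechanism in the reply concrete, here is an added simulation (not Cisco's code and not from either poster) of an authentication cache keyed on the source address, with two inside hosts leaving a PAT gateway on one constructed public IP. It also tries a hypothetical cache keyed on (source IP, destination port) to show that this only adds challenges for the legitimate user and still lets the second host through.

```python
from dataclasses import dataclass


@dataclass
class Request:
    inside_host: str      # real client behind the PAT/proxy (constructed RFC 1918 addresses)
    dst_port: int         # service the client wants (80, 443, ...)
    has_credentials: bool # whether this person can pass the SecurID challenge


class PatGateway:
    """Many inside hosts leave with a single public address, as a PAT box or proxy does."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip

    def translate(self, req: Request) -> str:
        return self.public_ip  # every inside host looks like this one address to the firewall


class Firewall:
    """Models the per-source-IP session cache the reply describes.

    key_mode "ip" caches on source IP only (the behaviour described in the thread);
    key_mode "ip_port" is a hypothetical variant keyed on (source IP, destination port).
    """

    def __init__(self, key_mode: str = "ip"):
        self.key_mode = key_mode
        self.authenticated = set()
        self.challenges = 0  # how many times someone had to authenticate

    def _key(self, src_ip: str, req: Request):
        return src_ip if self.key_mode == "ip" else (src_ip, req.dst_port)

    def admit(self, src_ip: str, req: Request) -> str:
        key = self._key(src_ip, req)
        if key in self.authenticated:
            return "allowed-cached"  # no challenge: the cache already trusts this key
        self.challenges += 1
        if req.has_credentials:
            self.authenticated.add(key)
            return "allowed-authenticated"
        return "denied"


def run(key_mode: str):
    """Replay constructed traffic; returns the per-request decisions and the challenge count."""
    gw, fw = PatGateway("198.51.100.7"), Firewall(key_mode)
    traffic = [
        Request("10.0.0.11", 80, True),   # user A, holds a SecurID card
        Request("10.0.0.11", 443, True),  # user A again, a second application
        Request("10.0.0.22", 80, False),  # user B, same LAN, no credentials at all
    ]
    return [fw.admit(gw.translate(r), r) for r in traffic], fw.challenges
```

With key_mode "ip", user B is admitted from the cache after A's single challenge; with "ip_port", A is challenged once per port and B still rides A's cached entry for port 80, because the firewall never sees anything that distinguishes the two inside hosts.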
