Configure AAA on the PIX Security Appliance
Cut-through proxy authentication

The PIX Security Appliance gains dramatic performance advantages because of the cut-through proxy. This is a method of transparently verifying the identity of users at the firewall and permitting or denying access to any TCP- or UDP-based application. This method eliminates the price and performance impact that UNIX system-based firewalls impose in similar configurations, and leverages the authentication and authorization services of the Cisco Secure ACS.

The PIX Security Appliance cut-through proxy challenges a user initially at the application layer, and then authenticates against standard TACACS+, RADIUS, or local databases. After the policy is checked, the PIX shifts the session flow, and all traffic flows directly between the server and the client while maintaining session state information.

Only FTP, Telnet, HTTP and HTTPS sessions can be intercepted to authenticate a cut-through proxy user. The four session types behave as follows:

  • Telnet – The user gets a prompt generated by the PIX Security Appliance. The user has up to four chances to log in. If the username or password fails after the fourth attempt, the PIX drops the connection.
  • FTP – The user gets a prompt from the FTP program. If the user enters an incorrect password, the connection is dropped immediately.
  • HTTP – The user sees a window generated by the web browser. If the user enters an incorrect password, they are prompted again.
  • HTTPS – The user gets a prompt generated by the PIX Security Appliance. The user has up to three chances to log in. If the username or password fails after the third attempt, the PIX drops the connection.

Keep in mind that browsers cache usernames and passwords. If the PIX Security Appliance should be timing out an HTTP/HTTPS connection but appears not to, re-authentication may actually be taking place: the web browser silently sends the cached username and password back to the PIX. If Telnet and FTP time out normally but HTTP/HTTPS connections do not, this is usually the reason.
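As an added example (not taken from the course text), the following PIX 7.x configuration fragment enables the cut-through proxy for the four session types described above using the `aaa authentication include` form. The server group name `AuthInbound`, the ACS address 10.0.1.10, the shared key and the timer values are assumed placeholders.

```cisco
! Added example, not from the course text. Group name, ACS address and key
! are assumed placeholders.
!
! TACACS+ server group pointing at the Cisco Secure ACS on the inside network
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound (inside) host 10.0.1.10 SharedSecretKey timeout 10
!
! Intercept Telnet, FTP, HTTP and HTTPS sessions arriving on the inside
! interface (inside users going outbound). The user is challenged at the
! application layer before the session is cut through.
! 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 = any local host, any foreign host.
aaa authentication include telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include ftp    inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include http   inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include https  inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
!
! Cached user-authentication (uauth) entries expire after 5 minutes absolute
! or 2 minutes idle. When the absolute timer fires, a browser that cached
! the credentials re-authenticates silently, which shows up on the ACS as
! repeated authentication requests for the same user.
timeout uauth 0:05:00 absolute
timeout uauth 0:02:00 inactivity
```

Use `show uauth` on the PIX to confirm whether an HTTP/HTTPS user's entry is genuinely expiring or being renewed by the browser's cached credentials.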


Lab Activity

e-Lab Activity: Configure PIX Security Appliance Authentication

In this activity, the student will practice authenticating users.