The PIX Security Appliance can challenge users for credentials only on Telnet,
FTP, HTTP, or HTTPS connections, because those protocols carry a login exchange
the PIX can intercept. But what if users need to access a Microsoft file server
on port 139 or a Cisco IP/TV server, for instance? How will they be
authenticated? Whenever users are required to authenticate to access services
other than Telnet, FTP, HTTP, or HTTPS, they need to do one of the following:
- Authenticate first by accessing a Telnet, FTP, HTTP, or HTTPS server before
accessing other services.
- Authenticate to the PIX Security Appliance virtual Telnet service before
accessing other services.
When there are no Telnet, FTP, HTTP, or HTTPS servers with which to
authenticate, or simply to make authentication easier for the user, the PIX
offers a virtual Telnet authentication option. This option lets the user
authenticate directly with the PIX by opening a Telnet session to the virtual
Telnet IP address.
Virtual Telnet
The virtual Telnet option provides a way to preauthenticate users who need
connections through the PIX Security Appliance for services or protocols that
do not support authentication. The same virtual Telnet IP address is used both
to log in to and to log out of the PIX.
When an unauthenticated user establishes a Telnet session to
the virtual IP address, the user is challenged for the username and password,
and then authenticated with the TACACS+ or RADIUS server. Once authenticated,
the user sees the message "Authentication Successful," and the
authentication credentials are cached in the PIX Security Appliance for the
duration of the user authentication, or uauth, timeout.
If a user wishes
to log out and clear the entry in the PIX Security Appliance uauth cache, the
user can again access the virtual address via Telnet. The user is prompted for
a username and password, the PIX removes the associated credentials from the
uauth cache, and the user receives a "Logout Successful" message.
In the figure, the user wants to establish a NetBIOS session on port 139 to
access the file server. Because NetBIOS carries no authentication challenge the
PIX could intercept, the user first opens a Telnet session to the virtual
Telnet address at 192.168.0.10 and is immediately challenged for a username and
password, which the PIX checks against the RADIUS AAA server. Once the user is
authenticated, the PIX Security Appliance allows that user to connect to the
file server without reauthentication, for as long as the uauth entry for the
user's source address remains valid.
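The configuration that produces the behaviour described above, as an added example (PIX 6.3 command syntax; this is not configuration from the page or from Cisco's course material). The interface names, the inside network 10.0.0.0/24, the outside network 192.168.0.0/24, the RADIUS server 10.0.0.2, the server-group tag MYRADIUS and the shared key are all assumed:

```cisco
! Added example: virtual Telnet pre-authentication on a PIX 6.3.
! Assumed: inside 10.0.0.0/24, outside 192.168.0.0/24, RADIUS at 10.0.0.2.

! AAA server group the PIX authenticates against (tag and key are assumed)
aaa-server MYRADIUS protocol radius
aaa-server MYRADIUS (inside) host 10.0.0.2 r4d1us-sh4red-key timeout 10

! Require authentication for every protocol from inside hosts. Only Telnet,
! FTP, HTTP and HTTPS can be challenged; anything else (NetBIOS, IP/TV, ...)
! is simply dropped until the source address has a uauth entry.
aaa authentication include any inside 0 0 0 0 MYRADIUS

! The virtual Telnet server. The address must be unused and must be routed
! through the PIX from the client's point of view: here it sits on the outside
! network, so inside clients reach it via their default gateway, the PIX.
virtual telnet 192.168.0.10

! Cached credentials are bound to the source IP and live 30 minutes from
! login whatever the activity. "inactivity" instead of "absolute" would restart
! the clock on every packet; absolute is the conservative choice.
timeout uauth 0:30:00 absolute

! Only needed if the users are on the outside and the file server is inside:
! expose the virtual address, permit Telnet to it, and authenticate inbound.
static (inside,outside) 192.168.0.10 192.168.0.10 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 192.168.0.10 eq telnet
access-list inbound permit tcp any host 192.168.0.20 eq 139
access-group inbound in interface outside
aaa authentication include any outside 0 0 0 0 MYRADIUS
```

Verify with `show uauth`, which lists the authenticated source addresses and their remaining timeout, and revoke an entry with `clear uauth` (optionally followed by a username) when a user walks away without logging out. Two caveats a deployment should plan for: the Telnet login crosses the network in cleartext, so the segment between the client and the PIX must be trusted; and the uauth entry is keyed by source IP address, so every process on that host, and every host hiding behind the same NAT address, inherits the authorization until the timeout expires.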
Virtual HTTP
The virtual HTTP option makes web browsers work correctly with PIX Security
Appliance HTTP authentication. Ordinarily the PIX assumes that the AAA server
and the destination web server share a user database: the credentials the
browser supplies to satisfy the PIX challenge are passed on, unchanged, to the
web server. The virtual HTTP option instead lets the PIX authenticate the user,
keep the AAA credentials out of the web client's URL request, and then direct
the web client to the web server. It works by redirecting the initial browser
connection to an IP address that resides on the PIX, authenticating the user
there, and then redirecting the browser back to the URL the user originally
requested. The option is so named because the browser talks to a virtual HTTP
server on the PIX that does not really exist.
This option is especially useful for PIX Security Appliance interoperability
with Microsoft Internet Information Server (IIS), but it is also useful with
other web servers. When using HTTP authentication to a site running Microsoft
IIS that has Basic authentication or Windows NT Challenge/Response
authentication enabled, users may be denied access by the IIS server because
the browser adds the header "Authorization: Basic=Uuhjksdkfhk==" (the Basic
scheme followed by the base64-encoded username:password pair; the value shown
is illustrative) to its subsequent HTTP GET requests. This header contains the
PIX authentication credentials. Windows NT IIS servers act on those credentials
and assume that a Windows NT user is trying to access privileged pages on the
server. Unless the PIX username and password combination is exactly the same as
a valid Windows NT username and password combination on the Microsoft IIS
server, the HTTP GET command is denied.
To solve this problem, the PIX Security Appliance redirects the
initial browser connection to the virtual HTTP IP address, authenticates the
user, and then redirects the browser to the URL that the user originally
requested. Virtual HTTP is transparent to the user. Users enter actual
destination URLs in their browsers as they normally would.
NOTE: Do not set the timeout uauth duration to 0 seconds when using the
virtual HTTP option. Doing this prevents HTTP connections to the real web
server, because every request, including the redirected one, would be
challenged again.
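The virtual HTTP configuration for the IIS case described above, as an added example (PIX 6.3 syntax; not configuration from the page). The server-group tag MYRADIUS, the RADIUS server 10.0.0.2, the inside interface name and the virtual address 192.168.0.20 are assumed; the virtual address must be unused and must be one the inside clients route through the PIX:

```cisco
! Added example: virtual HTTP in front of an IIS server that has Basic or
! NT Challenge/Response authentication enabled. Assumed: RADIUS at 10.0.0.2,
! inside clients, virtual address 192.168.0.20 on the outside network.

aaa-server MYRADIUS protocol radius
aaa-server MYRADIUS (inside) host 10.0.0.2 r4d1us-sh4red-key timeout 10

! Authenticate only HTTP from inside hosts (narrower than "any"; add a
! separate rule if other services must be authenticated too)
aaa authentication include http inside 0 0 0 0 MYRADIUS

! Virtual HTTP server. The browser's first request is redirected here, the
! PIX challenge is answered here, and the browser is sent back to the original
! URL. The Authorization header with the PIX credentials is tied to the
! virtual address, so IIS never sees it and applies its own NT accounts only.
virtual http 192.168.0.20

! Must not be 0:00:00 (see the note above): with a zero uauth timeout every
! connection is challenged again, including the redirected request, so the
! browser never reaches the real web server.
timeout uauth 0:30:00 absolute
```

As with virtual Telnet, `show uauth` shows which source addresses currently hold a cached entry. If the web site is reached from the outside, the virtual address also needs a `static` self-mapping and an access-list entry permitting TCP port 80 to it, exactly as for the virtual Telnet address.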
Tunnel User Authentication
For tunnel access authentication, the PIX Security Appliance can be configured
to require a remote tunnel user to authenticate before gaining access to the
corporate services. The PIX prompts the user for a username and password and
checks them during tunnel setup (IPSec extended authentication, or Xauth), so
the user is authenticated before the tunnel is fully established.
Each remote VPN user belongs to a specific VPN group, or to a default group. As
users establish VPN tunnels to the central site PIX Security Appliance, they
authenticate. Through the tunnel negotiation and authentication process, the
PIX identifies which group the remote user belongs to and responds by pushing
the appropriate VPN group policy to the remote user. In the figure, there are
three VPN group policies configured: the engineering, marketing, and training
VPN group policies. Each VPN client belongs to one group. As the remote users
establish VPN tunnels, they authenticate, the PIX identifies which VPN group
they belong to, and the central site PIX pushes that group's policy to each
remote user.
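A central-site configuration for the three groups above, as an added example (PIX 6.3 syntax, Cisco VPN Client style remote access; not configuration from the page). The address pools, DNS server, domain name, group secrets, the AES-256/SHA/group 5 choices (which need PIX 6.3 or later) and the server-group tag MYRADIUS are assumed. Note how the two authentication steps are split: the client selects its group by the group name and group password it presents in IKE phase 1, and the individual user is then authenticated with Xauth against the AAA server before mode config pushes the group policy:

```cisco
! Added example: per-group policy push with Xauth user authentication.
! Assumed: RADIUS at 10.0.0.2, DNS at 10.0.0.10, pools and secrets below.

aaa-server MYRADIUS protocol radius
aaa-server MYRADIUS (inside) host 10.0.0.2 r4d1us-sh4red-key timeout 10

! One address pool per group, so the group is visible in the assigned address
ip local pool engpool 10.10.1.1-10.10.1.100
ip local pool mktpool 10.10.2.1-10.10.2.100
ip local pool trnpool 10.10.3.1-10.10.3.100

! Group policies. The group name is what the client presents in IKE phase 1;
! the group password is that group's pre-shared key (shared by every member,
! so it identifies the group, not the user).
vpngroup engineering address-pool engpool
vpngroup engineering dns-server 10.0.0.10
vpngroup engineering default-domain corp.example.com
vpngroup engineering idle-time 1800
vpngroup engineering password eng-group-secret

vpngroup marketing address-pool mktpool
vpngroup marketing dns-server 10.0.0.10
vpngroup marketing default-domain corp.example.com
vpngroup marketing idle-time 1800
vpngroup marketing password mkt-group-secret

vpngroup training address-pool trnpool
vpngroup training dns-server 10.0.0.10
vpngroup training default-domain corp.example.com
vpngroup training idle-time 1800
vpngroup training password trn-group-secret

! IKE phase 1 policy offered to the clients
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20

! IPSec transform and a dynamic crypto map, since client addresses are unknown
crypto ipsec transform-set ra-set esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ra-set
crypto map ramap 10 ipsec-isakmp dynamic dynmap

! Xauth: the user is prompted for username/password and checked against
! MYRADIUS before the tunnel is fully established
crypto map ramap client authentication MYRADIUS
! Mode config: hand out an address from the group's pool and push the policy
crypto map ramap client configuration address respond
crypto map ramap interface outside

! Let decrypted IPSec traffic bypass the interface access lists
sysopt connection permit-ipsec
```

Treat the `vpngroup` password strictly as a group identifier and rely on Xauth for user identity: every client in the group carries the same secret, and because the client connects with IKE aggressive mode, an attacker who captures the phase 1 exchange can attempt an offline dictionary attack on that pre-shared key. Use long random group secrets, or move to certificate-based IKE authentication where the client population allows it, and keep the per-user credentials in the AAA server so that revoking one user does not require re-keying the whole group.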