Introduction to PIX Security Appliance AAA Features
PIX Security Appliance authentication

Three types of authentication are available on the PIX Security Appliance:

  • Access authentication
  • Cut-through proxy authentication
  • Tunnel access authentication

PIX Security Appliance access authentication lets the administrator require that anyone connecting to the PIX itself be authenticated before gaining access. Authentication can be enforced separately for each of the following access methods:

  • enable password
  • Serial
  • SSH
  • HTTP
  • Telnet

In the example in Figure , a remote administrator is attempting to access the PIX Security Appliance via Secure Shell (SSH) from a home office while a local administrator is attempting to access the security appliance via Telnet. Both must be authenticated before they are permitted to access the PIX.

For cut-through proxy authentication, the PIX Security Appliance can be configured to require user authentication for a session through the PIX, as specified in the aaa authentication command. Only Telnet, FTP, HTTPS, and HTTP sessions can be intercepted to authenticate users. In the example in Figure , a remote user is attempting an HTTP session with the web server. If the user is authenticated by the PIX, the HTTP session to the web server is connected, or cut through. The PIX then shifts the session flow so that all traffic passes directly between the server and the client, while the PIX continues to maintain session state information.

For tunnel access authentication, the PIX Security Appliance can be configured to require a remote tunnel user to authenticate before the tunnel is fully established. In the example in Figure , a remote user establishes an IPSec tunnel with the home office to gain access to the corporate web server. Before the tunnel is fully established, the PIX prompts the remote user for a username and password. The credentials are verified before the tunnel is fully established and the remote user is allowed to access the corporate web server.
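The three authentication types described above (access authentication, cut-through proxy, and tunnel access authentication) shown together in one PIX 7.x-style configuration. This is an added illustration, not configuration from the course or from Cisco; the server tag AUTHSRV, all addresses, the CUT_THROUGH access list, the REMOTE_VPN tunnel group and the local admin account are placeholders chosen for the example.

```cisco
! Added example, not from the original course material. Names, addresses and
! secrets below are placeholders. Replace before use.

! --- Shared AAA server: TACACS+ reachable on the inside network ---
aaa-server AUTHSRV protocol tacacs+
aaa-server AUTHSRV (inside) host 10.0.1.5
 key TACACS_SHARED_SECRET_PLACEHOLDER
 timeout 10

! --- 1. Access authentication: logging in to the PIX itself ---
! Every management path is authenticated against AUTHSRV. LOCAL is the
! fallback method so an unreachable TACACS+ server does not lock out admins.
aaa authentication serial console AUTHSRV LOCAL
aaa authentication ssh console AUTHSRV LOCAL
aaa authentication telnet console AUTHSRV LOCAL
aaa authentication http console AUTHSRV LOCAL
aaa authentication enable console AUTHSRV LOCAL
! Local account that the LOCAL fallback uses
username admin password LOCAL_PASSWORD_PLACEHOLDER privilege 15
! Limit which hosts may even reach each management service
! (remote admin over SSH from the home office, local admin over Telnet)
ssh 192.0.2.0 255.255.255.0 outside
telnet 10.0.1.0 255.255.255.0 inside
http server enable
http 10.0.1.0 255.255.255.0 inside

! --- 2. Cut-through proxy: authenticating sessions THROUGH the PIX ---
! Only HTTP, HTTPS, FTP and Telnet can be intercepted. The ACL picks which
! of those flows must authenticate before the session is cut through;
! addresses are written as the traffic appears on the interface named in
! the aaa authentication match line (here: outside users to a web server).
access-list CUT_THROUGH extended permit tcp any host 203.0.113.10 eq www
access-list CUT_THROUGH extended permit tcp any host 203.0.113.10 eq https
aaa authentication match CUT_THROUGH outside AUTHSRV

! --- 3. Tunnel access authentication (XAUTH for remote-access IPSec) ---
! Users of this tunnel group are prompted for a username and password,
! checked against AUTHSRV, before the IPSec tunnel is fully established.
tunnel-group REMOTE_VPN type ipsec-ra
tunnel-group REMOTE_VPN general-attributes
 authentication-server-group AUTHSRV
```

Two design points worth noting: the LOCAL fallback on the console lines is what keeps an administrator from being locked out when the AAA server is down, and the access-list feeding aaa authentication match is the only thing that decides which through-traffic is challenged, so it should be scoped to the specific servers and protocols that need it rather than to all traffic.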