Configure AAA on the PIX Security Appliance
Authentication of Non-Telnet, FTP, or HTTP traffic

The PIX Security Appliance authenticates users via Telnet, FTP, HTTP, or HTTPS. But what if users need to access, for instance, a Microsoft file server on port 139 or a Cisco IP/TV server? How will they be authenticated? Whenever users are required to authenticate before accessing services other than Telnet, FTP, HTTP, or HTTPS, they need to do one of the following:

  • Authenticate first by accessing a Telnet, FTP, HTTP, or HTTPS server before accessing other services.
  • Authenticate to the PIX Security Appliance virtual Telnet service before accessing other services. When there are no Telnet, FTP, HTTP, or HTTPS servers with which to authenticate, or simply to make authentication easier for the user, the PIX offers a virtual Telnet authentication option. This option permits the user to authenticate directly with the PIX using the virtual Telnet IP address.

Virtual Telnet
The virtual Telnet option provides a way to preauthenticate users who require connections through the PIX Security Appliance using services or protocols that do not support authentication. The virtual Telnet IP address is used both to authenticate in and authenticate out of the PIX.

When an unauthenticated user establishes a Telnet session to the virtual IP address, the user is challenged for the username and password, and then authenticated with the TACACS+ or RADIUS server. Once authenticated, the user sees the message "Authentication Successful," and the authentication credentials are cached in the PIX Security Appliance for the duration of the user authentication, or uauth, timeout.

If a user wishes to log out and clear the entry in the PIX Security Appliance uauth cache, the user can again access the virtual address via Telnet. The user is prompted for a username and password, the PIX removes the associated credentials from the uauth cache, and the user receives a "Logout Successful" message.

In Figure , the user wants to establish a NetBIOS session on port 139 to access the file server. The user accesses the virtual Telnet address at 192.168.0.10, and is immediately challenged for a username and password before being authenticated with the RADIUS AAA server. Once the user is authenticated, the PIX Security Appliance allows that user to connect to the file server without reauthentication.

Virtual HTTP
With the virtual HTTP option, web browsers work correctly with PIX Security Appliance HTTP authentication. The PIX assumes that the AAA server database is shared with a web server and automatically provides the AAA server and the web server with the same information. The virtual HTTP option works with the PIX to authenticate the user, separate the AAA server information from the web client’s URL request, and direct the web client to the web server. It does this by redirecting the initial web browser connection to an IP address that resides on the PIX, authenticating the user, and then redirecting the browser back to the URL that the user originally requested. The option is so named because it accesses a virtual HTTP server on the PIX, one that does not actually exist.

This option is especially useful for PIX Security Appliance interoperability with Microsoft Internet Information Server (IIS), but it is also useful with other authentication servers. When using HTTP authentication to a site running Microsoft IIS that has Basic text authentication or Windows NT Challenge/Response authentication enabled, users may be denied access by the Microsoft IIS server because the browser appends the string "Authorization: Basic=Uuhjksdkfhk==" to the HTTP GET commands. This string contains the PIX authentication credentials. Windows NT IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the PIX username and password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.

To solve this problem, the PIX Security Appliance redirects the initial browser connection to the virtual HTTP IP address, authenticates the user, and then redirects the browser to the URL that the user originally requested. Virtual HTTP is transparent to the user. Users enter actual destination URLs in their browsers as they normally would.

NOTE:

Do not set the timeout uauth duration to 0 seconds when using the virtual HTTP option. Doing this prevents HTTP connections to the real web server.
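The following Python model is an added example, not Cisco code and not part of the original course material. It simulates the uauth cache semantics described in the Virtual Telnet and Virtual HTTP sections above: an unauthenticated Telnet to the virtual address challenges the user and caches the credentials until the uauth timeout expires, a second Telnet to the virtual address by an authenticated user clears the entry ("Logout Successful"), non-Telnet traffic such as NetBIOS on port 139 is permitted only while the entry exists, and virtual HTTP redirects the browser to the virtual address and back to the original URL. It also shows why the NOTE above applies: with a uauth timeout of 0 the cached entry is already expired when the browser follows the redirect back to the real web server. The virtual HTTP address, source addresses, usernames, passwords and the AAA lookup table are constructed for the example; only 192.168.0.10 comes from the text.

```python
"""Model of PIX virtual Telnet / virtual HTTP pre-authentication (added example)."""
from dataclasses import dataclass, field

VIRTUAL_TELNET_IP = "192.168.0.10"   # virtual Telnet address used in the text
VIRTUAL_HTTP_IP = "192.168.0.11"     # constructed virtual HTTP address (assumption)

# Constructed stand-in for the RADIUS/TACACS+ user database.
AAA_USERS = {"alice": "s3cret", "bob": "hunter2"}


def aaa_check(username, password):
    """Simulates the AAA server's answer: True only for a valid username/password pair."""
    return AAA_USERS.get(username) == password


@dataclass
class PixUauth:
    """uauth cache keyed by source IP, with an absolute timeout in seconds."""
    uauth_timeout: int = 300                   # models 'timeout uauth 0:05:00 absolute'
    cache: dict = field(default_factory=dict)  # src_ip -> (username, expires_at)

    def is_authenticated(self, src_ip, now):
        """True while a non-expired uauth entry exists; expired entries are purged."""
        entry = self.cache.get(src_ip)
        if entry is None:
            return False
        _, expires_at = entry
        if now >= expires_at:
            del self.cache[src_ip]
            return False
        return True

    def virtual_telnet(self, src_ip, username, password, now):
        """Telnet to the virtual IP: logs in when unauthenticated, logs out otherwise."""
        if self.is_authenticated(src_ip, now):
            # Second visit: the user is prompted again and the cached entry is removed.
            if aaa_check(username, password):
                del self.cache[src_ip]
                return "Logout Successful"
            return "Authentication Failed"
        if not aaa_check(username, password):
            return "Authentication Failed"
        self.cache[src_ip] = (username, now + self.uauth_timeout)
        return "Authentication Successful"

    def other_service(self, src_ip, now):
        """Traffic that cannot authenticate itself (e.g. NetBIOS/139) passes only when cached."""
        return "permit" if self.is_authenticated(src_ip, now) else "deny"

    def virtual_http(self, src_ip, url, username, password, now):
        """Browser request through virtual HTTP; returns the steps the browser sees."""
        steps = []
        if not self.is_authenticated(src_ip, now):
            steps.append(f"302 -> http://{VIRTUAL_HTTP_IP}/")      # redirect to the PIX
            if not aaa_check(username, password):
                steps.append("401 from PIX")
                return steps
            self.cache[src_ip] = (username, now + self.uauth_timeout)
            steps.append(f"302 -> {url}")                          # redirect back
        # The request to the real server no longer carries PIX credentials in its
        # Authorization header; it succeeds only if the uauth entry still exists.
        if self.is_authenticated(src_ip, now):
            steps.append(f"GET {url} -> 200 from web server")
        else:
            steps.append(f"GET {url} -> denied (uauth entry already expired)")
        return steps
```

Running `PixUauth(uauth_timeout=0).virtual_http(...)` shows the failure mode the NOTE warns about: the entry written during the redirect has expired by the time the browser follows it back, so the request to the real web server is denied.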

Tunnel User Authentication
For tunnel access authentication, the PIX Security Appliance can be configured to require a remote tunnel user to authenticate before gaining access to corporate services. The PIX prompts the user for a username and password and can authenticate the user before the tunnel is fully established.

Each remote VPN user belongs to a specific VPN group or to a default group. As users establish VPN tunnels to the central site PIX Security Appliance, they authenticate, and through the authentication process the PIX identifies which group the remote user belongs to. The PIX responds by pushing the appropriate VPN group policy to the remote user. In Figure , three VPN group policies are configured: the engineering, marketing, and training VPN group policies. Each VPN client belongs to one group. As each remote user establishes a tunnel and authenticates, the PIX identifies the user's VPN group and the central site PIX pushes that group's policy to the user.

Lab Activity

e-Lab Activity: Authentication of Non-Telnet, FTP, or HTTP Traffic with the PIX Security Appliance

In this activity, the student will configure virtual Telnet, virtual HTTP, console authentication, authentication timeouts and authentication prompts.