Three types of authentication are available on the PIX Security
Appliance:
- Access authentication
- Cut-through proxy authentication
- Tunnel access authentication
PIX Security appliance access authentication enables the administrator
to require authentication verification to access the PIX. The following access
authentication service options are available:
- enable password
- Serial
- SSH
- HTTP
- Telnet
In the example in Figure, a remote
administrator is attempting to access the PIX Security Appliance via Secure
Shell (SSH) from a home office while a local administrator is attempting to
access the security appliance via Telnet. Both must be authenticated before
they are permitted to access the PIX.
For cut-through proxy
authentication, the PIX Security Appliance can be configured to require user
authentication for a session through the PIX, as specified in the aaa
authentication command. Only Telnet, FTP, HTTPS, and HTTP sessions
can be intercepted to authenticate users. In the example in Figure, a remote user
is attempting an HTTP session with the web server. If the user is authenticated
by the PIX, the HTTP session to the web server is connected, or cut-through.
The PIX then shifts the session flow and all traffic flows directly between the
server and the client while maintaining session state information.
For
tunnel access authentication, the PIX Security Appliance can be configured to
require a remote tunnel user to authenticate prior to full tunnel
establishment. In the example in Figure, a remote user
establishes an IPSec tunnel with the home office to gain access to the
corporate web server. Before the tunnel is fully established, the PIX will
prompt the remote user for a username and password. The credentials are
verified before the remote user tunnel is fully established and they are
allowed to access the corporate web server.
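The following PIX 6.x configuration fragment is an added illustration, not taken from the original text, of how the three authentication types above are tied to one AAA server. The server tag MYTACACS, the address 10.1.1.10, the shared key and the crypto map name REMOTEVPN are constructed placeholders.

```cisco
! Define the AAA server group the PIX will consult (constructed values).
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.1.1.10 sharedkey timeout 10

! 1. Access authentication: every management path into the PIX itself
!    must be authenticated, including the enable password.
aaa authentication serial console MYTACACS
aaa authentication telnet console MYTACACS
aaa authentication ssh console MYTACACS
aaa authentication http console MYTACACS
aaa authentication enable console MYTACACS

! 2. Cut-through proxy authentication: intercept inbound HTTP and FTP
!    sessions through the PIX from any source to any destination.
!    Only Telnet, FTP, HTTPS and HTTP can be intercepted this way.
aaa authentication include http inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
aaa authentication include ftp inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS

! 3. Tunnel access authentication: prompt IPSec remote-access clients
!    for a username and password before the tunnel is fully established.
crypto map REMOTEVPN client authentication MYTACACS
```

Once an intercepted session is authenticated, the PIX no longer proxies the application traffic; it only tracks the session state, which is why the `include` statements apply per-service and the data path shows no further AAA activity.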