PIX - aaa authentication for http using W2k3 IAS
Posted on 2005-04-13
My task is to configure a PIX 506e (6.3(3)) to allow inbound HTTP connections from the internet through to an IIS6 webserver on the LAN. No DMZ..... (I know, I know... but I'm paid to do what I'm told!).
Have used the static command to map an IP:
static (inside,outside) 81.178.50.xx 192.168.77.2 netmask 255.255.255.255 0 0
Configured an access list and applied it:
access-list 101 permit tcp any host 81.178.50.xx eq 80
access-list 101 permit tcp any host 81.178.50.xx eq 443
access-group 101 in interface outside
Set up the AAA server and AAA accounting using the IAS server w3svr2:
aaa-server w3svr2 protocol radius
aaa-server w3svr2 (inside) host 192.168.77.2 secretkey timeout 10
aaa authentication include http inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 w3svr2
The IAS (W2k3) client is configured correctly as far as I can tell: Client-Vendor "Cisco", shared secret is correct, only policy is 'Allow access if dial-in permission is enabled'. I have configured a user in AD, given it dial-in rights and removed it from 'Domain Users'.
Now, when I point a browser (e.g. MSIE 6 SP2) at the mapped IP, it pops up the HTTP authentication box, but it will not accept the username/password of either the user I set up or a domain admin. When I check the event logs on the IAS box, I get:
User www was denied access.
Fully-Qualified-User-Name = xxxxx/Users/www access
NAS-IP-Address = 192.168.77.240
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = xxxxxxxxxxx
Client-Friendly-Name = w3dfw01
Client-IP-Address = 192.168.77.240
NAS-Port-Type = <not present>
NAS-Port = 4
Policy-Name = Allow access if dial-in permission is enabled
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an unauthorized authentication method.
I have tried setting the Client-Vendor type to RADIUS-Standard instead of Cisco, but no joy....
Any ideas where I'm going wrong?
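As an added triage helper (not part of the original post), the script below parses the "Name = Value" lines of an IAS denial event like the one quoted above and checks whether the Authentication-Type the NAS sent is among the methods the matched remote access policy allows; Reason-Code 66 is the IAS code behind "unauthorized authentication method". The sample event is constructed from the post's fields, and the set of methods enabled in the policy profile is an assumption you supply from the IAS console.

```python
import re

# Constructed sample event with the same fields as the one quoted in the post.
SAMPLE_EVENT = """User www was denied access.
Fully-Qualified-User-Name = EXAMPLE/Users/www
NAS-IP-Address = 192.168.77.240
NAS-Identifier = <not present>
Client-Friendly-Name = w3dfw01
Client-IP-Address = 192.168.77.240
NAS-Port = 4
Policy-Name = Allow access if dial-in permission is enabled
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an unauthorized authentication method."""

# IAS writes each attribute as "Name = Value"; placeholders like <not present> carry no data.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")

def parse_ias_event(text):
    """Map attribute name -> value, skipping <not present>/<undetermined> placeholders."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and not m.group(2).startswith("<"):
            fields[m.group(1)] = m.group(2)
    return fields

def diagnose(fields, policy_auth_methods):
    """Classify a denial. policy_auth_methods is the set of methods enabled in the
    matched remote access policy's profile (assumed; read it from the IAS console)."""
    code = fields.get("Reason-Code")
    auth = fields.get("Authentication-Type")
    nas = fields.get("NAS-IP-Address", "?")
    policy = fields.get("Policy-Name", "?")
    if code == "66" and auth and auth not in policy_auth_methods:
        # The NAS (here the PIX) used a method the matched policy does not permit.
        return ("policy_auth_mismatch",
                f"NAS {nas} used {auth}; policy '{policy}' allows {sorted(policy_auth_methods)}")
    if code == "66":
        return ("unexpected", f"code 66 although {auth} is allowed; re-check the profile for {nas}")
    return ("other", f"Reason-Code {code}: {fields.get('Reason', '')}")

if __name__ == "__main__":
    event = parse_ias_event(SAMPLE_EVENT)
    print(diagnose(event, {"MS-CHAP", "MS-CHAP v2"}))
```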