
  • Status: Solved

PIX - aaa authentication for http using W2k3 IAS

Hi all,

My task is to configure a PIX 506E (6.3(3)) to allow inbound HTTP connections from the internet through to an IIS6 webserver on the LAN.  No DMZ..... (I know, I know... but I'm paid to do what I'm told!).

Have used the static command to map an IP:

static (inside,outside) 81.178.50.xx netmask 0 0

Configured an access list and applied it:

access-list 101 permit tcp any host 81.178.50.xx eq 80
access-list 101 permit tcp any host 81.178.50.xx eq 443
access-group 101 in interface outside

Set up the AAA server and AAA accounting using the IAS server w3svr2:

aaa-server w3svr2 protocol radius
aaa-server w3svr2 (inside) host secretkey timeout 10
aaa authentication include http inbound w3svr2

IAS (W2k3) client is configured correctly as far as I can tell: Client-Vendor "Cisco", shared secret is correct, only policy is 'Allow access if dial-in permission is enabled'.  I have configured a user in AD, given it dial-in rights and removed it from 'domain users'.

Now, when I point a browser, e.g. MSIE6 SP2, to the mapped IP, it pops up the HTTP authentication box, but it will not accept the username/password of either the user I set up, or a domain admin.  When I check the event logs on the IAS box, I get:

Type: Warning
Source: IAS
EventID: 2

User www was denied access.
 Fully-Qualified-User-Name = xxxxx/Users/www access
 NAS-IP-Address =
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = xxxxxxxxxxx
 Client-Friendly-Name = w3dfw01
 Client-IP-Address =
 NAS-Port-Type = <not present>
 NAS-Port = 4
 Policy-Name = Allow access if dial-in permission is enabled
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an unauthorized authentication method.  

I have tried setting the client-vendor type to RADIUS-Standard instead of Cisco, but no joy....

Any ideas where I'm going wrong?


1 Solution
Straynor, your PIX config looks correct.

You can do a debug access list 101 and verify the number of hits (matches).

Is this server new or has it been installed and working correctly?

Can you go out to the internet from this server correctly? (Verifies network and routing connectivity.)

Can you access the server/apps correctly from inside the firewall, i.e. http to

straynor (Author) commented:

Tracked down the problem to the IAS box - as the username and password from the PIX are relayed using clear-text PAP authentication, I had to specifically enable PAP on the IAS policy profile.....  Then it worked like a charm.

In actual fact I have dug a bit further and found that PIX OS 6.3 supports the command

aaa authentication secure-http-client

Allows the pix to use https to collect the username and password and send it to IAS encrypted.  Also works like a charm..... (albeit the built-in webpage it puts up to collect the username/password is a bit naff!).

Thanks for the help though!

Now how do I close this question..... hmm.....

PAQed with points (250) refunded

Community Support Moderator
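
What the PIX-to-IAS leg discussed in this thread looks like on the wire, as an added example that is not part of the original posts: in a RADIUS Access-Request using PAP, the User-Password attribute is hidden per RFC 2865 section 5.2 with an MD5 keystream derived from the shared secret, and the server reverses it to recover the plaintext password. The user name, password, shared secret and request authenticator below are constructed sample values.

```python
import hashlib
import struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side (RFC 2865 5.2): XOR each 16-byte block with MD5(secret + prev)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev  # each hidden block seeds the MD5 for the next one
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream gives the server the plaintext password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, ident, authenticator):
    """Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    hidden = hide_password(password, secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((1, user), (2, hidden)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Walk the type-length-value attributes that follow the 20-byte header."""
    end = int.from_bytes(packet[2:4], "big")
    if not 20 <= end <= len(packet):
        raise ValueError("bad length field")
    pos, attrs = 20, {}
    while pos + 2 <= end:
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs

if __name__ == "__main__":
    secret, auth = b"constructed-secret", bytes(range(16))  # constructed values
    pkt = build_access_request(b"www", b"Constructed-Passw0rd!", secret, 1, auth)
    hidden = parse_attributes(pkt)[2]
    print("on the wire:", hidden.hex())
    print("server sees:", reveal_password(hidden, secret, auth))
```

A server holding a different shared secret decodes the same attribute to garbage, so a mismatched secret shows up as a failed password check rather than as a rejected authentication method.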
