PIX - aaa authentication for http using W2k3 IAS

Posted on 2005-04-13
Last Modified: 2013-11-16
Hi all,

My task is to configure a pix 506e (6.3(3)) to allow inbound http connections from the internet through to an iis6 webserver on the lan.  No DMZ..... (i know, i know... - but i'm paid to do what i'm told!).

Have used that static command to map an IP:-

static (inside,outside) 81.178.50.xx netmask 0 0

Configured an access list and applied it:-

access-list 101 permit tcp any host 81.178.50.xx eq 80
access-list 101 permit tcp any host 81.178.50.xx eq 443
access-group 101 in interface outside

Set up the AAA server and AAA accounting using the IAS server w3svr2:-

aaa-server w3svr2 protocol radius
aaa-server w3svr2 (inside) host secretkey timeout 10
aaa authentication include http inbound w3svr2

IAS (w2k3) client is configured correctly as far as i can tell: Client-Vendor "Cisco", shared secret is correct, only policy is 'Allow access if dial-in permission is enabled'.  I have configured a user in AD, given it dial-in rights and removed it from 'domain users'.

Now, when i point a browser eg. msie6sp2 to the mapped IP, it pops up the http authentication box, but it will not accept the username/password of either the user I setup, or a domain admin.  When I check the evtlogs on the IAS box, i get:-

Type: Warning
Source: IAS
EventID: 2

User www was denied access.
 Fully-Qualified-User-Name = xxxxx/Users/www access
 NAS-IP-Address =
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = xxxxxxxxxxx
 Client-Friendly-Name = w3dfw01
 Client-IP-Address =
 NAS-Port-Type = <not present>
 NAS-Port = 4
 Policy-Name = Allow access if dial-in permission is enabled
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an unauthorized authentication method.  

I have tried setting the client-vendor type to RADIUS-Standard instead of Cisco, but no joy....

Any ideas where i'm going wrong??


Question by:straynor

    Expert Comment

    Straynor, Your Pix config looks correct.

    You can do a debug access list 101 and verify the number of hits(matches)

    Is this server new or has it been installed and working correctly?

    Can you go out to the internet from this server correctly? (Verifies network and routing connectivity.)

    Can you access the server/apps correctly from inside the firewall, ie http to


    Author Comment


    Tracked down the problem to the IAS box - as the username and password from the PIX are relayed using clear-text PAP authentication, I had to specifically enable PAP on the IAS policy profile.....  Then it worked like a charm.

    In actual fact I have dug a bit further and found that pix os 6.3 supports the command

    aaa authentication secure-http-client

    Allows the pix to use https to collect the username and password and send it to IAS encrypted.  Also works like a charm..... (albeit the built-in webpage it puts up to collect the username/password is a bit naff!).

    Thanks for the help though!

    Now how do i close this question..... hmm.....
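The IAS event in the question already contains the answer (Reason-Code 66 together with Authentication-Type = PAP), which the author later confirmed by enabling PAP on the policy profile. The following script, an added example that is not part of the original thread, parses an IAS Event ID 2 "denied access" message of that shape into a field map and turns the PAP/66 combination into an explicit diagnosis, so the same check can be run over exported event text rather than read by eye. The sample event is constructed from the fields shown in the question, with the redacted domain and calling station replaced by placeholder values; only reason code 66 is mapped, because that is the only code the thread shows.

```python
"""Parse an IAS Event ID 2 ("User ... was denied access") message and explain the denial.

Added example for this thread; the event text below is constructed from the
fields posted in the question (domain and calling station are placeholders).
"""
import re

# Reason codes seen in the thread. Only 66 is present on the page; the script
# does not guess meanings for codes it has not seen.
REASON_CODES = {
    66: "The user attempted to use an unauthorized authentication method.",
}

# Constructed sample: same field names and values as the question, redactions replaced.
SAMPLE_EVENT = """User www was denied access.
 Fully-Qualified-User-Name = EXAMPLE/Users/www
 NAS-IP-Address =
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = 203.0.113.10
 Client-Friendly-Name = w3dfw01
 Client-IP-Address =
 NAS-Port-Type = <not present>
 NAS-Port = 4
 Policy-Name = Allow access if dial-in permission is enabled
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an unauthorized authentication method.
"""

# One "Name = value" attribute per line; the first line ("User www was denied
# access.") has no "=" and is skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z-]+)\s*=\s*(.*?)\s*$")

# Values IAS prints when an attribute was absent from the RADIUS request.
ABSENT = ("", "<not present>", "<undetermined>")


def parse_ias_event(text):
    """Return a dict of attribute name -> value (None when IAS marked it absent)."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.groups()
        fields[key] = None if value in ABSENT else value
    return fields


def diagnose(fields):
    """Map the parsed event to a (verdict, explanation) pair.

    verdict is a short machine-friendly tag; explanation is for a human reader.
    """
    raw_code = fields.get("Reason-Code")
    code = int(raw_code) if raw_code is not None else None
    auth_type = fields.get("Authentication-Type")
    policy = fields.get("Policy-Name") or "<no policy matched>"

    if code == 66 and auth_type == "PAP":
        # The NAS offered PAP and the matched policy profile does not allow it.
        # A PIX relaying HTTP authentication to RADIUS uses PAP, so this is the
        # expected failure when PAP is left disabled on the IAS profile.
        return (
            "policy_rejects_pap",
            f"Policy '{policy}' matched but does not allow PAP; "
            "the NAS sent the credentials as PAP, so enable PAP on the profile "
            "or change how the NAS authenticates.",
        )
    if code == 66:
        return (
            "policy_rejects_method",
            f"Policy '{policy}' matched but rejects authentication type "
            f"{auth_type or '<unknown>'}.",
        )
    return (
        "unclassified",
        REASON_CODES.get(code, f"Reason-Code {raw_code} is not mapped by this script."),
    )


if __name__ == "__main__":
    parsed = parse_ias_event(SAMPLE_EVENT)
    verdict, explanation = diagnose(parsed)
    print(f"{verdict}: {explanation}")
```

Run as-is it reports `policy_rejects_pap` for the sample. The verdict string is deliberately separate from the explanation so the function can feed an alerting rule or a ticket comment without string matching on prose. It says nothing about the browser-to-PIX leg: the thread's second fix, `aaa authentication secure-http-client`, addresses that leg by collecting the username and password over HTTPS, and is not visible in the IAS event at all.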


    Accepted Solution

    PAQed with points (250) refunded

    Community Support Moderator
