straynor


PIX - aaa authentication for http using W2k3 IAS

Hi all,

My task is to configure a pix 506e (6.3(3)) to allow inbound http connections from the internet through to an iis6 webserver on the lan.  No DMZ..... (I know, I know... - but I'm paid to do what I'm told!).

Have used the static command to map an IP:-

static (inside,outside) 81.178.50.xx 192.168.77.2 netmask 255.255.255.255 0 0

Configured an access list and applied it:-

access-list 101 permit tcp any host 81.178.50.xx eq 80
access-list 101 permit tcp any host 81.178.50.xx eq 443
access-group 101 in interface outside

Setup AAA server and AAA Accounting using the IAS server w3svr2

aaa-server w3svr2 protocol radius
aaa-server w3svr2 (inside) host 192.168.77.2 secretkey timeout 10
aaa authentication include http inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 w3svr2

IAS (w2k3) client is configured correctly as far as I can tell: Client-Vendor "Cisco", shared secret is correct, only policy is 'Allow access if dial-in permission is enabled'.  I have configured a user in AD, given it dial-in rights and removed it from 'domain users'.

Now, when I point a browser eg. msie6sp2 to the mapped IP, it pops up the http authentication box, but it will not accept the username/password of either the user I setup, or a domain admin.  When I check the evtlogs on the IAS box, I get:-

Type: Warning
Source: IAS
EventID: 2

User www was denied access.
 Fully-Qualified-User-Name = xxxxx/Users/www access
 NAS-IP-Address = 192.168.77.240
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = xxxxxxxxxxx
 Client-Friendly-Name = w3dfw01
 Client-IP-Address = 192.168.77.240
 NAS-Port-Type = <not present>
 NAS-Port = 4
 Policy-Name = Allow access if dial-in permission is enabled
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an unauthorized authentication method.  


I have tried setting the client-vendor type to RADIUS-Standard instead of Cisco, but no joy....

Any ideas where I'm going wrong??

Thanks,

Straynor
cpopour

Straynor, Your Pix config looks correct.

You can do a debug access list 101 and verify the number of hits(matches)

Is this server new or has it been installed and working correctly?

Can you go out to the internet from this server correctly (verifies network and routing connectivity)?

Can you access the server/apps correctly from inside the firewall, ie http to 192.168.77.2?


ASKER

Hi,

Tracked down the problem to the IAS box - as the username and password from the PIX are relayed using clear-text PAP authentication, I had to specifically enable PAP on the IAS policy profile.....  Then it worked like a charm.

In actual fact I have dug a bit further and found that pix os 6.3 supports the command

aaa authentication secure-http-client

It allows the pix to use https to collect the username and password and send it to IAS encrypted.  Also works like a charm..... (albeit the built-in webpage it puts up to collect the username/password is a bit naff!).

Thanks for the help though!

Now how do I close this question..... hmm.....

Straynor
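The PAP leg described in the answer above, as an added example that is not from the thread: this Python builds and parses the RADIUS Access-Request a PIX cut-through proxy would relay to IAS, applying the RFC 2865 User-Password hiding, which shows why the shared secret on the aaa-server line (and the https front end from secure-http-client) matters. Attribute values are constructed to match the IAS event in the question; the secret and password are placeholders.

```python
# Added example, not from the original thread: RADIUS Access-Request for a PAP
# login as relayed by a PIX, with RFC 2865 section 5.2 User-Password hiding.
# NAS-IP-Address / NAS-Port / User-Name match the IAS event in the question.
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to 16-byte blocks; XOR each with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the shared secret gets the password."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value  # type, length, value


def build_access_request(ident, username, password, secret, nas_ip, nas_port, auth=None):
    auth = auth or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_access_request(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: raw_value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        kind, size = packet[pos], packet[pos + 1]
        attrs[kind] = packet[pos + 2:pos + size]
        pos += size
    return code, ident, packet[4:20], attrs
```

The password is only XOR-masked with an MD5 stream keyed by the shared secret, so the secret's strength is what protects the credential between the PIX and IAS; the browser-to-PIX leg stays clear text unless secure-http-client is enabled.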
ASKER CERTIFIED SOLUTION
DarthMod