Configuration of Virtual Telnet Authentication

pixfirewall(config)# virtual telnet ip_address

ip_address

- For inbound clients, this must be an unused global address.

- For outbound clients, this must be an unused global address routed directly to the PIX Firewall.

pixfirewall(config)# virtual telnet 192.168.0.3

©2000, Cisco Systems,

When using virtual Telnet to authenticate inbound clients, the IP address must be an unused global address.

When using virtual Telnet to authenticate outbound clients, this must be an unused global address routed directly to the PIX Firewall.

The syntax for the virtual telnet command is as follows:

virtual telnet ip_address

Argument      Description
ip_address    Unused global IP address on the PIX Firewall, used for Telnet authentication.

• Some Web servers do not understand the PIX Firewall's authentication credentials.

• When virtual HTTP is enabled, it redirects the browser to authenticate first to a virtual Web server on the PIX Firewall.

• After authentication, the PIX Firewall forwards the Web request to the intended Web server.

©2000, Cisco Systems, Inc. www.cisco.com CSPFA 1.01—4-18

With the virtual HTTP option, web browsers work correctly with the PIX Firewall's HTTP authentication. The PIX Firewall assumes that the AAA server database is shared with a web server and automatically provides the AAA server and web server with the same information. The virtual HTTP option works with the PIX Firewall to authenticate the user, separate the AAA server information from the web client's URL request, and direct the web client to the web server. It does this by redirecting the web browser's initial connection to an IP address that resides on the PIX Firewall, authenticating the user there, and then redirecting the browser back to the URL that the user originally requested. The option is so named because the browser appears to access a virtual HTTP server on the PIX Firewall, which in reality does not exist.

This option is especially useful for PIX Firewall interoperability with Microsoft IIS, but it is also useful with other authentication servers. When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users may be denied access by the Microsoft IIS server. This occurs because the browser appends the string "Authorization: Basic=Uuhjksdkfhk==" to its HTTP GET commands. This string contains the PIX Firewall authentication credentials. Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the PIX Firewall username and password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.

To solve this problem, PIX Firewall redirects the browser's initial connection to its virtual HTTP IP address, authenticates the user, then redirects the browser back to the URL that the user originally requested.

Note: Do not set the timeout uauth duration to 0 seconds when using the virtual HTTP option. This will prevent HTTP connections to the real web server.
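The following PIX Firewall configuration is an added example, not part of the course slides or Cisco's own text; it ties together the virtual telnet command described above and the virtual HTTP option with the AAA commands they depend on. The server group name TACACS+, the AAA server address 10.0.1.11, the key SharedSecretKey, and the virtual addresses 192.168.0.3 and 192.168.0.4 are assumed placeholder values; the `!` lines are explanatory comments and assume the CLI accepts them (remove them if it does not).

```text
! Define the TACACS+ server group that holds the user database
! (assumed server address and key; not from the course material).
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.1.11 SharedSecretKey timeout 10

! Require AAA authentication for all inbound and all outbound connections.
aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+

! Virtual Telnet: an unused global address where a user can log in once
! before using services the PIX cannot authenticate directly. For outbound
! clients this address must be routed to the PIX Firewall.
virtual telnet 192.168.0.3

! Virtual HTTP: a second unused global address. Browsers are redirected here
! to authenticate, then redirected back to the URL they originally requested,
! so the PIX credentials are never presented to the real web server.
virtual http 192.168.0.4

! The uauth timeout must not be 0 when virtual HTTP is in use (see the note
! above); five minutes absolute is an assumed value for illustration.
timeout uauth 0:05:00 absolute
```

The two virtual addresses are deliberately distinct from every global address used by static or global commands, since the firewall answers for them itself; the authentication rules are what cause the PIX to intercept the first connection and send the user to the virtual server.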
