Pix 515 and user authentication - controlling outbound rights

Post by Robert Bruc » Sat, 06 Oct 2001 01:24:21

We have a network of Win2K PCs and servers on a Windows 2000 Active
Directory. I am replacing our current firewall with a Pix515 (V6.1, PDM) and
would like to be able to control some of the general internet access
depending on user login name (and control some by machine name or IP).

Outbound access would not be limited to http, ftp and telnet: I need to be
able to grant or restrict access to numerous services depending on the user.

Ideally, I would like a system which ties into Active Directory and dynamic
DHCP/DNS so that the entire process is transparent to the user.
Unfortunately I am a bit of a novice with IOS and AAA so I am looking for
advice along the lines of

a) is it possible?
b) if not, what is?
c) how?

TIA

- Rob

Pix 515 and user authentication - controlling outbound rights

Post by SGion » Sat, 06 Oct 2001 05:04:07

You need to use 3rd party software for this.  One example would be Websense,
which talks to the PIX to constrain access by user.

> We have a network of Win2K PCs and servers on a Windows 2000 Active
> Directory. I am replacing our current firewall with a Pix515 (V6.1, PDM) and
> would like to be able to control some of the general internet access
> depending on user login name (and control some by machine name or IP).

> Outbound access would not be limited to http, ftp and telnet: I need to be
> able to grant or restrict access to numerous services depending on the user.

> Ideally, I would like a system which ties into Active Directory and dynamic
> DHCP/DNS so that the entire process is transparent to the user.
> Unfortunately I am a bit of a novice with IOS and AAA so I am looking for
> advice along the lines of

> a) is it possible?
> b) if not, what is?
> c) how?

> TIA

> - Rob


1. PIX 515 with AAA Authentication of VPN Users

Hello,
I have been working on implementing a PIX 515 in a failover
configuration using IOS 6.0.1. What I am trying to do is have
users create a VPN tunnel (either PPTP or IPsec using Cisco Client
3.0), have AAA authenticate them, apply an access list to them to
control their access, and finally assign them an IP address based on
their username. I have gotten everything working except the static IP
assignment using the following config:

Cisco ACS Server 2.6 running on Win2k Server, TACACS+ configured
IPsec client, using IPsec vpngroup command
I apply ACLs to the groups through ACS and it works.

I am wondering if the PIX has the capability to assign IP addresses
based on username. I know a VPN Concentrator would do it, but this is
for such a small pool of users it would be a waste of money (and rack
space!!!). If anyone could assist me, it would be greatly appreciated.

- Mike Bullock
