authentication and ACL with PIX

Hello,

I have a PIX allowing some IPs on my Inside interface to access some server on the DMZ interface with an ACL like

access-list acl-inside permit tcp host 192.168.1.1 host 192.168.2.1

So, anybody changing his IP address can access my server in the DMZ if they find the correct source IP.

Is it possible to restrict the rules only to users that were previously authenticated on the PIX with the correct IP?

Thanks

Geof


True, with some care taken to be sure that the real 192.168.1.1 is idle.

If the same authenticated user were to move to a different system, should they still be authorized to reach that host? If any user sits down at that host and authenticates, should they be permitted access to the remote system? Or is it the combination of authentication and host that is required -- e.g., the payroll administrator is authorized only when sitting at the cheque-control computer in a locked and guarded room?

What kind of authentication are you doing? Are you using 802.1x?

You might wish to look into "downloadable ACLs".

Walter Roberson
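As an added illustration (not configuration from either poster), here is what the "authenticate first, then let the ACL apply" arrangement looks like on a PIX running 6.3 syntax, using the cut-through proxy (aaa authentication) in front of the original access-list. The TACACS+ server address, its key and the virtual Telnet address are assumed placeholders; the ACL and host addresses are the ones from the question.

```cisco
! Added example, not from the thread. PIX 6.3 syntax; server address, key and
! virtual Telnet address are assumptions.

! The original rule, applied inbound on the inside interface.
access-list acl-inside permit tcp host 192.168.1.1 host 192.168.2.1
access-group acl-inside in interface inside

! AAA server group the PIX checks usernames/passwords against (placeholder host and key).
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.1.50 S3cretKey timeout 5

! Cut-through proxy: any connection matching acl-inside must come from a source IP
! that has already authenticated. The PIX can only prompt for credentials on Telnet,
! FTP, HTTP (and HTTPS on 6.3); other TCP ports pass only once the source IP already
! holds an entry in the uauth cache.
aaa authentication match acl-inside inside TACACS+

! The uauth cache is keyed by SOURCE IP, not by user. Keep it short and absolute so a
! spoofed 192.168.1.1 cannot ride on a session the legitimate user opened earlier
! (this is the "be sure the real 192.168.1.1 is idle" caveat from the reply above).
timeout uauth 0:05:00 absolute

! Optional: an unused address users Telnet to purely to authenticate, so that a
! protocol the PIX cannot prompt on (e.g. SQL, RDP) works after logging in here.
virtual telnet 192.168.1.254
```

Two checks worth doing after applying this: `show uauth` lists which source IPs currently hold an authenticated entry (and which user they were granted to), and `clear uauth` removes them, which is the quickest way to confirm that the ACL really does stop passing traffic for 192.168.1.1 until someone logs in again. Because the entry lives on the IP address, per-user restriction beyond this point needs the downloadable ACL approach mentioned above, where the AAA server hands the PIX an ACL for that user rather than the PIX relying on the static access-list alone.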

Walter Roberson wrote:

It's the combination that is required: host IP and a good username/password, but username/password alone will do.

I just want to have a simple authentication, with a username and a password, maybe centralized with TACACS or RADIUS.

I don't plan to use 802.1x.

Thanks, I will look at this. I think that the following link will resolve my problems:

formatting link
but it seems that I also need a CiscoSecure AccessControlServer...

Geof

