PIX ACL based on user credentials instead of IP address

I'm investigating ways to allow access across PIX firewalls using a user ID instead of an IP address. For example, currently we hardcode IP addresses into a user's TCP settings and then base ACLs off of that IP address. This works fine but doesn't scale up very well (and somebody could steal their IP address as well). I understand that there is an AAA feature in PIX that allows the PIX to challenge the user (ask for ID/password, or ID/token PIN) and then pass them through. My concern is that this feature only supports HTTP, FTP, and Telnet. We have many applications other than those 3 that we would like to use AAA for. I'm told that other applications can work, but the process is rather inelegant. 1) User telnets to the firewall and plugs in credentials. 2) Firewall validates the credentials and then opens up holes in the firewall for that person for a set period of time. So basically, to run application "X", the user has to telnet first and then launch "X". What happens when the timer expires - does the user get shut out? Is there another way that isn't so clunky?
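The two-step flow the question describes (authenticate to the firewall first, then run the application) is the PIX "virtual telnet" form of cut-through proxy. The configuration below is an added illustration in PIX 6.x command syntax, not something the poster or Cisco supplied on this page; the AAA server address, shared key, virtual telnet address and the server tag `AuthInbound` are placeholders. It also shows the `timeout uauth` setting that controls the "set period of time" the poster asks about.

```cisco
! AAA server group: placeholder TACACS+ host on the inside interface
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound (inside) host 10.1.1.10 SHARED-KEY-PLACEHOLDER timeout 5

! Challenge every inbound connection through the PIX, not just HTTP/FTP/Telnet.
! Only HTTP, FTP and Telnet can be challenged in-band; other protocols are
! permitted once the source address holds a valid user authentication (uauth).
aaa authentication include any inbound 0 0 0 0 AuthInbound

! Log which user opened which connection, so the audit trail is per user,
! not per address.
aaa accounting include any inbound 0 0 0 0 AuthInbound

! Placeholder address the user telnets to in order to authenticate before
! launching an application the PIX cannot challenge directly.
virtual telnet 192.0.2.100

! How long the authentication is honoured. With "inactivity" the timer is
! reset by traffic, so an active user is not cut off mid-session; with
! "absolute" it expires regardless of activity and the user must re-authenticate.
timeout uauth 0:30:00 inactivity
```

The weak point the poster already identifies still applies: the authorization is bound to the source IP address for the lifetime of the uauth entry, so anyone sharing or spoofing that address during the window inherits the access. Keeping the uauth window short and enabling accounting are the practical mitigations this mechanism offers.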

tonesurfer
