As far as getting the PIX to prompt for authentication, it can be done;
however, it needs to be done by a browser (since the browser has the ability
to "pop up" a username/password box, but Citrix doesn't have this
capability). You can simply have them go to a static web page that you
create which will ask for authentication. Once authenticated, they can (and
only then) get to Citrix on 1494:

In this example 10.20.10.51 would be your Citrix server and 10.20.10.4 would
be your web server. Obviously they could be the same box...

aaa authentication http inbound 10.20.10.4 255.255.255.255 0.0.0.0 0.0.0.0 tacacs+

aaa authorization tcp/1494 inbound 10.20.10.51 255.255.255.255 0.0.0.0 0.0.0.0

aaa authorization udp/1604 inbound 10.20.10.51 255.255.255.255 0.0.0.0 0.0.0.0

The TACACS+ or RADIUS server would then have a rule that states when address
x.x.x.x authenticates via HTTP, it is allowed to connect to server y.y.y.y
via 1494 and/or 1604.

Rob.

"Johnson, Richard (NY Int)" wrote in message news:[EMAIL PROTECTED]...
> Hi All,
>
> Is it possible to do the following.....I have a Citrix server on my
> internal network which has an outside address via NAT. On the PIX port 1494,
> ICA client, is open and is obviously allowed to come in. The user is then
> prompted for a user name and password. Upon entering this information, they
> are then prompted for the pin and secure ID by our RSA server. My question
> is this, as opposed to having the Citrix server prompt them for their RSA
> info I would love for them to be prompted by the firewall. Any ideas if it can?
>
>
> Thanks,
>
>
> Rich




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38427&t=38098
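
The flow described in the reply above, modeled as a small Python sketch (an added example, not part of the original post and not PIX code): the HTTP login is cached per source address, and tcp/1494 or udp/1604 to the Citrix server passes only while that address has a live login and the AAA server's rule permits the service. The class name, user names, passwords, rule table and 300-second timeout are constructed assumptions.

```python
from dataclasses import dataclass, field

WEB, CITRIX = "10.20.10.4", "10.20.10.51"    # addresses from the post
# Services the post places under "aaa authorization" for the Citrix server.
AUTHZ_SERVICES = {("tcp", 1494), ("udp", 1604)}
UAUTH_TIMEOUT = 300   # seconds a cached login stays valid (assumed value)

# Constructed AAA-server data: credentials, and per-user permitted services.
USERS = {"rich": "constructed-pw-1", "guest": "constructed-pw-2"}
RULES = {"rich": {(CITRIX, "tcp", 1494), (CITRIX, "udp", 1604)}}  # guest: none


@dataclass
class Firewall:
    """Hypothetical stand-in for the firewall's per-address login cache."""
    uauth: dict = field(default_factory=dict)   # source IP -> (user, login time)

    def http_login(self, src, user, password, now):
        """Browser request to WEB: the prompt is answered and checked with AAA."""
        if USERS.get(user) != password:
            return False
        self.uauth[src] = (user, now)            # login is keyed by source address
        return True

    def permit(self, src, dst, proto, port, now):
        """Decide whether an inbound Citrix connection passes the AAA gate."""
        if dst != CITRIX or (proto, port) not in AUTHZ_SERVICES:
            return False                         # outside the scope of this model
        entry = self.uauth.get(src)
        if entry is None:
            return False                         # ICA cannot prompt: no login, no access
        user, when = entry
        if now - when > UAUTH_TIMEOUT:
            del self.uauth[src]                  # expired: user must revisit the web page
            return False
        # Authentication alone is not enough; the AAA rule must allow the service.
        return (dst, proto, port) in RULES.get(user, set())
```

Because the login is tracked by source address, every client that reaches the firewall from the same address (for example from behind one NAT gateway) inherits it until the timeout expires.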