Re: Is this possible? [7:38098]
As far as getting the PIX to prompt for authentication, it can be done, however it needs to be done by a browser (since the browser has the ability to pop up a username/password box, but Citrix doesn't have this capability). You can simply have them go to a static web page that you create which will ask for authentication. Once authenticated, they can (and only then) get to Citrix on 1494:

In this example 10.20.10.51 would be your Citrix server and 10.20.10.4 would be your web server. Obviously they could be the same box...

    aaa authentication http inbound 10.20.10.4 255.255.255.255 0.0.0.0 0.0.0.0 tacacs+
    aaa authorization tcp/1494 inbound 10.20.10.51 255.255.255.255 0.0.0.0 0.0.0.0
    aaa authorization udp/1604 inbound 10.20.10.51 255.255.255.255 0.0.0.0 0.0.0.0

The TACACS+ or Radius server would then have a rule that states when address x.x.x.x authenticates via HTTP, it is allowed to connect to server y.y.y.y via 1494 and/or 1604.

Rob.

Johnson, Richard (NY Int) wrote in message news:[EMAIL PROTECTED]...

Hi All,

Is it possible to do the following. I have a Citrix server on my internal network which has an outside address via NAT. On the PIX port 1494, ICA client, is open and is obviously allowed to come in. The user is then prompted for a user name and password. Upon entering this information, they are then prompted for the pin and secure ID by our RSA server. My question is this, as opposed to having the Citrix server prompt them for their RSA info I would love for them to be prompted by the firewall. Any ideas if it can?

Thanks,
Rich

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38427t=38098
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
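The gate described in the reply above, modelled as an added Python example that is not part of the original post and is not PIX or TACACS+ code. The `Gate` class, the credential store, the client addresses and the 300-second cache lifetime are assumptions; the server addresses and ports come from the post. It shows that the grant is keyed on the client's source address and ends when the cached authentication expires.

```python
# Added illustration: models the decision logic only; not PIX or TACACS+ code.
from dataclasses import dataclass, field

WEB_SERVER = "10.20.10.4"      # from the post: static page that triggers the prompt
CITRIX_SERVER = "10.20.10.51"  # from the post: ICA target
# Services the AAA server authorizes once HTTP authentication succeeds (from the post).
AUTHORIZED = {("tcp", 1494, CITRIX_SERVER), ("udp", 1604, CITRIX_SERVER)}
CACHE_TTL = 300  # assumption: seconds an authentication stays cached


@dataclass
class Gate:
    users: dict                                 # constructed store: name -> secret
    cache: dict = field(default_factory=dict)   # source IP -> (user, expiry time)

    def http_login(self, src, dst, user, secret, now):
        """Only HTTP to the web server raises a prompt; success caches the source IP."""
        if dst != WEB_SERVER or self.users.get(user) != secret:
            return False
        self.cache[src] = (user, now + CACHE_TTL)
        return True

    def allow(self, src, proto, port, dst, now):
        """Permit only an authenticated source reaching an authorized service."""
        entry = self.cache.get(src)
        if entry is None or now >= entry[1]:
            self.cache.pop(src, None)           # never authenticated, or expired
            return False
        return (proto, port, dst) in AUTHORIZED


def demo():
    gate = Gate(users={"rich": "pin+tokencode"})  # constructed sample user
    client, other = "198.51.100.7", "203.0.113.9"  # constructed client addresses
    return [
        gate.allow(client, "tcp", 1494, CITRIX_SERVER, now=0),     # before login
        gate.http_login(client, WEB_SERVER, "rich", "pin+tokencode", now=10),
        gate.allow(client, "tcp", 1494, CITRIX_SERVER, now=20),    # ICA after login
        gate.allow(client, "tcp", 3389, CITRIX_SERVER, now=20),    # service not authorized
        gate.allow(other, "tcp", 1494, CITRIX_SERVER, now=20),     # different source address
        gate.allow(client, "udp", 1604, CITRIX_SERVER, now=400),   # cache has expired
    ]


if __name__ == "__main__":
    print(demo())
```
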
RE: Is this possible? [7:38098]
If you are running the RADIUS Daemon component on your SecurID server, you could have the Firewall pass the auth. request as a radius request. The radius daemon gets the request and passes it using native SecurID calls to the ACE server, then returns the appropriate response. As far as getting the Firewall to authenticate an actual application, I'm not aware of if or how you would do that.

Kelly Cobean

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Johnson, Richard (NY Int)
Sent: Wednesday, March 13, 2002 10:05 AM
To: [EMAIL PROTECTED]
Subject: Is this possible? [7:38098]

Hi All,

Is it possible to do the following. I have a Citrix server on my internal network which has an outside address via NAT. On the PIX port 1494, ICA client, is open and is obviously allowed to come in. The user is then prompted for a user name and password. Upon entering this information, they are then prompted for the pin and secure ID by our RSA server. My question is this, as opposed to having the Citrix server prompt them for their RSA info I would love for them to be prompted by the firewall. Any ideas if it can?

Thanks,
Rich

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38113t=38098
RE: Is this possible? [7:38098]
Yes, you'll need to configure the PIX to use AAA and have it speak Radius or TACACS+ to the ACE server:

How to do AAA with the PIX:
http://www.cisco.com/warp/public/110/atp52.html

Info on Cisco talking to ACE server:
http://www.rsasecurity.com/support/guides/imp_pdfs/Cisco_Remote_Access_Servers_and_Pix_FW.pdf

You can probably get more info from the RSA site.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Johnson, Richard (NY Int)
Sent: Wednesday, March 13, 2002 7:05 AM
To: [EMAIL PROTECTED]
Subject: Is this possible? [7:38098]

Hi All,

Is it possible to do the following. I have a Citrix server on my internal network which has an outside address via NAT. On the PIX port 1494, ICA client, is open and is obviously allowed to come in. The user is then prompted for a user name and password. Upon entering this information, they are then prompted for the pin and secure ID by our RSA server. My question is this, as opposed to having the Citrix server prompt them for their RSA info I would love for them to be prompted by the firewall. Any ideas if it can?

Thanks,
Rich

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38138t=38098