Hi,
Would someone knowledgeable (or otherwise :-) care to enlighten
me (and possibly others) on how the PIX authenticates users of
the HTTP protocol?
My understanding so far ....
On receiving an HTTP packet from a host (not user) the PIX looks
to see if one has already been received and the host (not user)
has authenticated. If so and the configurable timeout has not
expired, the packet flows. If not ...
Send something back to the browser to indicate that the
user must supply some authentication.
The browser then sends something back which the PIX interprets
as authentication information, checks the database and allows
or denies access to the IP address from which the packets
came.
It is this process in which I need more information. There seem to
be several shortcomings on this sort of authentication based on IP.
Consider sites using DHCP. It is possible that someone not
allowed internet access (it happens) gets a free IP that
is (by virtue of the fact the previous user authenticated).
Same thing goes for dialup users getting a previously
authenticated IP with time still left on the Pix meter.
Consider multi-user hosts. Only the first person through the
firewall needs to authenticate - everyone else travels on that
same "ticket".
This last point tends to indicate that the browser sends nothing
to the PIX in the normal HTTP stream and that the authentication is
done by a separate application (Java?) on the user's machine. This
then brings problmes with people running Lynx (there are some still)
or hosts not supported by PIX's "authentication client".
Waiting for info ...
Colin
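A small model of the process Colin describes (an added example, not code from the post and not Cisco's PIX implementation): authentication state kept per source IP with an idle timeout, which is enough to reproduce the DHCP-reuse and multi-user cases raised above. The timeout value, addresses and the user database are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the behaviour described in the post: the firewall
# remembers authentication per source IP, with an idle timeout, and any
# packet from an IP with live state passes regardless of who sent it.


@dataclass
class IpAuthCache:
    idle_timeout: int                 # seconds of inactivity before re-auth
    valid_users: dict                 # username -> password (constructed db)
    _entries: dict = field(default_factory=dict)  # ip -> (user, last_seen)

    def check_packet(self, src_ip, now, credentials=None):
        """Decide what happens to an HTTP packet from src_ip at time `now`.

        Returns (decision, user_on_record), where decision is 'ALLOW',
        'CHALLENGE' (ask the browser for credentials) or 'DENY'.
        """
        entry = self._entries.get(src_ip)
        if entry is not None:
            user, last_seen = entry
            if now - last_seen <= self.idle_timeout:
                # Live state for this IP: pass the packet without looking
                # at who is behind the address now.
                self._entries[src_ip] = (user, now)
                return "ALLOW", user
            del self._entries[src_ip]  # timer expired: state is gone
        if credentials is None:
            return "CHALLENGE", None
        username, password = credentials
        if self.valid_users.get(username) == password:
            self._entries[src_ip] = (username, now)
            return "ALLOW", username
        return "DENY", None


def demonstrate():
    """Walk through the DHCP/multi-user case and return the decision log."""
    fw = IpAuthCache(idle_timeout=300, valid_users={"alice": "s3cret"})
    log = [fw.check_packet("10.0.0.5", now=0)]                       # challenged
    log.append(fw.check_packet("10.0.0.5", now=1,
                               credentials=("alice", "s3cret")))     # alice allowed
    # Two minutes later a different host (or user) holds 10.0.0.5:
    # the firewall still sees live state and lets it through as alice.
    log.append(fw.check_packet("10.0.0.5", now=120))
    # Only once the idle timer has run out is the address challenged again.
    log.append(fw.check_packet("10.0.0.5", now=1000))
    return log
```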