Virtual HTTP
With cut-through proxy authentication enabled for Web traffic (HTTP), users
may experience problems when connecting to Web sites that run Microsoft
IIS with Basic Authentication or NT Challenge enabled. This is an issue when
the Web server requires login credentials different from those held by the PIX firewall's AAA
server. When HTTP authentication is used against a Microsoft IIS Web site with Basic
Authentication or NT Challenge enabled, the browser appends a string such as
"Authorization:Basic=Uuhjksdkfhk==" to its HTTP GET requests. Because
this string carries the PIX authentication credentials and not the IIS
credentials, the user is denied access unless the user's AAA username and
password happen to match those defined on the Web server.
To get around this issue, the PIX firewall provides a virtual HTTP feature.
The Web browser's initial connection is redirected to the virtual HTTP IP
address on the PIX firewall. The user is authenticated there, and the browser is
then redirected to the actual URL that the user requested. Virtual HTTP is transparent
to users. To define a virtual HTTP server, use the following command:
virtual http ip_address [warn]
The ip_address parameter specifies an unused IP address that is routed to the
PIX firewall. The warn keyword tells users that their request was redirected;
it applies only to browsers that cannot follow the redirect automatically.
For example, to enable virtual HTTP using the IP address 10.5.1.15, use the
following command:
PIX1(config)# virtual http 10.5.1.15
Figure 5.34 illustrates the sequence of events that occurs when virtual HTTP
is enabled.
The steps identified in Figure 5.34 are described here:
1. The Web browser sends an HTTP request to the Web server.
2. The PIX firewall intercepts the connection attempt and replies with an
HTTP 401 Authorization Required response.
3. The Web browser receives the response from the firewall and pops up a
dialog box for the user to enter the username and password. The user
enters the username and password and presses OK.
4. The Web browser resends the original HTTP request with the username
and password embedded as a base64 encoding of "username:password".
The actual header field looks similar to the following:
Authorization: Basic ZnJlZDp0aGF0cyBtZQ==
where ZnJlZDp0aGF0cyBtZQ== is the base64 encoding of the "username:password"
pair (in this case "fred:thats me").
5. The PIX firewall receives the HTTP request and splits it into two
requests: the AAA authentication request, which contains the username and
password, and the original HTTP request without the username and
password.
6. The PIX firewall sends the AAA authentication request to the AAA
server.
7. The AAA server attempts to authenticate the user with the provided
username and password and returns an ACCEPT or REJECT message.
8. Assuming that the user authenticated successfully, the PIX firewall
then forwards the original HTTP request (without the username and
password) to the Web server. If the Web server requires its own authentication,
it sends its own challenge back to the user.
With virtual HTTP enabled, once the user has authenticated, he or she will
not have to authenticate again for as long as a Web browser instance remains active.
The uauth timer will not expire, because every subsequent Web request
carries the base64-encoded username and password embedded in its Authorization header.
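The eight-step exchange above, modelled in Python as an added example (this is not code from the original page or from Cisco): the 401 challenge of step 2, the browser's base64 encoding of step 4, and the firewall's split of the request into an AAA credential check plus a stripped copy for the Web server in steps 5 to 8. The request text, the realm string and the AAA_USERS table are constructed for the example; the base64 token is the page's own and decodes to "fred:thats me". The decoder splits on the first colon only, because a Basic password may itself contain colons while the username may not.

```python
import base64
import binascii

# Constructed sample of the browser's resend in step 4, carrying the PIX credentials.
# The token "ZnJlZDp0aGF0cyBtZQ==" is the page's own example and decodes to "fred:thats me".
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic ZnJlZDp0aGF0cyBtZQ==\r\n"
    "User-Agent: constructed-sample/1.0\r\n"
    "\r\n"
)

# Hypothetical AAA user database standing in for the TACACS+/RADIUS server of step 7.
AAA_USERS = {"fred": "thats me"}


def challenge_response(realm="PIX virtual HTTP"):
    """Step 2: the 401 the firewall returns before it has seen any credentials.
    The realm string is an assumption; the real PIX text may differ."""
    return (
        "HTTP/1.1 401 Authorization Required\r\n"
        f'WWW-Authenticate: Basic realm="{realm}"\r\n'
        "Content-Length: 0\r\n"
        "\r\n"
    )


def encode_basic(username, password):
    """Step 4, as the browser does it: base64 of 'username:password'."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_basic(header_value):
    """Reverse of encode_basic. Returns (username, password), or None when the
    header is not a well-formed Basic credential. Splits on the FIRST colon,
    since the password may contain colons and the username may not."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def split_request(request):
    """Step 5: separate the AAA credential from the request that will go on to
    the Web server. Returns (credentials_or_None, request_without_authorization)."""
    head, sep, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = [lines[0]]              # request line is always forwarded
    creds = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            creds = decode_basic(value)
            continue               # header is dropped from the forwarded copy
        kept.append(line)
    return creds, "\r\n".join(kept) + sep + body


def cut_through_proxy(request, users=AAA_USERS):
    """Steps 5 to 8 together: ('forward', stripped_request) when the AAA check
    ACCEPTs, otherwise ('challenge', 401_response) so the browser prompts again."""
    creds, stripped = split_request(request)
    if creds is None or users.get(creds[0]) != creds[1]:
        return "challenge", challenge_response()
    return "forward", stripped


if __name__ == "__main__":
    action, out = cut_through_proxy(SAMPLE_REQUEST)
    print(action)
    print(out)
```

Basic credentials are only base64-encoded, not encrypted, so after step 4 the PIX AAA username and password travel in clear text in every request the browser sends; anyone who can capture the HTTP traffic recovers them exactly as decode_basic does. That same resending on every request is also why the uauth entry is refreshed for as long as the browser stays open.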
Figure 5.34 Virtual HTTP Operation (diagram: Client, PIX Firewall, AAA Server, Web Server and Internet, with arrows numbered 1 through 8 matching the steps listed above)
268 Chapter 5 • Authentication, Authorization, and Accounting
WARNING
Do not set the uauth timer to 0 when virtual HTTP is enabled, because doing
so prevents access to the requested (real) Web server.
Use the show virtual http command to display the configuration and the no
virtual http command to disable virtual HTTP.