From: Kal Han (calikali2006@gmail.com)
Date: Wed Nov 22 2006 - 23:20:52 ART
I think they are different from each other.
From what I know, IOS auth-proxy can be invoked only by HTTP.
(I don't think FTP or telnet can invoke IOS auth-proxy.)
PIX auth-proxy can be invoked by any interactive protocol,
in terms of entering a username/password
(like HTTP, telnet, FTP, HTTPS).
The rest of them can ONLY be done by virtual telnet or HTTP.
(But it's still possible to block anything that is not authenticated,
unlike IOS auth-proxy.)
You can have a match-any access-list for authentication.
But it cannot authenticate anything other than the above protocols,
so you are left unreachable.
When you try to connect to services running on, say, port 12345,
you will get an error message similar to "needs authentication but
cannot authenticate service" (paraphrased).
That's when you configure virtual telnet (similar to lock-and-key ACLs
in IOS).
IOS is very simple in this (auth-proxy) matter and will start with HTTP
traffic, and it will allow the rest. You can't control access to the rest of
the traffic with auth-proxy,
whereas with PIX you can control access to virtually all kinds of IP
traffic.
Thanks
Kal
On 11/22/06, Lab Rat #109385382 <techlist01@gmail.com> wrote:
>
> Just trying to understand the fundamental differences between the two.
>
> It seems that IOS is limited to authenticating against:
>
> - FTP
> - HTTP
> - TELNET
>
> While PIX auth-proxy can--technically--match any traffic using the
> "aaa authentication match" command?
>
> I've been configuring both in isolated lab scenarios over the past few weeks
> and I guess the two ideas are starting to intersect in my mind.
>
> I'm curious as to the detailed differences between the two... I will continue
> reading the Doc CD on this, but maybe someone had some basic principles they
> could share...?
>
> Thanks,
>
> Ed
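As an added illustration (not part of either message, and not a Cisco documentation example), here is a constructed pair of configurations showing the two models discussed above: PIX "aaa authentication match" with a match-any ACL plus a virtual telnet address for ports that cannot be prompted, and IOS auth-proxy triggered by HTTP only. Syntax follows PIX 6.3 / IOS 12.x as I know it; the addresses, names and the TACACS+ key are placeholders.

```cisco
! ---- PIX (6.3-style syntax), constructed example ----
! AAA server that answers the username/password prompt
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.5 PLACEHOLDER-KEY timeout 5
! Match-any ACL: every inside->outside flow must be authenticated first
access-list AUTH permit ip any any
aaa authentication match AUTH inside TACACS+
! Interactive protocols (telnet, FTP, HTTP, HTTPS) are prompted inline.
! A flow to, e.g., TCP/12345 cannot be prompted, so it is refused until the
! user has authenticated by telnetting to the virtual address below
! (placeholder; must be an otherwise unused address the PIX answers on).
virtual telnet 192.0.2.254
! How long an authenticated-user (uauth) entry stays valid
timeout uauth 0:05:00 absolute

! ---- IOS (12.x-style syntax), constructed example ----
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.5 key PLACEHOLDER-KEY
! auth-proxy intercepts HTTP only; the router's HTTP server serves the prompt
ip http server
ip http authentication aaa
ip auth-proxy auth-cache-time 60
ip auth-proxy name WEBAUTH http
! Inbound ACL: before login only the AAA server is reachable. Per-user
! permits (proxyacl#n entries in the TACACS+ profile) are inserted
! dynamically after a successful HTTP login, so non-HTTP traffic can never
! trigger the prompt; it is simply denied or, once logged in, permitted.
access-list 101 permit tcp any host 10.1.1.5 eq tacacs
access-list 101 deny ip any any
interface FastEthernet0/0
 ip access-group 101 in
 ip auth-proxy WEBAUTH
```

On the PIX, a user who needs TCP/12345 first telnets to 192.0.2.254, authenticates, and is then covered by the uauth entry for the timeout period; on IOS the same user must open any HTTP connection through the router to be prompted.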
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART