
How to force authentication through PIX for ftp


Prodigus

MIS
Mar 5, 2003
10
US
Ok, so I'm trying to go live with my new Pix 525/websense combo and I have this last little beast to work out.

FTP

With the latest version of PIX (6.3) you "can" direct ftp traffic at the Websense server. Unfortunately that will only take care of authorization and not authentication. It just lets them go if the ftp "protocol" is allowed for the group they're in. Not acceptable!

I need to be able to put people into an NT group that have permission to ftp outbound and have them authenticate through the firewall in order to do it.

The direction I've been attempting is pointing my radius box to the NT group and the PIX to the radius server. I get prompted for authentication now but it's for the site I'm ftp'ing to, not the firewall/Radius. All I have to do is check the logon as anonymous box and out I go. Before I put the lines in the pix it just let me go straight through, which is also unacceptable. I must have something done wrong or am going the wrong way with this.

Here are the lines I have in the pix for it....

(config)# aaa-server \\bmgs\ftp protocol radius
(config)# aaa-server \\bmgs\ftp (inside) host 129.109.1.1 <shared secret> timeout 5
(config)# access-list ftpauth permit tcp any any eq ftp
(config)# aaa authentication match ftpauth inside \\bmgs\ftp

Any ideas on how I can do this successfully?

Thanks!!!!
 
Ok, so now I see that the PIX is actually sending packets to the RADIUS server.

Unfortunately the RADIUS server is denying it based on the fact that the PIX is sending it a username of anonymous and a blank password. I want it to prompt me for credentials....

I also can't figure out why it goes ahead and lets me out after I just click the logon anonymously box that DOES pop up..... (btw, the RADIUS server gets the anonymous username BEFORE I check that box and click ok, so that can't be it.....)
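A small model of the credential split a PIX cut-through proxy applies to FTP logins, added here as an illustration; it is not the poster's configuration and not Cisco code. The firewall user table, the sample logins and the choice to split at the first '@' are constructed assumptions of this model.

```python
"""Model of the PIX cut-through proxy credential split for FTP.

With "aaa authentication match ..." applied to FTP, the PIX expects the
client to send USER local_user@remote_user and PASS local_pass@remote_pass:
the part before '@' is checked against the AAA (RADIUS) server, the rest is
relayed to the FTP site.  A client that auto-logs in as anonymous sends no
firewall credentials, so RADIUS sees "anonymous" with an empty password,
which is what the thread above reports.
"""

# Constructed sample data standing in for the RADIUS / NT-group lookup:
# firewall user -> password.
FIREWALL_USERS = {"alice": "s3cret"}


def split_ftp_credentials(user, password):
    """Split FTP USER/PASS into firewall and remote halves.

    Returns ((fw_user, fw_pass), (remote_user, remote_pass)).  The split is
    modelled at the first '@' (assumption) so a remote password containing
    '@' survives intact.  Without any '@' the whole value is taken as the
    firewall credential and the remote half is None.
    """
    fw_user, _, remote_user = user.partition("@")
    fw_pass, _, remote_pass = password.partition("@")
    return (fw_user, fw_pass), (remote_user or None, remote_pass or None)


def firewall_decision(user, password):
    """Decide whether the firewall lets the FTP session out.

    Returns (decision, fw_user, remote_credentials).  'deny' mirrors the
    RADIUS reject for an anonymous login with a blank password.
    """
    (fw_user, fw_pass), remote = split_ftp_credentials(user, password)
    if FIREWALL_USERS.get(fw_user) != fw_pass:
        return "deny", fw_user, remote
    return "allow", fw_user, remote


if __name__ == "__main__":
    # Constructed sample logins: an anonymous auto-login and a proper
    # firewall_user@remote_user / firewall_pass@remote_pass login.
    for creds in (("anonymous", ""), ("alice@ftp", "s3cret@ftp@example.org")):
        print(creds, "->", firewall_decision(*creds))
```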
 