
RE: [FW1] Client Auth/Redirect on Fail



You must do user authentication + client authentication together. I have several customers that are doing this.
Basically, if you use user auth by itself, it will authenticate on every new URL, although using http proxy will allow this.
 
If you use a user auth rule first, followed by a partial automatic client auth rule, if the user fails to authenticate, then there will be a not authenticated screen presented by fw-1.
 
Thomas Poole
-----Original Message-----
From: Mills, Paul [mailto:[email protected]]
Sent: Thursday, September 07, 2000 4:58 PM
To: '[email protected]'
Subject: [FW1] Client Auth/Redirect on Fail

Hey list!  Here's my problem...

I'm running VPN-1 4.1 SP1 on AIX for Production and VPN-1 4.1 SP1 on NT for Testing.  Not ideal, but...
In a lab environment I have successfully implemented two independent rule setups:
1) Client Authentication (Partially Automatic) for allowing only authorized users HTTP and HTTPS internet access
2) HTTP redirect to a "No no" page if users HTTP to somewhere that is not implicitly allowed by the firewall.

Now I need to try to use them both together...but I'm having trouble doing that.  I've checked Phoneboy's most excellent site and I don't see any pages that refer to what I'm trying.  I know you can do this (sort of) with User Authentication, but we can't use User Auth. because the method of internet access authentication won't support it.  It looks like the 401 error page that is generated from a failed Client Auth. is generated by the firewall itself and a reference to that on Phoneboy states that there is no way to change that unless you hack the kernel...something I can't do.

Has anyone else tried this before and was it successful?

Thanks,

Paul Mills
Data Security Analyst

CCSA, CCSE
//AMERICREDIT CORPORATION
[email protected]

#27:  The data on your hard drive is out of balance.



 
----------------------------------

All contents © 2003 Network Presence, LLC. All rights reserved.