[FW1] IAS+W2K authentication
Dan,

today I made the IAS+W2k work with FW1. I discovered that the fw1 sends the request to IAS using PAP, but the default of IAS is MS-CHAP and MS-CHAP v2, so I checked to use PAP too. Now I'd like to know if it's possible to change from PAP to another like MS-CHAP on FW1, because PAP isn't encrypted.

Another problem is the authentication type, I explain. If I use User authentication in HTTP access, I need to authenticate which site or link. If I use client authentication with automatic logon (it works like User Authentication but authenticates the IP) I get Dr. Watson in FW.exe. For me the best solution is client authentication working like User authentication, but with Dr. Watson I can't. Did you see anything like this??

best regards,
Leonardo

-----Original Message-----
From: Dan Hitchcock [mailto:[email protected]]
Sent: Monday, 6 November 2000 19:51
To: Mangelli, Leonardo
Cc: '[email protected]'
Subject: RE: [FW1] os password and nt authentication

IAS is much simpler to set up in Win2k than it is in NT4, and it ships on the Win2k CD (add/remove programs -> add/remove windows components). I've successfully implemented Hybrid-mode SecuRemote auth using Win2k IAS. Not sure if that addresses the issue at hand, but for what it's worth...

Dan Hitchcock
CCNA, MCSE
Network Engineer
Xylo, Inc. (formerly employeesavings.com)
The work/life solution for corporate thought leaders

-----Original Message-----
From: Mangelli, Leonardo [mailto:[email protected]]
Sent: Monday, November 06, 2000 2:13 PM
To: 'Dean Cunningham'
Cc: '[email protected]'
Subject: RE: [FW1] os password and nt authentication

Dean,

I considered the first option but the customer doesn't want to use a proxy. About the second option, I know that it works with NT4.0, but in my environment the customer is using W2k and until now it didn't work. Do you have the procedures to configure IAS for NT4.0??

best regards,

Leonardo S.L. Passeri Mangelli
Infrastructure Services - COMPAQ Brazil
Phone: 55-21-277-6180
e-mail: [email protected]
our site: http://www.compaq.com

-----Original Message-----
From: Dean Cunningham [mailto:[email protected]]
Sent: Monday, 6 November 2000 18:30
To: Mangelli, Leonardo
Cc: '[email protected]'
Subject: RE: [FW1] os password and nt authentication

1) Install MS proxy server or CSM http://www.csm-usa.com/
Point the 400 users (or even all of them) Internet Explorer to it and you can then control access via NT Groups. The firewall then only has to be set up to allow HTTP out from the proxy server. The proxy server takes care of the authentication. You also get detailed logging via the proxy server of sites accessed via the username....

2) FW supports a RADIUS server. IAS that comes with NT option pack 4 can use multiple domains so long as trusts are set up between the domains. It needs to only be a one way trust.

cheers
Dean

-----Original Message-----
From: Mangelli, Leonardo [mailto:[email protected]]
Sent: Tuesday, 7 November 2000 2:27 AM
To: 'c'
Subject: [FW1] os password and nt authentication
Importance: High

Hi,

I have a customer that would like to use NT authentication for the http services, but only for a restricted group. As I saw in the documentation, he has to join the firewall machine in the domain and after that he can choose two options:

1 - create a user called "generic*" to authenticate all users in an external database (NT domain)
2 - create account by account in the firewall for it to check in the PDC

My questions are:

1 - If my customer has 1000 user accounts in the NT domain but only 400 users can access the http service, how can I restrict the access to permit only the 400 to pass through the firewall authenticating? The only way for me is to create the 400 accounts one by one in the firewall, but it's crazy.
2 - Does the FW-1 support OS password authentication for multiple NT domains???

Leonardo S.L. Passeri Mangelli
Infrastructure Services - COMPAQ Brazil
Phone: 55-21-277-6180
e-mail: [email protected]
our site: http://www.compaq.com

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================

***************************************************
This e-mail is not an official statement of the Waikato Regional Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************
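
Added example, not part of the original thread and not Check Point or Microsoft code: how a RADIUS Access-Request carries a PAP password (the User-Password hiding of RFC 2865 section 5.2, which rests entirely on the firewall/IAS shared secret) and how to tell from the request's attributes whether PAP, CHAP or MS-CHAP is in use. The secret, authenticator, user name and password are constructed sample values; attribute numbers are those of RFC 2865 and RFC 2548.

```python
import hashlib
import struct

SECRET = b"constructed-shared-secret"   # constructed sample value
AUTHENTICATOR = bytes(range(16))        # constructed; must be random per request

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous cipher block)."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1-128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Server side: rebuild the same MD5 pads, chaining on the received blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(user, credential_attr, authenticator):
    """Build a minimal Access-Request: User-Name plus one credential attribute."""
    attrs = bytes([1, len(user) + 2]) + user + credential_attr
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + authenticator + attrs

def auth_method(packet):
    """Name the authentication method from the credential attribute present."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1:
        return "not an Access-Request"
    pos = 20
    while pos + 2 <= min(length, len(packet)):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            break                                   # malformed attribute
        value = packet[pos + 2:pos + alen]
        if atype in (2, 3):                         # User-Password, CHAP-Password
            return {2: "PAP", 3: "CHAP"}[atype]
        if atype == 26 and value[:4] == struct.pack("!I", 311):  # Microsoft VSA
            if value[4:5] in (b"\x01", b"\x19"):    # MS-CHAP / MS-CHAP2 response
                return "MS-CHAP" if value[4] == 1 else "MS-CHAPv2"
        pos += alen
    return "unknown"

HIDDEN = hide_password(b"constructed-password", SECRET, AUTHENTICATOR)
PAP_REQUEST = access_request(b"sample-user", bytes([2, len(HIDDEN) + 2]) + HIDDEN, AUTHENTICATOR)
```

Anyone holding the shared secret recovers the password exactly as `unhide_password` does, so with PAP the secret's length and randomness, and the network path between firewall and IAS, are what protect the credential.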