
RE: [FW1] User auth question



Some quick thoughts:

You need to have another group with the non-x-limited users in it. You could
use LDAP off another internal LDAP server to achieve this rather than
typing them all in.

Also have a read on the negate option when adding a group to the rule.

-----Original Message-----
From: Adams, Gavin [mailto:[email protected]]
Sent: Friday, 23 February 2001 7:44 AM
To: [email protected]
Subject: [FW1] User auth question



Greetings all,

I have an SR community using digital certs (IKE) to authenticate, and the
generic* user so I don't have to create individual user accounts on the
fw. However, I now need to create a second client encrypt rule to limit
certain SR users to a subset of resources. I've attempted this by only
creating those users that I want to encrypt on a different rule. All the
regular users still match against the generic user.

However, all users, including the ones created on the fw, are triggering
on the rule that has the generic user. Here's the config:

Users:
Generic*      member of AllUsers group
x-limited     member of Limited group


Rules on the firewall:

Rule   src             dst       protocol   action
4      Limited@any     serverA   http       client encrypt
5      AllUsers@any    any       any        client encrypt

When x-limited authenticates and attempts to connect to a resource in
the encryption domain, the rule that is triggered is rule 5, not rule 4.
This happens even when generic* is the only member of AllUsers.

Should this work? If not, any pointers?

Regards,

--- Gavin



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================