NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] User auth question



That's the strange part, I do have two separate groups (in this example
AllUsers and LimitedUsers). For whatever reason, the generic* user is
being matched on all auth requests. Removing generic* and adding
individual accounts to the firewall resolved the problem. 

According to the docs, if the username appears in the fw-1 user list, it
overrides generic*. I'm doing something wrong, be damned if I know what
it is... yet. ;-)

--- Gavin

 -----Original Message-----
From: 	Dean Cunningham [mailto:[email protected]] 
Sent:	Thursday, February 22, 2001 18:02
To:	Adams, Gavin; '[email protected]'
Subject:	RE: [FW1] User auth question

some some quick thoughts

You need to have another group with the non x-limited users in it. You
could
use LDAP off another and internal ldap server to achieve this rather
than
type all in.

 Also have a read on the negate option when adding a group to the rule

-----Original Message-----
From: Adams, Gavin [mailto:[email protected]]
Sent: Friday, 23 February 2001 7:44 AM
To: [email protected]
Subject: [FW1] User auth question



Greetings all,

I have a SR community using digital certs (IKE) to authenticate, and the
generic* user so I don't have to create individual user accounts on the
fw. However, I now need to create a second client encrypt rule to limit
certain SR users to a subset of resources. I've attempted this by only
creating those users that I want to encrypt on a different rule. All the
regular users still match against the generic user.

However, all users, including the ones created on the fw, are triggering
on the rule that has the generic user. Here's the config:

Users:
Generic*	member of AllUsers group
x-limited	member of Limited group


Rules on the firewall:

Rule	src		dst	protocol		action
4	Limited@any	serverA	http		client encrypt
5	AllUsers@any	any	any		client encrypt

when x-limited authenticates and attempts to connect to a resource in
the encryption domain, the rule that is triggered is rule 5, not rule 4.
This even when genric* only is the only member of AllUsers.

Should this work? If not, any pointers?

Regards,

--- Gavin



========================================================================
====
====
     To unsubscribe from this mailing list, please see the instructions
at
               http://www.checkpoint.com/services/mailing.html
========================================================================
====
====
***************************************************
This e-mail is  not an  official  statement of  the
Waikato  Regional  Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.