RE: [FW1] RADIUS Setup
Patrick,

> I get no logging message on the RADIUS server about authentication
> even being attempted, but I get the following in the firewall logs:
> reject rule 0 reason Refused Topology request.
> Authentication scheme not allowed for user.

This error message indicates that you have turned off the property "Respond to Unauthenticated topology downloads" but have NOT enabled IKE authentication for the generic* user. You have two options:

1: Enable unauthenticated topology downloads
2: Use Hybrid mode IKE

The password used for topology download is assigned in the IKE tab for the generic* user (Encryption/IKE, Authentication tab). It will be the same for ALL users authenticated by Radius. (Note that this REQUIRES IKE to be enabled.) Radius will NOT be used to validate this password. The Radius password is used for the SecuRemote encrypted session, for either FWZ or for Hybrid mode IKE.

--
Timothy Frost          mailto:[email protected]
EDS New Zealand        Fax: +64-4-495-0473
8 Gilmer Terrace       Phone: +64-4-495-0504
P O Box 3647
Wellington
New Zealand

-----Original Message-----
From: Patrick Baird [mailto:[email protected]]
Sent: Sunday, March 18, 2001 3:42 AM
To: '[email protected]'
Subject: [FW1] RADIUS Setup

All,

FW-1 4.1 SP3
NT sp6a
RADIUS - W2k IAS

I have defined the following:

Firewall Object: Authentication Tab - RADIUS
I have defined a network object for my RADIUS server (call it Radius1).
I have created a RADIUS server object - entered the shared secret - I have selected RADIUS V2.0.
I have created a RADIUS Group object, and placed the above RADIUS Server object in it.
I have created the generic* user, added RADIUS, with my RADIUSServer group.
I have added the generic* user to the appropriate SR group for rule definition.
I have unchecked the 'allow fw-1, blah, blah connections' in the properties pane and have defined the appropriate connection rules manually (topo, key, IKE, mgmt, etc. -> they all work).

Before my stealth rule I have added the following rule:
FW  Radius1  UDP RADIUS  Accept  Long  SRC

On the W2k IAS server, I have added the FW object for authentication and enabled it in Active Directory. The server does appear in the RAS & IAS Servers group. The user does have RAS access enabled.

I get no logging message on the RADIUS server about authentication even being attempted, but I get the following in the firewall logs:
reject rule 0 reason Refused Topology request. Authentication scheme not allowed for user.

1 Question, do I need the Routing and Remote Access service running on the IAS machine?

If I switch to fw-1 password on the firewall object, my SR rules work fine.

Can someone please tell me what I'm missing, I'm going crazy!!!!

thanks in advance.
PDB

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
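Patrick's symptom (nothing logged on the IAS server) and Timothy's explanation (the topology request is refused before RADIUS is ever consulted) can be separated by testing the RADIUS path directly from the firewall host, independently of FireWall-1. The script below is an added example and is not code from the list posting or from Check Point. It builds an RFC 2865 Access-Request with the PAP password hiding that RADIUS uses, sends it to the server, and checks the Response Authenticator against the shared secret. The server address, shared secret, user name, password and NAS address are constructed placeholders; the defaults of UDP 1812 (RFC 2865) and the older 1645 are the only real values.

```python
"""Minimal RFC 2865 RADIUS Access-Request client and response verifier.

Added example for the FW1 thread, not the poster's or Check Point's code.
All hostnames, secrets and credentials are constructed placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute type numbers from RFC 2865 section 5.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed on the shared secret, not strong encryption."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does); strips NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length covers the two header octets (max 255)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Return (packet, request_authenticator). The authenticator must be
    unpredictable (RFC 2865 s3); it is a parameter only so tests can be fixed."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(data: bytes):
    """Return a list of (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def verify_response(response, request_authenticator, secret):
    """RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    Returns (code, identifier, attributes) or raises on a bad authenticator."""
    if len(response) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response):
        raise ValueError("bad length field")
    response = response[:length]
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or spoofed reply")
    return code, ident, parse_attributes(response[20:])


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side of the same computation; used to produce a sample reply offline."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def probe(server, secret, username, password, nas_ip, port=1812, timeout=3.0):
    """Send one Access-Request; return the verified reply code, or None on timeout.
    port 1812 is the RFC 2865 port, 1645 the older one that some setups still use."""
    packet, req_auth = build_access_request(os.urandom(1)[0], username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_response(data, req_auth, secret)[0]


if __name__ == "__main__":
    # Placeholder values: replace with the real IAS address and FW-1 shared secret.
    print(probe("192.0.2.10", b"placeholder-secret", "testuser", "testpass", "192.0.2.1"))
```

If probe() returns None and the IAS event log stays empty, the packet never reached the server (rule, route or port), which is a different fault from the one in the thread. An Access-Reject still proves the path and the shared secret are right, and a Response Authenticator mismatch means the secret differs between the firewall object and the IAS client entry. Under Timothy's diagnosis this probe succeeds while SecuRemote still fails, because the topology download is refused before any RADIUS exchange starts.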