
RE: [FW1] RADIUS Setup



Patrick,


> I get no logging message on the RADIUS server about authentication
> even being attempted, but I get the following in the firewall logs:
>    reject rule 0   reason Refused Topology request.
>                    Authentication scheme not allowed for user.

This error message indicates that you have turned off the property 
	Respond to Unauthenticated topology downloads
but have NOT enabled IKE authentication for the generic* user.

You have two options:
1:  Enable unauthenticated topology downloads
2:  Use Hybrid mode IKE



The password used for topology download is assigned in the IKE tab for the
generic* user (Encryption/IKE, Authentication tab).  It will be the same for
ALL users authenticated by Radius.  (Note that this REQUIRES IKE to be
enabled.)  Radius will NOT be used to validate this password.


The Radius password is used for the SecuRemote encrypted session, for either
FWZ or for Hybrid mode IKE.




-- 
Timothy Frost			mailto:[email protected]
EDS New Zealand			Fax: +64-4-495-0473
8 Gilmer Terrace		Phone: +64-4-495-0504
P O Box 3647
Wellington
New Zealand
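The reject above is raised by the firewall before any RADIUS traffic is sent, which is why the IAS server shows nothing. When the firewall-side settings have been fixed, it still helps to prove the RADIUS path (shared secret, client entry on IAS, UDP rule) independently of SecuRemote. The following is an added example, not code from this thread or from Check Point: a small RFC 2865 PAP client that builds an Access-Request, encodes User-Password with the shared secret, and verifies the Response Authenticator on the reply. Server address, port (1812 by default here; older deployments listen on 1645), user name and password are assumptions to be filled in by the reader.

```python
"""Minimal RFC 2865 RADIUS (PAP) client helpers for testing a RADIUS server
directly, independent of the firewall. Added example, not from the thread."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks (at least one block), then
    chain c_i = p_i XOR MD5(secret + c_{i-1}) with c_0 = Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password must be at most 128 octets")
    padded_len = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, padded_len, 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password (what the server does), padding stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(encoded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = encoded[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1, header included) Value; value is 1..253 octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes,
                         username: bytes, password: bytes, secret: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Server-side construction (used here to test the verifier): Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request_authenticator: bytes,
                    secret: bytes, expected_identifier: int):
    """Return the packet code if the reply is well-formed, matches our identifier
    and carries a valid Response Authenticator; otherwise None."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != expected_identifier or length < 20 or length > len(response):
        return None
    response = response[:length]
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def radius_pap_check(server: str, secret: bytes, username: bytes, password: bytes,
                     port: int = 1812, timeout: float = 3.0) -> str:
    """Live check: send one Access-Request and classify the outcome."""
    identifier = os.urandom(1)[0]
    request_auth = os.urandom(16)
    packet = build_access_request(identifier, request_auth, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no response (server silently drops requests with a bad shared secret or unknown client)"
    code = verify_response(data, request_auth, secret, identifier)
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(
        code, "reply failed Response Authenticator check")


if __name__ == "__main__":
    # Assumed values: replace with the real IAS host, shared secret and a test account.
    print(radius_pap_check("radius1.example.test", b"shared-secret", b"testuser", b"testpass"))
```

A silent timeout from IAS usually means the request never matched a configured RADIUS client or the shared secret differs (IAS discards such packets rather than answering), which is the same "nothing logged" symptom as in the question; an Access-Reject means the server was reached and the shared secret is right, so the problem is the account or the policy.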


-----Original Message-----
From: Patrick Baird [mailto:[email protected]]
Sent: Sunday, March 18, 2001 3:42 AM
To: '[email protected]'
Subject: [FW1] RADIUS Setup



All,

FW-1 4.1 SP3
NT sp6a

RADIUS - W2k IAS

I have defined the following:

 Firewall Object:	Authentication Tab - RADIUS
 I have defined a network object for my RADIUS server (Call it Radius1)
 I have created a RADIUS server object - entered the shared secret
 	- I have selected RADIUS V2.0
 I have created a RADIUS Group object, and placed the above RADIUS Server
object in it.
 
 I have created the generic* user, added RADIUS, with my RADIUSServer group.
I have added the generic* user to the appropriate SR group for rule
definition.

 I have unchecked the 'allow fw-1, blah, blah connections' in the properties
pane and have defined the appropriate connection rules manually
(topo,key,IKE,mgmt, etc...->they all work)

 Before my stealth rule I have added the following rule:
  FW	Radius1	UDP RADIUS	Accept	Long	SRC

 On the w2k IAS server, I have added the FW object for authentication and
enabled it in active directory.  The server does appear in the RAS & IAS
Servers group.  The user does have RAS access enabled

I get no logging message on the RADIUS server about authentication even being
attempted, but I get the following in the firewall logs:
  reject rule 0   reason Refused Topology request.  Authentication scheme not
allowed for user.

One question: do I need the Routing and Remote Access service running on the
IAS machine?

If I switch to fw-1 password on the firewall object, my SR rules work fine.

Can someone please tell me what I'm missing, I'm going crazy!!!!


thanks in advance.

PDB


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

