
[FW1] Anyone an expert with FW1 Session Auth Agent and TACACS?



(I previously posted this, but it appeared to have bounced for some reason, apologies if you get this twice)

I have searched all the FAQs and docs (Checkpoint PDFs etc.) and from what I can tell it looks like I am screwed.

What I want to do is use my CiscoSecure TACACS server to handle authentication for a variety of flows through my FW-1. I have all the
evil OS/Password features of the FW-1 removed, so I am using the remote database/NT domain integration feature of CiscoSecure to
handle my domain authentication.

I would like to use the FW1 Session Authentication Agent on internal hosts and have the users input their domain login credentials
and have the FW-1 pass this info along to my TACACS server where they are verified. The problem is that I cannot seem to get the
Agent to accept any usernames other than those IMPLICITLY defined in my FW1 objects. (manage->users)

If I have a user "JoeBlow" defined in manage->users, the fw1 will then query my TACACS server and I see logs that JoeBlow logged in,
or had invalid password etc etc.

If I then log in with "JaneDoe" (a user that exists in my NT DOMAIN), the session authentication agent immediately barks back
"Invalid User" and looking at my TACACS server, it never even passed through the authentication request. I know my TACACS server is
working fine (it's working for a variety of stuff already) and I know that it queries my domain controller correctly.

Is there some magic to setting up a user in the manage->users dialog for it to match Anyone?
I would think if you selected "All users@any" as your source in your session auth rule, that it would allow any username to be
passed to the authentication server. Instead, it looks like it looks for users defined in FW-1 and then attempts to contact the
authentication server to check their password validity.

During certification I seem to remember being told that this was a limitation of FW1 and that you had to use LDAP and the UAM if you
wanted to get around it, but I was hoping this was not the case. Can anyone here confirm my assumptions?

I was really hoping to just have some of the NT admins simply put people into a group membership to give them access to particular
session auth rules without requiring me to do any extra work on the firewall.
