[FW1] Summary: Problems with ACE 5.0 after upgrade from 3.3.1
PROBLEM SUMMARY

In ACE 5.0 Master and Checkpoint FW1, or ACE 3.3.1 or 4.0 client, an "Acting Server" must be defined in the 5.0 sdconf.rec and put on the ACE agent/client.

PROBLEM SUMMARY

In ACE 5.0 and multi-NIC agent/client, the hostname, which is the primary address, MUST be the NIC that is used to communicate with the ACE master when using ACE 5.0 agent/client software.

FIX-WORKAROUND -- Assign Acting Servers (preferred)

  1. Assign Acting Servers for the FW agent/client on ACE 5.0 master
  2. Generate Config File (sdconf.rec)
  3. Copy sdconf.rec to FW agent/client
  4. rm /var/ace/securid or /opt/ace/data/securid
  5. Generate node secret via authentication

Tested FW1 SP4, ACE 5.0 Server. I was able to demonstrate that SecuRemote works when "Assign Acting Server" is used. This is the preferred fix since Checkpoint is probably not using the ACE 5.0 libraries.

I demonstrated that the ACE 3.3.1 sdshell and the ACE 4.0 sdshell work when the Acting Server is defined. It also works whether the hostname is the external or the internal interface of the firewall. In my 3.3.1 environment, the hostname is the external interface and the interface used to communicate with the ACE master is the internal interface/secondary address.

This does NOT work for ACE 5.0 agent/client software.

FIX-WORKAROUND -- Move hostname to internal interface

Associate the hostname with the interface that is used to communicate with the ACE master. I demonstrated that ACE authentication works with 5.0 sdshell when the hostname is on the internal interface. This is the only workaround that works for ACE 5.0 agent/client software. BUT, the firewall uses older libraries, so the firewall will authenticate, repeatedly, if Acting Server is defined.

After upgrading my ACE master (SecurID) from v 3.3.1 to 5.0, SecuRemote authentication at the firewalls failed. I also used /opt/ace/prog/sdshell on the firewall to test the authentication in a simpler (non-firewall) environment and to generate the node secret.
The problem is that ACE 5.0 sdshell works ONCE to generate the node secret, but fails on the second or later use, because the node secret is not correct.

  08/29/2001 22:58:38U --------/diamond2 ---->/
  08/29/2001 17:58:38L Node verification failed t-hedron.adc.com greg

Greg Polanski
ADC Telecommunications, Inc
Minneapolis, MN
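The post describes two checks an administrator ends up doing by hand: confirming that a multi-NIC agent's hostname maps to the interface that reaches the ACE master, and clearing the node secret so the next authentication regenerates it, then watching the ACE log for "Node verification failed". The script below is an added example, not part of the original post or of RSA's or Checkpoint's tooling. It assumes only the node secret location and the log line format quoted above; the log lines and IP addresses in it are constructed, and the resolved-hostname IP and route-source IP are passed in as arguments rather than discovered, since the commands for that differ between Solaris and Linux.

```sh
#!/bin/sh
# Added example (not from the original post). Assumptions: node secret lives at
# <datadir>/securid as the post states, and ACE audit lines look like
# "MM/DD/YYYY HH:MM:SSL Node verification failed <agent-host> <user>".

# Constructed sample of ACE audit log text in the format quoted in the post.
SAMPLE_LOG='08/29/2001 17:50:12L Passcode accepted t-hedron.adc.com greg
08/29/2001 17:58:38L Node verification failed t-hedron.adc.com greg
08/29/2001 18:01:05L Node verification failed fw2.example.com alice
08/29/2001 18:03:44L Node verification failed t-hedron.adc.com greg'

# Print each agent host with at least one "Node verification failed" entry,
# once, in first-seen order. Host is the 6th whitespace field, user the 7th.
# A host listed here has a stale or wrong node secret after the upgrade.
hosts_with_node_failures() {
    printf '%s\n' "$1" | awk '/Node verification failed/ && !seen[$6]++ { print $6 }'
}

# Multi-NIC check for 5.0 agents: the address the hostname resolves to ($1)
# must be the address of the interface that talks to the ACE master ($2).
# Returns 0 when they match, 1 when the hostname is on the wrong NIC.
hostname_matches_ace_interface() {
    [ "$1" = "$2" ]
}

# Reset the node secret so the next successful authentication regenerates it.
# Instead of rm, keep a timestamped backup so a bad run can be reverted.
# $1 = agent data directory (/var/ace or /opt/ace/data in the post).
reset_node_secret() {
    secret="$1/securid"
    if [ ! -f "$secret" ]; then
        echo "no node secret at $secret (nothing to reset)" >&2
        return 1
    fi
    mv "$secret" "$secret.bak.$(date +%Y%m%d%H%M%S)"
}

# Stand-alone demonstration on the constructed data.
echo "agents failing node verification:"
hosts_with_node_failures "$SAMPLE_LOG"
if hostname_matches_ace_interface 10.1.1.2 10.1.1.2; then
    echo "hostname is on the interface that reaches the ACE master"
fi
if ! hostname_matches_ace_interface 192.0.2.1 10.1.1.2; then
    echo "hostname is on the external NIC; 5.0 agent will fail node verification"
fi
```

Run the host check with the address from `getent hosts $(hostname)` (or the equivalent on Solaris) and the source address of the route to the ACE master; on a 5.0 agent a mismatch is the condition the post describes, and the Acting Server workaround only helps when the firewall is still using the older client libraries.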