Re: [FW-1] Securemote and Radius
We do something like this. We use Radius to authenticate with a Domain Group and we use the regular user's ID for their ID (ex. paulm for both) but we have defined four (so far) groups that we can assign users to.

Group1=Intranet and Mail
Group2=Group1+AS/400
Group3=Group2+Timeclock system

...and so on up to a group that has full access to the world, which only the firewall administrators have access to. When you color coordinate and use standard names (G1-Basic, G2-Common, etc.) it's really easy to hand off to someone to manage the users only while administrators maintain control of the rules.

Happy Holidays!

Paul Mills
CheckPoint Certified (CCSA, CCSE)
Senior Data Security Analyst-Firewall Group

-----Original Message-----
From: Richard Marshall [mailto:[email protected]]
Sent: Thursday, December 13, 2001 4:35 AM
To: [email protected]
Subject: Re: [FW-1] Securemote and Radius

I don't think that Radius is quite going to do what you want. As mentioned in an earlier reply, you need to have a generic* user to authenticate against radius. You can only assign this user to one set of access rules.

Here I use radius for general users, and give admins specific FW-1 passwords so that we can have different access rights. I can't see a way of having more access levels than this, unless you have a different type of authentication for each group. (Even then, I think you need to use the generic* user object for all types of authentication that don't take place directly against the firewall.)

Hope this helps.

rich

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]]On Behalf Of Tim Anderson
Sent: 12 December 2001 14:02
To: [email protected]
Subject: Re: [FW-1] Securemote and Radius

Assuming you are using Checkpoint you can create a user called generic star and point him to your RADIUS server to achieve your desired result.

I would suggest using a Win2k machine that belongs to your domain running the IAS service (which provides RADIUS as an option). This is what we are doing and it works great!

Regards,
Tim Anderson

-----Original Message-----
From: Francois Dessart [mailto:[email protected]]
Sent: Wednesday, December 12, 2001 3:40 AM
To: [email protected]
Subject: [FW-1] Securemote and Radius

Hello,

I would like to use VPN Securemote on my firewall. However I have a lot of users and they have to get different rights when connecting to the gateway with securemote. I would like to use Radius or LDAP. Is it possible (and how) to define several different groups using Radius or LDAP attributes, without enumerating all users in my policy editor?

Thanks for your help.

------------------------------------------------------
Francois DESSART
Network Engineer - SEGI/ULG

=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
If you have any questions on how to change your subscription options, email Ron Alcatraz at: [email protected]
=================================================
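Added example, not part of the original thread and not Check Point configuration: a small Python model of the cumulative group tiers Paul Mills describes, which resolves what each tier can reach and flags anyone in the full-access tier who is not a firewall administrator. The G3/G4 group names, the "ANY" marker, and the user and admin lists are constructed for illustration.

```python
# Model of cumulative access tiers (Group2 = Group1 + AS/400, and so on).
# "G1-Basic"/"G2-Common" come from the thread; everything else is constructed.
TIERS = {
    "G1-Basic":  {"inherits": None,        "adds": {"intranet", "mail"}},
    "G2-Common": {"inherits": "G1-Basic",  "adds": {"as400"}},
    "G3-Time":   {"inherits": "G2-Common", "adds": {"timeclock"}},
    "G4-Full":   {"inherits": "G3-Time",   "adds": {"ANY"}},  # full access
}
MEMBERS = {  # constructed user -> group assignments
    "paulm": "G4-Full", "alice": "G2-Common", "bob": "G1-Basic", "carol": "G4-Full",
}
FW_ADMINS = {"paulm"}  # constructed list of firewall administrators


def effective_access(group, tiers=TIERS):
    """Walk the inheritance chain; raise on an undefined group or a loop."""
    access, seen = set(), []
    while group is not None:
        if group in seen:
            raise ValueError("inheritance loop: " + " -> ".join(seen + [group]))
        if group not in tiers:
            raise KeyError(f"undefined group {group!r}")
        seen.append(group)
        access |= tiers[group]["adds"]
        group = tiers[group]["inherits"]
    return access


def audit(members=MEMBERS, admins=FW_ADMINS, tiers=TIERS):
    """Return (user, problem) pairs for bad assignments and non-admin full access."""
    findings = []
    for user, group in sorted(members.items()):
        try:
            access = effective_access(group, tiers)
        except (KeyError, ValueError) as exc:
            findings.append((user, f"bad group: {exc}"))
            continue
        if "ANY" in access and user not in admins:
            findings.append((user, f"{group} grants full access to a non-admin"))
    return findings


if __name__ == "__main__":
    for name in TIERS:
        print(name, sorted(effective_access(name)))
    for user, problem in audit():
        print("FINDING", user, problem)
```
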