
Re: [FW-1] SecurID



Normally, when the Ace Server issues a "Node Verification Failed", RSA's
help says:

---------------------------------- RSA Help File ---------------------------------------
        To solve the problem, remove the node secret file on the Agent Host.
If the file exists, it can be found in the %SystemRoot%\system32 directory
(on a Windows NT or Windows 2000 machine), or in the ACEDATA directory (on a
UNIX machine) under the authentication service name specified in the
services file or a name server. On a Windows NT or Windows 2000 machine, the
services file is in the %SystemRoot%\system32\drivers\etc directory, and on
a UNIX machine, the services file is in the /etc directory. The default name
of this file is securid.

        After removing the node secret file or verifying that it does not
exist, run the Database Administration application, and select Edit Agent
Host from the Agent Host menu. Turn off the Sent Node Secret checkbox. The
node secret file will be re-sent to the Agent Host the next time there is a
successful authentication on the Agent Host.
This message is also logged under the following circumstances:

· There may be a mismatch between the encryption value in the
sdconf.rec file (or other configuration method) on the Agent Host and the
encryption type in the Agent Host record.

If the encryption type is set incorrectly in the Agent Host record, use Edit
Agent Host on the Agent Host menu to change the setting. If the setting in
the sdconf.rec file is incorrect, refer to Distributing the Configuration
Update for instructions to provide a new configuration file to the Agent
Host.

· A remote user attempts to authenticate on an enterprise
authentication Agent Host before a successful authentication by a local user
has created the node secret. In the case where the user is not activated on
the Agent Host and the node secret is not established, User Not on Agent
Host is logged along with the Node Verification Failed message.

· A remote user attempts to authenticate on an enterprise
authentication Agent Host before a successful authentication by a local user
has created the node secret. When the user is not activated on the Agent
Host and the node secret is not established, User Not on Agent Host is
logged along with the Node Verification Failed message.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ RSA Help File ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

My experience has been that the Sent Node Secret checkbox is grayed out for
us (Version 5) so running the Database Admin program isn't the way to
regenerate the node secret.  I log into the Agent node and attempt to
reauthenticate and that generally causes the new node secret to be sent.

-----Original Message-----
From: Don [mailto:[email protected]]
Sent: Wednesday, February 27, 2002 8:34 PM
To: [email protected]
Subject: Re: [FW-1] SecurID


> SecurID Authentication is not supported on the Nokia IP Applications
> appliance in NG FP1 release. The only workaround is to configure the
> SecurID (ACE) server as a RADIUS server and change the authentication
> scheme of the user to RADIUS with shared secret.
Now this is even more maddening.

I have configured my firewall on the ACE server. The ACE server is
configured for RADIUS. The firewall is configured for RADIUS. They both
have the same shared secret.

Any attempts to login to the firewall result in an entry in the ACE logs
stating: "Node Verification Failed." The RADIUS server works (we use it
for a dial in server) and the account I am testing works (As I can test
this using the ACE test agent).

This is a 4.1 ACE server running RADIUS on UDP 1645. The CheckPoint is
configured to use RADIUS (Both v1 and v2 were tested) with the RADIUS
service (UDP 1645).

I see the communications between the two systems in a tcpdump.

Can anyone suggest some troubleshooting tips?

Thanks,
-Don
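One way to settle the "same shared secret" question Don raises is to check the RADIUS Response Authenticator of the reply the ACE server sends back, since RFC 2865 keys it with the shared secret. The following is an added example, not code from the thread or from RSA or Check Point; the user name, password, packet identifier and secrets are constructed for the demo.

```python
import hashlib
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def attr(atype, value):
    """Encode one Type/Length/Value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, req_auth):
    """PAP User-Password hiding (RFC 2865 section 5.2): XOR 16-byte chunks with an MD5 stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, username, password, secret, req_auth):
    """Client side: Access-Request with the password hidden under the client's secret."""
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, ident, req_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def response_authenticator_ok(response, req_auth, secret):
    """Client side: recompute the Response Authenticator with our own copy of the secret."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hashlib.md5(header + req_auth + attrs + secret).digest() == resp_auth

def shared_secret_matches(client_secret, server_secret, req_auth=bytes(range(16))):
    """Simulate one exchange with constructed data; True only if both sides used the same secret."""
    ident = 7
    request = build_access_request(ident, b"don", b"123456", client_secret, req_auth)
    # The server answers with a Reject whose authenticator is keyed with *its* secret.
    response = build_response(ACCESS_REJECT, ident, request[4:20], b"", server_secret)
    return response_authenticator_ok(response, req_auth, client_secret)

if __name__ == "__main__":
    print(shared_secret_matches(b"s3cret", b"s3cret"))   # True
    print(shared_secret_matches(b"s3cret", b"S3CRET"))   # False
```

Run the same check against the request and reply captured with tcpdump: a Reject whose authenticator verifies means the secrets agree and the failure is on the ACE side (agent host or user record), while a reply that fails verification points at a secret mismatch between the firewall and the ACE server.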

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.