Re: [FW-1] generic* for SecurID with SecureClient
Hej!

Yes, it works with non generic* users. The generic* user has everything set up as the users that work, except that the generic* user doesn't have an expiration date, which the regular test users have.

In the policy properties we have defined "Allow Outgoing & Encrypted" in Desktop Security.

When I use my test user, SecureClient says "User <login> authenticated by SecurID", where <login> of course is the login name. And the policy in the SecureClient is set to "Allow Outgoing & Encrypted".

The log then has the following lines:

    accept IKE from the SecureClient host to the firewall
    authcypt of the user, authenticated by SecurID, scheme IKE
    key install IKE Log: Phase 1
    key install IKE methods: ESP: 3DES + SHA1 (Phase 2)
    and finally decrypt of protocols used by the user

We have tested this for over a week and it works fine. It's more or less like the SecureClient computer was attached to our internal networks.

When I remove the test users and add generic* to the group we use in the rulebase, I get this (I still use the same login name, as it is one defined in the SecurID server). I get this response within the SecureClient program:

    "User <login> authenticated by SecurID
    The security policy on your computer has been removed. You are no longer authorized to have a policy!"

All this in the same pop-up window. The policy in the SecureClient has changed to "Allow All".

The log then has the following lines:

    accept IKE from the SecureClient host to the firewall
    deauthorize user, reason: Lost policy
    authcypt of the user, authenticated by SecurID, scheme IKE
    key install IKE Log: Phase 1
    key install IKE methods: ESP: 3DES + SHA1 (Phase 2)
    and now dropping all protocols from SecureClient host by last drop rule

(No relevant information in the "Info" field in the log, just len XX.)

My conclusion is that the generic* user passes on the authentication to SecurID and that works fine. But for some reason the firewall doesn't apply the SecureClient policy for the generic* user, and then the firewall can't accept connections as the policy is missing.

What have we done wrong?

--
Magnus Sandberg                 Email: [email protected]
Network Engineer, BlueLabs AB   http://www.bluelabs.se/
Phone: +46-8-470 2155           FAX: +46-8-470 2199

----- On the 11th of April 2002 Lars Troen wrote: -----

Magnus,

Yes, it should work. You should recheck your configuration. Check that the generic* user has correct encryption settings. What are your error messages? Does it work with a different non generic* user?

Lars

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On Behalf Of Magnus Sandberg
> Sent: Thursday, April 11, 2002 10:31
> To: [email protected]
> Subject: [FW-1] generic* for SecurID with SecureClient
>
> Hi,
>
> I have a question about the use of generic*.
>
> Today we use the "generic*" user to define SecurID authentication for
> "User Auth" to access some web server from the Internet. That works fine.
>
> We're just starting to use SecureClient (Client Encrypt) for access from
> the Internet. We have defined some test users and these users are defined
> to use SecurID. We have activated the "hybrid mode" and SecurID
> works fine.
>
> Our problem is that we can't get the "generic*" user to work together with
> SecureClient. Shouldn't that work or have we done something wrong?
>
> We're running FW-1 V4.1 SP2.
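The two log sequences Magnus describes (authentication followed by decrypt for the test user, versus "deauthorize user, reason: Lost policy" followed by drops for the generic* user) are a useful thing to watch for when rolling out SecureClient: a session that authenticates successfully but then loses its desktop policy is exactly the failure mode above. The following Python is an added example, not code from the thread or from Check Point; the log records are constructed from the phrases quoted in the post, and the simplified (host, message) layout and the 192.0.2.x addresses are assumptions made for the example rather than real FW-1 log output.

```python
from collections import defaultdict

# Constructed sample: (source host, log message). The message strings reuse the
# phrases quoted in the post above; the host addresses and the two-field layout
# are assumptions for this example, not real FW-1 4.1 log output.
CONSTRUCTED_LOG = [
    # Test user: authenticated, keys installed, traffic decrypted (policy applied).
    ("192.0.2.10", "accept IKE"),
    ("192.0.2.10", "authenticated by SecurID, scheme IKE"),
    ("192.0.2.10", "key install IKE Log: Phase 1"),
    ("192.0.2.10", "key install IKE methods: ESP: 3DES + SHA1 (Phase 2)"),
    ("192.0.2.10", "decrypt http"),
    # generic* user: policy lost before authentication, traffic hits the last rule.
    ("192.0.2.20", "accept IKE"),
    ("192.0.2.20", "deauthorize user, reason: Lost policy"),
    ("192.0.2.20", "authenticated by SecurID, scheme IKE"),
    ("192.0.2.20", "key install IKE Log: Phase 1"),
    ("192.0.2.20", "key install IKE methods: ESP: 3DES + SHA1 (Phase 2)"),
    ("192.0.2.20", "drop http, by last drop rule"),
    # A host that never finished IKE at all (neither verdict applies).
    ("192.0.2.30", "accept IKE"),
    ("192.0.2.30", "key install IKE Log: Phase 1"),
]


def _by_host(records):
    """Group log messages per SecureClient source host, preserving order."""
    events = defaultdict(list)
    for host, text in records:
        events[host].append(text)
    return events


def classify_sessions(records):
    """Return {host: verdict} with one of:
    'policy_lost'    - a 'Lost policy' deauthorize, or authenticated but then
                       dropped by the last rule (the generic* symptom)
    'policy_applied' - authenticated and traffic decrypted (the working case)
    'incomplete'     - neither outcome seen yet
    """
    verdicts = {}
    for host, texts in _by_host(records).items():
        authenticated = any("authenticated by SecurID" in t for t in texts)
        lost_policy = any("Lost policy" in t for t in texts)
        decrypted = any(t.startswith("decrypt") for t in texts)
        dropped = any("last drop rule" in t for t in texts)
        if lost_policy or (authenticated and dropped):
            verdicts[host] = "policy_lost"
        elif authenticated and decrypted:
            verdicts[host] = "policy_applied"
        else:
            verdicts[host] = "incomplete"
    return verdicts


def lost_policy_hosts(records):
    """Hosts whose SecureClient session authenticated but ended up without a policy."""
    return sorted(h for h, v in classify_sessions(records).items() if v == "policy_lost")


def deauthorize_before_auth(records, host):
    """True if the 'Lost policy' deauthorize was logged before the SecurID
    authentication for this host, the ordering Magnus reports for generic*."""
    texts = _by_host(records).get(host, [])
    deauth = next((i for i, t in enumerate(texts) if "Lost policy" in t), None)
    auth = next((i for i, t in enumerate(texts) if "authenticated by SecurID" in t), None)
    return deauth is not None and auth is not None and deauth < auth


if __name__ == "__main__":
    for host, verdict in sorted(classify_sessions(CONSTRUCTED_LOG).items()):
        print(f"{host}: {verdict}")
    print("policy lost on:", lost_policy_hosts(CONSTRUCTED_LOG))
```

Run against real exports you would key on the firewall's own action field rather than on substring matches, but the shape of the check stays the same: a host that reaches "authenticated by SecurID" and then only produces drops by the last rule has a user or policy configuration problem, not an authentication problem, which is what the thread's conclusion says.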