
Re: [FW-1] generic* for SecurID with SecureClient



Hej!

Yes, it works with non generic* users. The generic* user has everything
set up as the users that work, except that the generic* user doesn't have an
expiration date which the regular test users have. In the policy properties
we have defined "Allow Outgoing & Encrypted" in Desktop Security.

When I use my test user SecureClient says

    "User <login> authenticated by SecurID"

where <login> of course is the login name.
And the policy in the SecureClient is set to "Allow Outgoing & Encrypted"

The log then has the following lines:
accept IKE from the SecureClient host to the firewall
authcrypt of the user, authenticated by SecurID, scheme IKE
key install IKE Log: Phase 1
key install IKE methods: ESP: 3DES + SHA1 (Phase 2)
and finally decrypt of protocols used by the user

We have tested this for over a week and it works fine. It's more or less
like the SecureClient computer was attached to our internal networks.



When I remove the test users and add generic* to the group we use in the
rulebase I get this:

I still use the same login name, as it is one defined in the SecurID server,
I get this response within the SecureClient program;

    "User <login> authenticated by SecurID


     The security policy on your computer has
     been removed.
     You are no longer authorized to have a
     policy!"

All this in the same pop-up window.
The policy in the SecureClient has changed to "Allow All"

The log then has the following lines:
accept IKE from the SecureClient host to the firewall
deauthorize user, reason: Lost policy
authcrypt of the user, authenticated by SecurID, scheme IKE
key install IKE Log: Phase 1
key install IKE methods: ESP: 3DES + SHA1 (Phase 2)
and now dropping all protocols from SecureClient host by last drop rule
(No relevant information in the "Info" field in the log, just len XX)



My conclusion is that the generic* user passes on the authentication to SecurID
and that works fine. But for some reason the firewall doesn't apply the
SecureClient policy for the generic* user and then the firewall can't accept
connections as the policy is missing.

What have we done wrong?


                                  _\\|//_
                                  (-0-0-)
/-------------------------------ooO-(_)-Ooo------------------------------\
| Magnus Sandberg                    Email: [email protected]  |
| Network Engineer, BlueLabs AB                  http://www.bluelabs.se/ |
| Phone: +46-8-470 2155                             FAX: +46-8-470 2199  |
\------------------------------------------------------------------------/
                                  ||   ||
                                 ooO   Ooo



 ----- On the 11th of April 2002 Lars Troen wrote; -----

Magnus,
Yes, it should work. You should recheck your configuration. Check that the
generic* user has correct encryption settings. What are your error messages?
Does it work with a different non generic* user?

Lars

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Magnus
> Sandberg
> Sent: Thursday, April 11, 2002 10:31
> To: [email protected]
> Subject: [FW-1] generic* for SecurID with SecureClient
>
>
> Hi,
>
> I have a question about the use of generic*
>
> Today we use the "generic*" user to define SecurID authentication for
> "User Auth" to access some web server from the Internet. That works fine.
>
> We're just starting to use SecureClient (Client Encrypt) for access from
> the Internet. We have defined some test users and these users are defined
> to use SecurID. We have activated the "hybrid mode" and SecurID
> works fine.
> Our problem is that we can't get the "generic*" user to work together with
> SecureClient. Shouldn't that work or have we done something wrong?
>
> We're running FW-1 V4.1 SP2.
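The two log sequences Magnus quotes (working test user: accept IKE, authcrypt, key install phase 1 and 2, decrypt; generic* user: the same, but with a "deauthorize user, reason: Lost policy" entry and every later packet dropped by the last rule) are a usable signature for this failure mode. The script below is an added example, not part of the thread or of Check Point's tooling: it groups FW-1-style log records by SecureClient source address and reports which sessions authenticated and got a policy applied, and which authenticated, completed IKE, but then lost the desktop policy and were dropped. The record layout and the sample lines are constructed for the example and only loosely modelled on the actions Magnus lists; they are not a real FW-1 4.1 log export, so adapt `FIELDS` and `parse_log` to whatever your `fw logexport` output actually looks like.

```python
# Added example (not from the original thread): classify SecureClient sessions
# by the log actions the thread describes. The record format below is
# CONSTRUCTED for this example; it is not the real FW-1 4.1 log layout.
from collections import defaultdict

# Constructed sample: one working session (198.51.100.7, user alice) and one
# session that authenticates, finishes IKE, but loses its policy and is then
# dropped (203.0.113.9, user bob). Addresses are documentation ranges.
SAMPLE_LOG = """\
1;10:31:02;gw;accept;IKE;198.51.100.7;gw;-
2;10:31:03;gw;authcrypt;IKE;198.51.100.7;gw;user:alice scheme:IKE reason:authenticated by SecurID
3;10:31:03;gw;keyinst;IKE;198.51.100.7;gw;phase:1
4;10:31:04;gw;keyinst;IKE;198.51.100.7;gw;phase:2 methods:ESP 3DES+SHA1
5;10:31:05;gw;decrypt;http;198.51.100.7;10.0.0.20;user:alice
6;10:40:10;gw;accept;IKE;203.0.113.9;gw;-
7;10:40:11;gw;deauthorize;IKE;203.0.113.9;gw;user:bob reason:Lost policy
8;10:40:11;gw;authcrypt;IKE;203.0.113.9;gw;user:bob scheme:IKE reason:authenticated by SecurID
9;10:40:12;gw;keyinst;IKE;203.0.113.9;gw;phase:1
10;10:40:12;gw;keyinst;IKE;203.0.113.9;gw;phase:2 methods:ESP 3DES+SHA1
11;10:40:13;gw;drop;http;203.0.113.9;10.0.0.20;rule:last
"""

# Column names for the constructed record layout (semicolon separated).
FIELDS = ("num", "time", "origin", "action", "service", "src", "dst", "info")

POLICY_LOST = "tunnel up, policy lost, traffic dropped"
POLICY_OK = "tunnel up, policy applied"
NO_AUTH = "no authentication seen"
INCONCLUSIVE = "inconclusive"


def parse_log(text):
    """Split semicolon-separated records into dicts; 'info' keeps the raw tail."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(";", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        records.append(dict(zip(FIELDS, parts)))
    return records


def classify_sessions(records):
    """Return {src_ip: verdict} using the action sequence of each source host."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec)

    verdicts = {}
    for src, recs in by_src.items():
        actions = [r["action"] for r in recs]
        authed = "authcrypt" in actions
        phase2_done = any(r["action"] == "keyinst" and r["info"].startswith("phase:2")
                          for r in recs)
        lost_policy = any(r["action"] == "deauthorize" and "Lost policy" in r["info"]
                          for r in recs)
        dropped = "drop" in actions
        decrypted = "decrypt" in actions

        if authed and phase2_done and lost_policy and dropped:
            verdicts[src] = POLICY_LOST       # the generic* symptom in the thread
        elif authed and phase2_done and decrypted and not lost_policy:
            verdicts[src] = POLICY_OK         # the working test-user sequence
        elif not authed:
            verdicts[src] = NO_AUTH
        else:
            verdicts[src] = INCONCLUSIVE
    return verdicts


def users_for(records):
    """Map each source host to the user names seen in authcrypt/deauthorize info."""
    users = defaultdict(set)
    for rec in records:
        if rec["action"] in ("authcrypt", "deauthorize"):
            for token in rec["info"].split():
                if token.startswith("user:"):
                    users[rec["src"]].add(token[len("user:"):])
    return {src: sorted(names) for src, names in users.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    names = users_for(recs)
    for src, verdict in classify_sessions(recs).items():
        print(f"{src:15} {','.join(names.get(src, ['?'])):8} {verdict}")
```

Because the "Lost policy" deauthorize entry is logged before the authcrypt entry in Magnus's second sequence, the classifier deliberately looks at the set of actions per host rather than requiring a particular order; a session that authenticates and completes Phase 2 but still ends in drops is what distinguishes a missing desktop policy from a plain authentication failure.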



