
Re: [FW-1] VPN Authentication



Amaury,

We experienced this same dilemma with FW-1. It was about 4 years ago,
however, so I don't know if the same problem still exists.

We ended up going with a Nortel Contivity solution for client VPN services.
It allows you to set up lots of customized access-lists (based on groups) on
the Contivity gateway. You can authenticate users in one of 2 ways (native
LDAP or Radius). Either way, based on a group the user belongs to, the
groupname gets passed back to the VPN box, and it uses the access-list
defined for that groupname to restrict what a user can do. In the case of
radius, the groupname is passed back as a value of the generic radius Class
attribute. The form it needs to take is "ou=groupname".

This may not help your FW-1 situation, but it might at least be comforting
to know that others have experienced this same frustration.

Feel free to send me an email if you want more information.

Bob Brandt, 3M, [email protected]

----- Original Message -----
From: "Amaury de Ville" <[email protected]>
To: <[email protected]>
Sent: Friday, May 10, 2002 7:02 AM
Subject: [FW-1] VPN Authentication


> Hello people,
>
> I have a small dilemma, I would like to have different types of access
> depending on authentication.
> We are currently using RADIUS authentication for our VPN access, at first I
> was thinking of using radius attributes to define the type of access users
> would get when connecting but I don't think FW1 supports it (If I am wrong
> please let me know). A second solution was to use multiple radius servers
> (one for each type of access), so each VPN user group would have a specific
> rule (with different access) using a different radius server. My problem is
> that I use generic* to forward all auth requests to the radius server, but I
> can only use generic* once (which means I can't define multiple instances of
> generic* with different authentication servers and thus create multiple
> rules with different access depending on authentication server used). If
> anyone has any idea how to use multiple authentication schemes using the
> generic* user I would be very interested in knowing. I know I can create
> user groups without using generic* but we would then have to manage multiple
> user databases (one on the radius server for the authentication and one on
> FW1 for defining access).
>
>
> Thanks for your help,
>
> Amaury de Ville
> Security Engineer
> Belgacom Skynet
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>

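The group-to-access-list mapping Bob describes, as an added example that is not part of either message: the RADIUS server returns the group in a Class attribute (type 25, RFC 2865) formatted "ou=groupname", and the VPN gateway looks up that group's access-list. The attribute payloads, group names and access-lists below are constructed for illustration; a missing, malformed or unknown group falls through to a default-deny list.

```python
"""Derive a per-group VPN access-list from a RADIUS Class attribute ("ou=groupname")."""
import struct

CLASS_ATTR = 25      # RADIUS attribute type: Class (RFC 2865)
USER_NAME_ATTR = 1   # RADIUS attribute type: User-Name

# Constructed sample policy: group name -> ordered list of (action, cidr) rules.
ACCESS_LISTS = {
    "engineering": [("permit", "10.10.0.0/16"), ("deny", "0.0.0.0/0")],
    "finance": [("permit", "10.20.5.0/24"), ("deny", "0.0.0.0/0")],
}
DEFAULT_DENY = [("deny", "0.0.0.0/0")]  # applied when no usable group comes back


def encode_avp(attr_type, value):
    """Encode one attribute as type/length/value; length counts the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_avps(payload):
    """Yield (type, value) pairs; reject malformed lengths instead of guessing."""
    offset = 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", payload[offset:offset + 2])
        if length < 2 or offset + length > len(payload):
            raise ValueError("bad attribute length")
        yield attr_type, payload[offset + 2:offset + length]
        offset += length


def group_from_class(payload):
    """Return the group named by the first Class value of the form ou=<name>, else None."""
    for attr_type, value in decode_avps(payload):
        if attr_type != CLASS_ATTR:
            continue
        text = value.decode("ascii", errors="replace")
        if text.lower().startswith("ou=") and len(text) > 3:
            return text[3:]
    return None


def access_list_for(payload):
    """Select the access-list for an Access-Accept's attribute bytes (default deny)."""
    group = group_from_class(payload)
    return ACCESS_LISTS.get(group, DEFAULT_DENY) if group else DEFAULT_DENY


# Constructed sample attribute sections of two Access-Accept replies.
SAMPLE_ENGINEER = encode_avp(USER_NAME_ATTR, b"alice") + encode_avp(CLASS_ATTR, b"ou=engineering")
SAMPLE_NO_GROUP = encode_avp(USER_NAME_ATTR, b"bob")
```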