
[FW-1] [ FW-1] Checkpoint NG, and Cisco Secure ACS



Hi,

I am trying to enable RADIUS authentication from Checkpoint NG FP1 (Solaris)
to Cisco ACS (NT) 2.4(1) (- about to be updated).

The RADIUS server is correctly set up in FW-1 (workstation object, RADIUS server,
shared secret, use of RADIUS standard port 1645 UDP).

The RADIUS server is directly connected to one of the FW interfaces. Previously
Cisco ACS has been running TACACS+, but as problems have arisen with Cryptocard
and TACACS (and Checkpoint tells us that Cryptocard has not been OPSEC
licensed with TACACS+, but only RADIUS!!!), we want to change to RADIUS.

I've created a standard user, both in the FW-1 DB and in the Cisco ACS DB, with a static
password. Of course the user in FW-1 has been defined with RADIUS authentication.
RADIUS authentication has been activated on the firewall.

1. With RADIUS version 1.0 in FW and IETF RADIUS (standard RADIUS attributes)
in Cisco ACS, a telnet <firewall> 259 answers with "RADIUS server does not respond."

2. With RADIUS version 2.0 in FW and IETF RADIUS (standard RADIUS attributes)
in Cisco ACS, a telnet <firewall> 259 answers with "RADIUS server does not respond."

3. With RADIUS version 1.0 in FW and Ascend RADIUS (standard RADIUS attributes)
in Cisco ACS, a telnet <firewall> 259 answers with "RADIUS server does not respond."

4. With RADIUS version 2.0 in FW and Ascend RADIUS (standard RADIUS attributes)
in Cisco ACS, a telnet <firewall> 259 answers with "RADIUS server does not respond."

After this I tried to play around with the RADIUS attributes in Cisco ACS, but
without luck.

I snooped the traffic and saw that FW-1 sends 1645 UDP packets of correct length (approx.
60 bytes) to the Cisco ACS, and the Cisco ACS answered OK. The logs in the Cisco ACS
tell me that the authentication was OK, i.e. Cisco ACS tells me that the user's password
is accepted.

What is going on, am I missing something here, does Firewall-1 need some bizarre
RADIUS attribute (which is undocumented, as usual!)?

Regards,
Anders Fristedt
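An added example, not from the post or from either vendor, of the RADIUS exchange the post describes, in Python using only the standard library: the client builds an Access-Request with the RFC 2865 User-Password obfuscation, the server answers with an Access-Accept, and the client recomputes the Response Authenticator before trusting the reply. A reply that fails that check (for instance when the two sides hold different shared secrets) is discarded silently, which a client reports as no response; the user name, password and secrets below are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def encode_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, secret, req_auth=None):
    """Client side: Code 1 packet carrying User-Name and the obfuscated User-Password."""
    req_auth = req_auth or os.urandom(16)  # 16-byte random Request Authenticator
    attrs = b""
    for t, v in ((ATTR_USER_NAME, user),
                 (ATTR_USER_PASSWORD, encode_password(password, secret, req_auth))):
        attrs += struct.pack("!BB", t, len(v) + 2) + v  # Type, Length (incl. header), Value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def build_response(code, ident, req_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(resp, req_auth, secret):
    """Client side: a reply whose authenticator does not verify is silently discarded."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    header, got, attrs = resp[:4], resp[4:20], resp[20:]
    want = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(got, want)

def client_accepts_reply(client_secret, server_secret):
    """Constructed round trip: the server returns Access-Accept; does the client trust it?"""
    req, req_auth = build_access_request(7, b"testuser", b"s3cret", client_secret)
    reply = build_response(ACCESS_ACCEPT, req[1], req[4:20], server_secret)
    return verify_response(reply, req_auth, client_secret)
```

With matching secrets the Accept verifies; with differing secrets the client drops the otherwise well-formed Accept, so a packet capture shows a reply while the client logs a timeout.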

