Subject: [FW-1] Checkpoint NG, and Cisco Secure ACS
Hi,

I am trying to enable RADIUS authentication from Checkpoint NG FP1 (Solaris) to Cisco ACS (NT) 2.4(1) (about to be updated). The RADIUS server is correctly set up in FW-1 (workstation object, RADIUS server, shared secret, use of the RADIUS standard port 1645 UDP). The RADIUS server is directly connected to one of the FW interfaces.

Previously Cisco ACS has been running TACACS+, but as problems have arisen with Cryptocard and TACACS+ (and Checkpoint tells us that Cryptocard has not been OPSEC licensed with TACACS+, but only with RADIUS!!!), we want to change to RADIUS.

I've created a standard user, both in the FW-1 DB and in the Cisco ACS DB, with a static password. Of course the user in FW-1 has been defined with RADIUS authentication. RADIUS authentication has been activated on the firewall.

1. With RADIUS version 1.0 in FW and IETF RADIUS (standard RADIUS attributes) in Cisco ACS, a telnet <firewall> 259 answers with "RADIUS server does not respond".
2. With RADIUS version 2.0 in FW and IETF RADIUS (standard RADIUS attributes) in Cisco ACS, a telnet <firewall> 259 answers with "RADIUS server does not respond".
3. With RADIUS version 1.0 in FW and Ascend RADIUS (standard RADIUS attributes) in Cisco ACS, a telnet <firewall> 259 answers with "RADIUS server does not respond".
4. With RADIUS version 2.0 in FW and Ascend RADIUS (standard RADIUS attributes) in Cisco ACS, a telnet <firewall> 259 answers with "RADIUS server does not respond".

After this I tried to play around with the RADIUS attributes in Cisco ACS, but without luck.

I snooped the traffic and saw that FW-1 sends 1645/UDP packets of the correct length (approx. 60 bytes) to the Cisco ACS, and the Cisco ACS answered OK. The logs in the Cisco ACS tell me that the authentication was OK, i.e. Cisco ACS tells me that the user's password is accepted.

What is going on? Am I missing something here? Does Firewall-1 need some bizarre RADIUS attribute (which is undocumented, as usual!)?
Regards,
Anders Fristedt

-----Original Message-----
From: L-Soft list server at Check Point Software (1.8d) [mailto:[email protected]]
Sent: 5 June 2002 21:34
To: Anders Fristedt
Subject: Command confirmation request (462525CD)

Your command:

    SUBSCRIBE FW-1-MAILINGLIST Anders Fristedt

has been received. You must now reply to this message (as explained below) to complete your subscription.

The purpose of this confirmation procedure is to check that the address LISTSERV is about to add to the list for your subscription is reachable. This is a typical procedure for high-volume lists and all new subscribers are subjected to it - you are not being singled out. Every effort has been made to make this verification as simple and painless as possible. Thanks in advance for your cooperation.

To confirm the execution of your command, simply point your browser to the following URL:

    http://lists.us.checkpoint.com/listserv-cgi-bin/wa?OK=462525CD&L=FW-1-MAILINGLIST

Alternatively, if you have no WWW access, you can reply to the present message and type "ok" (without the quotes) as the text of your message. Just the word "ok" - do not retype the command. This procedure will work with any mail program that fully conforms to the Internet standards for electronic mail. If you receive an error message, try sending a new message to [email protected] (without using the "reply" function - this is very important) and type "ok 462525CD" as the text of your message.

Finally, your command will be cancelled automatically if LISTSERV does not receive your confirmation within 48h. After that time, you must start over and resend the command to get a new confirmation code. If you change your mind and decide that you do NOT want to confirm the command, simply discard the present message and let the request expire on its own.
=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected]
and in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
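The exchange in the post above (NAS sends an Access-Request on UDP 1645, the server answers, the NAS still reports that the server does not respond) is easier to reason about with both sides' bytes in front of you. The Python below is an added example written for this page; it is not code from the original post, from Check Point or from Cisco, and it does not diagnose that particular setup. It builds an RFC 2865 Access-Request with a PAP User-Password hidden under the shared secret, has a toy server decode it and answer Accept or Reject, and then applies the check every RADIUS client must make: the Response Authenticator is MD5 over the reply plus the shared secret, and a reply that fails it (or carries the wrong Identifier) is silently discarded (RFC 2865 §3), so a server that did answer looks to the NAS like one that never did. The user name, password, shared secrets and NAS address are made up.

```python
"""Minimal RFC 2865 RADIUS PAP exchange, client (NAS) and server in one process.

Added example for this page; not code from the original post, Check Point
or Cisco. User, password, secrets and the NAS address are made up.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs; the length byte counts itself and the type."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def parse_attrs(data):
    """Decode TLVs back into (type, value) pairs, refusing malformed lengths."""
    out = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[2:length]))
        data = data[length:]
    return out


def hide_password(secret, req_auth, password):
    """RFC 2865 s5.2: pad to 16 bytes and XOR each chunk with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def reveal_password(secret, req_auth, hidden):
    """Inverse of hide_password; this is what the server does before checking the password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(chunk, keystream)), chunk
    return out.rstrip(b"\x00")


def build_request(secret, ident, username, password, nas_ip=b"\xc0\xa8\x01\x01"):
    """NAS side: Access-Request with a random 16-byte Request Authenticator (NAS IP is made up)."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(secret, req_auth, password)),
                          (NAS_IP_ADDRESS, nas_ip)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(secret, code, ident, req_auth, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def server_handle(secret, users, packet):
    """Server side: decode, check the PAP password, answer Accept or Reject (no attributes)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    password = reveal_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    auth = response_authenticator(secret, code, ident, req_auth, b"")
    return struct.pack("!BBH", code, ident, 20) + auth


def client_check_reply(secret, request, reply):
    """NAS side: return the reply code, or None when the reply must be silently discarded.

    RFC 2865 s3: a reply whose Identifier does not match the outstanding request, or whose
    Response Authenticator does not verify, is dropped without any error to the user, so
    from the NAS's point of view the server simply never answered.
    """
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return None
    expected = response_authenticator(secret, code, ident, request[4:20], reply[20:length])
    if reply[4:20] != expected:
        return None
    return code


def exchange(client_secret, server_secret, username, password, users):
    """Run one request/reply; returns (code the server sent, code the client accepted or None)."""
    request = build_request(client_secret, 7, username, password)
    reply = server_handle(server_secret, users, request)
    return reply[0], client_check_reply(client_secret, request, reply)


if __name__ == "__main__":
    users = {b"anders": b"static-pw-1"}  # constructed test user, not a real account
    print(exchange(b"fw1-acs-secret", b"fw1-acs-secret", b"anders", b"static-pw-1", users))
    print(exchange(b"fw1-acs-secret", b"fw1-acs-secret", b"anders", b"wrong", users))
    print(exchange(b"fw1-acs-secret", b"something-else", b"anders", b"static-pw-1", users))
```

The three calls at the bottom give the three outcomes a NAS can see: Accept verified, Reject verified, and a reply the NAS throws away. On the wire the second and third look the same (request out, reply back), which is why a snoop alone cannot tell you whether the client accepted what came back. Note that in this toy the secret mismatch also breaks the server's password check, so the server would log a failure, which is not what the post reports; the point shown is only the client-side discard. RFC 2865 also names 1812 as the assigned port and 1645 as the earlier one, so the port, the secret and the address the reply comes from all have to agree on both ends before attribute tuning is worth the time.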