
[FW-1] S/Key's



Hi all,

Yesterday I ran into the following situation:

Upgrading a Stonebeat HA Cluster 3.1.4 with Checkpoint FW-1 4.1 Sp3
to Stonebeat 3.1.6 FW-1 NG SP2 (also split up the standalone
installation on the secondary node to a separate management station).
Hotfixes for SB and CKP are applied.

The customer used S/Keys for some users to authenticate. After
upgrading I generated a new list of keys for a user. I got the
keys and installed the whole policy (including the user-database).

First try:
        Gateway does not support skey
Ok, this problem was easily solved.

Second try:
        user is not recognized by skey system

(both messages appear on the client site)

Phoneboy-solution http://www.phoneboy.com/faq/0225.html doesn't
help. I tried to create a new user with skey-authentication...
no success.

Found no hint in the CKP-Knowledgebase.

After some troubleshooting I found out that the file fwuserauth.keys
in $FWDIR/database is empty. On the management station and on the
primary node...

Ok, so this is the reason why the "user is not recognized by the
skey system"... but why?

I've seen this also on a Cluster-XL installation (migrating from
a standalone installation to C-XL; separate mgmt-station).
((The problem disappeared because all the users switched to the
newly installed SecurID authentication.))


Thanks for any hint,
ho

-------------------------------------------------------------------
Markus Hofbauer                                          IT-Service
phone : +43 (1) 60 126-34                       Internet & Security
fax : +43 (1) 60 126-4                      Bacher Systems EDV GmbH
mail: [email protected]                               Wienerbergstr. 11B
www : http://www.bacher.at/            A-1101 Wien, Austria, Europe
