
Re: [FW-1] SecureRemote NG + Radius



A,
There have been quite a few such requests lately. I'll see if I can write a step-by-step howto on the topic, as it's not documented on Phoneboy or anywhere else that I've found.

But the basics are:
- With NT4 SP4 and later, plus in W2K (any SP), each user must be granted dial-in rights.
- Clear text (PAP) authentication (no MS-CHAP or similar).
- It works with both RADIUS 1.0 and 2.0 protocol settings on FW-1.
- Make sure the firewall and the RADIUS server can talk to each other and that there is no NATing taking place on the RADIUS communication.
- For debugging purposes, tcpdump/network monitor and netcat are useful tools. RADIUS uses UDP, so you can't use telnet to verify the connection.
- The RADIUS shared secret might be sensitive about some characters; I don't remember which ones, or whether it was FW-1 or W2K that caused this problem.
- The IAS log is always a good place to watch carefully.

Lars

> -----Original Message-----
> From: Andrea Coppini [mailto:[email protected]]
> Sent: Thursday, October 24, 2002 22:11
> To: [email protected]
> Subject: Re: [FW-1] SecureRemote NG + Radius
>
>
> Lars,
>
> There are at least 2 of us interested in this information... Care to
> share any info you might have on how to go about this?
>
> Regards
> A
>
>
> -----Original Message-----
> From: Lars Troen [mailto:[email protected]]
> Sent: 24 October 2002 8:30 PM
> To: [email protected]
> Subject: Re: [FW-1] SecureRemote NG + Radius
>
>
> Chris,
> I have used Microsoft Radius (IAS: NT4 / w2k AD) to authenticate users
> on both 4.0, 4.1 and NGFP2.
>
> Lars
> > -----Original Message-----
> > From: Barber, Chris [mailto:[email protected]]
> > Sent: Thursday, October 24, 2002 18:52
> > To: [email protected]
> > Subject: Re: [FW-1] SecureRemote NG + Radius
> >
> >
> > If you are using LDAP/Active Directory, do a search on Checkpoint's
> > website for "Active Directory". In the list that comes up there will
> > be a document that is titled "How to configure Microsoft's Active
> > Directory Server to work with Checkpoint NG FP2"; that will be better
> > than radius. Last time I checked with CheckPoint they did not support
> > Microsoft Radius, but that was on 4.1 fp5; it may now be supported on NG.
> >
> > Chris.
> >
> > -----Original Message-----
> > From: Devon Harding - GTHLA [mailto:[email protected]]
> > Sent: Thursday, October 24, 2002 12:28 PM
> > To: [email protected]
> > Subject: [FW-1] SecureRemote NG + Radius
> >
> >
> > How can I get SecureRemote NG to authenticate against a radius (Win2K)
> > server without creating internal CheckPoint users?  I'd like for it to
> > look up the users on the Radius server instead of looking for them
> > in CheckPoint first.
> >
> > -Devon
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
> >
>
> Andrea Coppini
> +356 79 ANDREA (263732)
> [email protected]
>
