
Re: [FW-1] SecureRemote NG + Radius



Well, I can get this working ONLY if I add the user in CheckPoint.  There, I
can modify the authentication tab of the user and tell it to authenticate with
a radius server which I've added in CheckPoint to talk to IAS, which works
fine.

Two problems exist:

1. I want the users to authenticate via radius WITHOUT creating them in
CheckPoint. (My AD contains over 2000 users)

2. When a user does authenticate, I would like him to use an address pool on
the network instead of his real NAT IP address.  (He's behind a NAT router.)

How can this be done?

-Devon

-----Original Message-----
From: libone mhlanga [mailto:[email protected]]
Sent: Friday, October 25, 2002 6:02 AM
To: [email protected]
Subject: Re: [FW-1] SecureRemote NG + Radius

Well there are three of us interested now ... I tried last night and failed
to make FW1/VPN1-NG FP2 talk to an already existing RADIUS server !!
--

On Thu, 24 Oct 2002 23:08:52
 Lars Troen wrote:
>A,
>There have been quite a few such requests lately. I'll see if I can write a
>step by step howto on the topic as it's not documented on Phoneboy or
>anywhere else that I've found.
>
>But the basics are:
>- With nt4sp4 and later, plus in w2k (any sp) each user must be granted
>  dial-in rights.
>- clear text (pap) authentication (no ms-chap or similar)
>- It works with both radius 1.0 and 2.0 protocol settings on fw1.
>- Make sure the firewall and the radius server can talk to each other and
>  that there is no natting taking place on the radius communication.
>- For debugging purposes, tcpdump/network monitor and netcat are useful
>  tools. Radius is using udp so you can't use telnet to verify the connection.
>- The radius shared secret might be sensitive about some characters, I
>  don't remember which ones and if it was fw1 or w2k that caused this problem.
>- The IAS log is always a good place to watch carefully.
>
>Lars
>
>> -----Original Message-----
>> From: Andrea Coppini [mailto:[email protected]]
>> Sent: Thursday, October 24, 2002 22:11
>> To: [email protected]
>> Subject: Re: [FW-1] SecureRemote NG + Radius
>>
>>
>> Lars,
>>
>> There are at least 2 of us interested in this information... Care to
>> share any info you might have on how to go about this?
>>
>> Regards
>> A
>>
>>
>> -----Original Message-----
>> From: Lars Troen [mailto:[email protected]]
>> Sent: 24 October 2002 8:30 PM
>> To: [email protected]
>> Subject: Re: [FW-1] SecureRemote NG + Radius
>>
>>
>> Chris,
>> I have used Microsoft Radius (IAS: NT4 / w2k AD) to authenticate users
>> on both 4.0, 4.1 and NGFP2.
>>
>> Lars
>> > -----Original Message-----
>> > From: Barber, Chris [mailto:[email protected]]
>> > Sent: Thursday, October 24, 2002 18:52
>> > To: [email protected]
>> > Subject: Re: [FW-1] SecureRemote NG + Radius
>> >
>> >
>> > If you are using LDAP/Active Directory do a search on Checkpoint's
>> > website for "Active Directory"; in the list that comes up there will
>> > be a document that is titled "How to configure Microsoft's Active
>> > Directory Server to work with Checkpoint NG FP2" that will be better
>> > than radius.  Last time I checked with CheckPoint they did not support
>> > Microsoft Radius, but that was on 4.1 fp5, it may now be supported on NG.
>> >
>> > Chris.
>> >
>> > -----Original Message-----
>> > From: Devon Harding - GTHLA [mailto:[email protected]]
>> > Sent: Thursday, October 24, 2002 12:28 PM
>> > To: [email protected]
>> > Subject: [FW-1] SecureRemote NG + Radius
>> >
>> >
>> > How can I get SecureRemote NG to authenticate against a radius (Win2K)
>> > server without creating internal CheckPoint users?  I'd like for it to
>> > look up the users on the Radius server instead of looking for them
>> > in CheckPoint first.
>> >
>> > -Devon
>> >
>> > =================================================
>> > To set vacation, Out Of Office, or away messages,
>> > send an email to [email protected]
>> > in the BODY of the email add:
>> > set fw-1-mailinglist nomail
>> > =================================================
>> > To unsubscribe from this mailing list,
>> > please see the instructions at
>> > http://www.checkpoint.com/services/mailing.html
>> > =================================================
>> > If you have any questions on how to change your
>> > subscription options, email
>> > [email protected]
>> > =================================================
>> >
>>
>>
>> Andrea Coppini
>> +356 79 ANDREA (263732)
>> [email protected]
>>
>>
>
>
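
Added example, not part of the original thread and not Check Point or Microsoft code: a minimal RADIUS test client for the checks listed in the quoted reply (PAP only, UDP transport, matching shared secret). It follows RFC 2865; the port default and the result labels are assumptions made for this example.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 (PAP): XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(type_code, value):
    return struct.pack("!BB", type_code, len(value) + 2) + value

def build_access_request(ident, user, password, secret, authenticator):
    # Attribute 1 = User-Name, attribute 2 = User-Password (hidden, not encrypted).
    attrs = attr(1, user) + attr(2, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def response_is_authentic(reply, request_authenticator, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(reply) < 20:
        return False
    digest = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(digest, reply[4:20])

def probe(host, user, password, secret, port=1812, timeout=3.0):
    """Send one Access-Request over UDP and classify what comes back.
    port=1812 is an assumption; older servers may listen on 1645."""
    auth = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(1, user, password, secret, auth), (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-reply"        # filtered, NATed, or the server does not know this client
    if not response_is_authentic(reply, auth, secret):
        return "secret-mismatch"     # reply was signed with a different shared secret
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")
```

Run probe() from the firewall host itself, so the request arrives from the source address the RADIUS server has configured as its client.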

