
Re: [FW-1] SecuRemote + ActivPack AAA



Hello again Dieter,
 
I've been doing some checks on the OPSEC site and ActivPack works like the RADIUS Servers, so this is all a different situation, but I'll try to explain.
 
Since ActivPack works like a RADIUS Server here is what you need to do.
 
You need to create:
1. A Host type object with the ActivPack IP (ex.: activpack_srv)
2. A RADIUS Server object, with activpack_srv set to be your RADIUS server.
 
This is for you to be able to use ActivPack.
 
Next you'll need to use Hybrid-mode authentication so that your users' passwords are checked against the ActivPack passwords.
Set this mode in the Firewall object and be sure to have RADIUS checked on your Firewall object in the Authentication tab.
 
Now the users:
 
To ease the procedure with all the users you should create a template with the following features:
1. Authentication tab - Select RADIUS and after that, add the ActivPack RADIUS Server object you created before.
2. Select the IKE encryption method and set which method you want to use in the VPN (ex.: SHA1+3DES), do not check Password in the Authentication tab of the IKE properties, and I think you should first try to remove the Public Key check also.
3. Create a user, using this template, and the only thing you need is to match the username with a userID of the ActivPack UserDB.
 
Now in the rulebase it's the standard.
 
Go on, try it, I'm pretty sure it will work.
 
With LDAP Servers it's all different, and I think this is not your case.
 
But again, if I'm wrong please reply, I'll be glad to help you once more.
 
Best regards,
 
Carlos Santos
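Carlos's steps above route the SecuRemote user's password check through ActivPack acting as a RADIUS server. The exchange that happens underneath is a plain RFC 2865 PAP Access-Request / Access-Accept round trip; the Python below is an added example, not code from the original thread, from Check Point or from ActivPack. The gateway side hides the password with the shared secret and a random Request Authenticator, the server side recovers it, checks a constructed user table and signs its answer with the Response Authenticator, and the gateway side refuses any answer whose authenticator does not verify. The shared secret, the user table and the NAS identifier are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed, offline stand-ins: the shared secret both the gateway and the
# RADIUS server would be configured with, and the user table ActivPack would
# hold. Neither value comes from the original thread.
SHARED_SECRET = b"example-shared-secret"
USER_DB = {b"dschutte": b"correct horse battery staple"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    """Decode a run of attributes into {type: value}; stop on a malformed length."""
    attrs = {}
    while len(data) >= 2:
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2:
            break
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def _hide_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding: MD5-chained XOR over 16-byte blocks."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out, prev = out + cipher, cipher
    return out


def _reveal_password(hidden, secret, request_auth):
    """Inverse of _hide_password; strips the NUL padding (so a password may not end in NUL)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_id=b"fw1-gateway"):
    """Gateway side: returns (Access-Request packet, Request Authenticator to keep for the reply)."""
    request_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, _hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def handle_access_request(packet, secret, user_db):
    """Server side (what a RADIUS-style server such as ActivPack does): verify the user, sign the answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    presented = _reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    stored = user_db.get(attrs.get(ATTR_USER_NAME))
    ok = code == ACCESS_REQUEST and stored is not None and hmac.compare_digest(stored, presented)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + b"" + secret).digest()
    return header + resp_auth


def verify_response(reply, request_auth, secret):
    """Gateway side: check the Response Authenticator before trusting the code; None if it fails."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def authenticate(username, password, secret=SHARED_SECRET, user_db=USER_DB, ident=1):
    """Full round trip in one process; returns 'accept', 'reject' or 'unverified'."""
    request, request_auth = build_access_request(ident, username, password, secret)
    reply = handle_access_request(request, secret, user_db)
    code = verify_response(reply, request_auth, secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unverified")


if __name__ == "__main__":
    print("good password:", authenticate(b"dschutte", b"correct horse battery staple"))
    print("bad password: ", authenticate(b"dschutte", b"wrong"))
```

A mismatched shared secret between the Firewall's RADIUS Server object and the ActivPack side does not show up as a clean reject: the server decodes the password to garbage and signs its reply with the other secret, so the gateway side sees an answer it cannot verify. That is the first thing to check when a newly configured RADIUS object rejects every user.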
-----Original Message-----
From: Dieter Schutte [mailto:[email protected]]
Sent: Thursday, 21 November 2002 6:13
To: [email protected]
Cc: [email protected]
Subject: FW: [FW-1] SecuRemote + ActivPack AAA

Hi Carlos,
 
Thank you for the reply. I would like to comment on a few suggestions you made.

> I'm sorry if I'm getting this wrong and I don't know much about ActivPack
> but seems to me that you are choosing the wrong authentication method on
> the ActivPack DB itself.

We are using LDAP and the DB / repository and we can't change the auth method from dynamic password to static as this defeats the object of our exercise.

> If you plan to use the Internal Passwords of ActivPack, maybe you should
> think about using hybrid-mode rather than pre-shared secret passwords.

This is not an option that we can configure in Pack itself but more something that needs to be done on the FW.

> If you plan to use pre-shared secret, ActivPack should have another
> password field (just guessing but it should be called "pre-shared
> secret") on the users encryption settings.

Again, this is not something that can be configured from a Pack point of view but rather should be done on the FW (this is how we did it with FP).

> I've worked with LDAP servers and a FW-1 schema must be added to the
> LDAP schema for these new fields to be available (at least with Iplanet
> LDAP, this is how it works)

Will you please be so kind to send me information on how to create the FW-1 schema in LDAP...

> Don't forget that if using an external user database that database must
> hold the encryption settings for each user.

How do I do this?

> As I've said I don't really know ActivPack so I'm not able to give you a
> clean help on this I'm just telling you that surely that DB must hold
> all this info as I told you.

The database (LDAP) is capable of holding all the info required, it's just how we configure it in conjunction with Pack & FW that I need assistance on.

Any help would be appreciated.

Regards,

Dieter

 
