
Re: [FW-1] ActivPack Radius Profiles + ACM



Hi Sopor,

Thanks for the reply. The whole idea behind this is to have one centrally managed user database (LDAP).
If we opt for the second option (Auth Firewall ---> LDAP Server ---> Radius), where in LDAP do we
define this profile? I would assume that you use the "schema.ldif" file to extend the iPlanet schema, but once this is
done, how do I configure the actual user profile?

Regards,
Dieter





-----Original Message-----
From: Sopor [mailto:[email protected]]
Sent: 10 December 2002 03:04
To: Dieter Schutte
Subject: RE: [FW-1] ActivPack Radius Profiles + ACM


Hello Dieter,

OK, now I think I can see your point.

Unfortunately, using Radius authentication and getting the user's
profile is, as far as I know, not possible.

Here is how things go:

By using Radius you will still have to create the user profile inside the
internal user database of Firewall-1, so the profile will be matched
internally rather than against Radius, or even a second match against an LDAP
server.

The only thing Firewall-1 will do is match its internal username
against your external username and password.

In the Radius (ActivPack), the password will be matched internally if
the username also exists in the LDAP (I think this is how it goes).

And that is all.

I would say, in this case you are forced to define (like a duplicate from
the LDAP) your user profile in the Firewall-1 user database.

AMC is not required for that.

On the other hand, you can have it all if you choose to use the second
option I gave you, and it's not that hard to work out either.

Auth Firewall ---> LDAP Server --- that matchs with ---> Radius

This way you will force Firewall-1 to match against an external
user database (LDAP) which holds all the user profile info like encryption,
group, source IP, dst IP, time ranges, all Firewall-1 needs.

For this you will need only AMC, because the LDAP management console is not
that simple for configuring all this info.

Another thing you will need, if you have a Microsoft Active Directory or
iPlanet Directory Server, is to upgrade your LDAP schema, which is available
in the $FWDIR/lib/ldap/ folder.

After you do that you just have to create an LDAP Server and an
external_group.

I believe this would be the proper solution, since you can set the LDAP to
match the username's password against a Radius Server (ActivPack), and then you
would have centrally managed user profiles with dynamic passwords.

The full process is a bit complicated, but I believe I've seen an e-mail
sent to you by the mailing list explaining how it's done; if you have
more questions, just ask.

Have fun,

S

On Tue, 10 Dec 2002, Dieter Schutte wrote:

> Hi Sopor,
>
> I want to authenticate SecuRemote connections to my AAA server (using ActivPack dynamic passwords), which in turn queries the
> LDAP as my user database. (Auth Firewall ---> Radius Server ---> LDAP).
>
> My problem however is the following: in the firewall I defined a "generic*" user to authenticate all users that are not defined
> in the FW-1 user database against the Radius server, but since this is a generic user, I cannot restrict certain users with firewall
> rules, i.e. one user ("generic*") rule applies to all my users who access my network remotely. I know that you can define Radius
> authorization profiles to restrict user access to certain IPs and protocols only. Can the AMC on the FW fetch this authorization profile
> from the Directory and enforce the specified authorization restrictions?
>
> Kind regards,
> Dieter
>
>
>
>

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================