
Re: [FW-1] ActivPack Radius Profiles + ACM



Hi,

You need to manage the LDAP server from FireWall-1, which will then
enable you to set the CheckPoint settings. If you have imported the schema,
it is possible to set the settings via the iPlanet management console.

Neal

Dieter Schutte wrote:

>Hi Sopor,
>
>Thanks for the reply. The whole idea behind this is to have one centrally managed user database (LDAP).
>If we opt for the second option (Auth Firewall ---> LDAP Server ---> Radius), where in LDAP do we
>define this profile? I would assume that you use the "schema.ldif" file to extend the iPlanet schema, but once this is
>done, how do I configure the actual user profile?
>
>Regards,
>Dieter
>
>-----Original Message-----
>From: Sopor [mailto:[email protected]]
>Sent: 10 December 2002 03:04
>To: Dieter Schutte
>Subject: RE: [FW-1] ActivPack Radius Profiles + ACM
>
>
>Hello Dieter,
>
>OK, now I think I can see your point.
>
>Unfortunately, using Radius authentication and getting the user's
>profile is, as far as I know, not possible.
>
>Here is how things go:
>
>By using Radius you will still have to create the user profile inside the
>internal user database of FireWall-1, so the profile will be matched
>internally rather than against Radius, or even by a second match against an LDAP
>server.
>
>The only thing FireWall-1 will do is to match its internal username
>against your external username and password.
>
>In the Radius (ActivPack), the password will be matched internally if
>the username also exists in the LDAP (I think this is how it goes).
>
>And that is all.
>
>I would say, in this case you are forced to define (like a duplicate from
>the LDAP) your user profile in the FireWall-1 user database.
>
>AMC is not required for that.
>
>On the other hand you can have it all if you choose to use the second
>option I gave you, and it's not that hard to work out either.
>
>Auth Firewall ---> LDAP Server --- that matches with ---> Radius
>
>This way you will force FireWall-1 to match against an external
>user database (LDAP) which holds all the users' profile info like encryption,
>group, source IP, destination IP, time ranges, all FireWall-1 needs.
>
>For this you will need only AMC, because LDAP's management console is not
>that simple to configure all this info.
>
>Another thing you will need if you have a Microsoft Active Directory or
>iPlanet Directory Server is to upgrade your LDAP schema with the one available
>in the $FWDIR/lib/ldap/ folder.
>
>After you do that you just have to create an LDAP Server and an
>external_group.
>
>I believe this would be the proper solution, since you can set the LDAP to
>match the username's password against a Radius Server (ActivPack) and then you
>would have centrally managed user profiles with dynamic passwords.
>
>The full process is a bit complicated, but I believe I've seen an e-mail
>sent to you by the mailing list explaining how it's done; if you have
>more questions, just ask.
>
>Have fun,
>
>S
>
>On Tue, 10 Dec 2002, Dieter Schutte wrote:
>
>>Hi Sopor,
>>
>>I want to authenticate SecuRemote connections to my AAA server (using ActivPack dynamic passwords), which in turn queries the
>>LDAP as my user database. (Auth Firewall ---> Radius Server ---> LDAP).
>>
>>My problem however is the following: In the firewall I defined a "generic*" user to authenticate all users that are not defined
>>in the FW-1 user database against the Radius server, but since this is a generic user, I cannot restrict certain users with firewall
>>rules, i.e. one user ("generic*") rule applies to all my users who access my network remotely. I know that you can define Radius
>>authorization profiles to restrict user access to certain IPs and protocols only. Can the AMC on the FW fetch this authorization profile
>>from the Directory and enforce the specified authorization restrictions?
>>
>>Kind regards,
>>Dieter
>>
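The two designs discussed above differ in where authorization comes from: with a wildcard "generic*" internal user, every remotely authenticated user who is unknown to the internal database inherits the same single rule, while with per-user profiles held in LDAP, FireWall-1 looks the user up by name and only delegates the password check to Radius. The following toy model is an added example, not code from this thread, FireWall-1, ActivPack or iPlanet; the profile fields, the `otp-<user>` password convention and the IP ranges are constructed stand-ins, not the real CheckPoint LDAP schema. It shows why a "generic*" entry cannot restrict individual users and how a per-user profile lookup closes that gap.

```python
"""Toy model of FireWall-1 user matching with a wildcard internal user
versus per-user profiles fetched from an external directory.
Constructed for illustration only; attribute names are invented."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Profile:
    allowed_src: list  # CIDR strings the user may connect from
    allowed_dst: list  # CIDR strings the user may reach
    auth: str          # "radius": password is checked externally


# Design 1 (constructed): internal user database with a "generic*" entry.
# Any login name not found here falls through to the generic* profile.
INTERNAL_DB = {
    "alice":    Profile(["10.1.0.0/16"], ["192.168.10.0/24"], "radius"),
    "generic*": Profile(["0.0.0.0/0"],   ["192.168.0.0/16"],  "radius"),
}

# Design 2 (constructed): one profile per user, held in LDAP; there is no
# wildcard, so an unknown user has no profile and is rejected.
LDAP_DB = {
    "alice": Profile(["10.1.0.0/16"], ["192.168.10.0/24"], "radius"),
    "bob":   Profile(["10.2.0.0/16"], ["192.168.20.0/24"], "radius"),
}


def radius_check(user, password):
    """Stand-in for the ActivPack dynamic-password check (constructed)."""
    return password == f"otp-{user}"


def lookup_internal(user):
    """Exact match first, otherwise the generic* catch-all (if defined)."""
    return INTERNAL_DB.get(user) or INTERNAL_DB.get("generic*")


def lookup_ldap(user):
    """Per-user lookup only; None means the directory has no such user."""
    return LDAP_DB.get(user)


def authorize(profile, user, password, src, dst):
    """Authenticate via Radius, then enforce the profile's restrictions."""
    if profile is None:
        return False, "no profile"
    if profile.auth == "radius" and not radius_check(user, password):
        return False, "bad password"
    if not any(ip_address(src) in ip_network(n) for n in profile.allowed_src):
        return False, "source not allowed"
    if not any(ip_address(dst) in ip_network(n) for n in profile.allowed_dst):
        return False, "destination not allowed"
    return True, "ok"


def design1(user, password, src, dst):
    """Auth Firewall ---> Radius, with profiles from the internal database."""
    return authorize(lookup_internal(user), user, password, src, dst)


def design2(user, password, src, dst):
    """Auth Firewall ---> LDAP profile ---> Radius password check."""
    return authorize(lookup_ldap(user), user, password, src, dst)


if __name__ == "__main__":
    # bob is not in the internal database, so the generic* rule applies and
    # lets him reach alice's subnet from anywhere; the LDAP profile does not.
    print("design1:", design1("bob", "otp-bob", "172.16.5.5", "192.168.10.9"))
    print("design2:", design2("bob", "otp-bob", "172.16.5.5", "192.168.10.9"))
    print("design2:", design2("bob", "otp-bob", "10.2.3.4", "192.168.20.9"))
```

The point the model makes is the one Dieter raised: under the wildcard design the authentication step is per user (Radius still rejects a wrong one-time password), but the authorization step is shared by everyone the internal database does not name, so no source, destination or time restriction can be tied to a particular remote user. Moving the profile into the directory keeps the dynamic-password check where it is and makes the restrictions per user again.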

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================