
[FW-1] Encrypted Radius requests from distributed FW's to centralized radius server


  • To: [email protected]
  • Subject: [FW-1] Encrypted Radius requests from distributed FW's to centralized radius server
  • From: "Kalat, Andrew (ISS Atlanta)" <[email protected]>
  • Date: Fri, 28 Feb 2003 10:58:33 -0500
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-topic: Encrypted Radius requests from distributed FW's to centralized radius server

Hello,
     Not to be a bother, but unfortunately I didn't hear anything on
this, so I am resending.

I'm hoping someone has had experience with this situation. It would seem
fairly common. Firewalls are Checkpoint NG, FP3, running on Solaris.
Radius is Steel Belted running on Windows.

Given 3 firewalls, A, B, and C. They are distributed around the internet,
connecting various networks over a VPN.

Radius server (raz) is authenticating remote users to all three
firewalls. This radius server (raz) resides behind firewall A.
Authentication requests from A, B, and C all travel to raz.

Here's the rub.  The outbound radius requests from B and C happen before
any VPN rules, and as such, they are traversing the net unencrypted.
This is not a problem for A, since RAZ is on a DMZ behind A. So, does
anyone know how to get B and C to use their established VPNs to A to
tunnel this authentication traffic?

Much appreciated to anyone who can provide insight or pointers. Take
care.




---------------------------------------------------------
Andrew J. Kalat,                | Direct:
MSS Senior Security Engineer    | Main:
Internet Security Systems, Inc. | E-Mail: [email protected]
6303 Barfield Road              | <http://www.iss.net/>
Atlanta, GA 30328               | PGP key available.

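To make concrete what "unencrypted" means for the RADIUS requests described in the message above, the following added example (not part of the original post) builds an RFC 2865 Access-Request and lists what is readable on the path without the shared secret. The user name, password, shared secret, packet id and 192.0.2.2 address are constructed sample values.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident: int, authenticator: bytes, attrs) -> bytes:
    """Code 1 (Access-Request) + id + length + 16-byte authenticator + TLVs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value}; reject truncated packets and bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def wire_exposure(packet: bytes) -> dict:
    """Fields readable on the path without knowing the shared secret."""
    attrs = parse_attributes(packet)
    return {
        "user_name": attrs.get(USER_NAME, b"").decode(errors="replace"),
        "nas_ip": ".".join(str(b) for b in attrs.get(NAS_IP_ADDRESS, b"")),
        "hidden_password_len": len(attrs.get(USER_PASSWORD, b"")),
    }

# Constructed sample: firewall B (192.0.2.2) asking raz about user "alice".
AUTH = bytes(range(16))  # a real client uses a random authenticator
SAMPLE = build_access_request(7, AUTH, [
    (USER_NAME, b"alice"),
    (USER_PASSWORD, hide_password(b"constructed-pw", b"constructed-secret", AUTH)),
    (NAS_IP_ADDRESS, bytes([192, 0, 2, 2])),
])

if __name__ == "__main__":
    print(wire_exposure(SAMPLE))
```

The user name and the requesting firewall's address travel in the clear; only the password field is obscured, and only by MD5 keyed with the shared secret, which is why carrying this traffic inside the VPN matters.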



 
   All contents © 2004 Network Presence, LLC. All rights reserved.