Re: [FW-1] Encrypted Radius requests from distributed FW's to centralized radius server
That's doable but with some cost. You need to disable the "Allow Firewall-1 Control Connections" option in the global properties. That is because this allows the FW itself to send out the Radius request first. You can see this by looking at the implied rules. So, turn this off and configure the policy to enable control connections manually. Configure the VPN to include the connections from the FW itself. This should work, as it worked for me.

Another option you might consider, which I didn't try, is to configure your Radius server and the firewall to use a non-standard Radius port so that we can avoid getting filtered by the implied rule.

HTH,
Sun Infonet Services


"Kalat, Andrew (ISS Atlanta)" <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
02/28/2003 07:58 AM
Please respond to Mailing list for discussion of Firewall-1

To: [email protected]
cc:
Subject: [FW-1] Encrypted Radius requests from distributed FW's to centralized radius server

Hello,

Not to be a bother, but unfortunately I didn't hear anything on this, so I am resending. I'm hoping someone has had experience with this situation. It would seem fairly common.

Firewalls are Checkpoint NG, FP3, running on Solaris. Radius is Steel Belted running on Windows.

Given 3 firewalls, A, B, and C. They are distributed around the internet, connecting various networks over a VPN. Radius server (raz) is authenticating remote users to all three firewalls. This radius server (raz) resides behind firewall A. Authentication requests from A, B, and C all travel to raz.

Here's the rub. The outbound radius requests from B and C happen before any VPN rules, and as such, they are traversing the net unencrypted. This is not a problem for A, since raz is on a DMZ behind A.

So, does anyone know how to get B and C to use their established VPNs to A to tunnel this authentication traffic?

Much appreciated to anyone who can provide insight or pointers.

Take care.
---------------------------------------------------------
Andrew J. Kalat, MSS Senior Security Engineer
Internet Security Systems, Inc.
6303 Barfield Road, Atlanta, GA 30328
Direct: | Main: | E-Mail: [email protected]
<http://www.iss.net/>
PGP key available.

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected]
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
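What is actually exposed when B and C send their Radius requests outside the tunnel, shown as an added example that is not code from the thread, from Check Point, or from Steel Belted. It builds an RFC 2865 Access-Request the way a NAS would, then looks at it first as a sniffer on the Internet path would (no shared secret) and then as someone holding the shared secret would. The User-Name attribute is plain text, and User-Password is only XOR-obscured with MD5(secret + authenticator), so the secret is all that protects it. The shared secret, the request authenticator, the user name and the password are constructed values, not anything from the original post.

```python
"""RFC 2865 Access-Request on the wire: what an on-path observer sees.

Added example, not code from the original thread or from Check Point.
All values (shared secret, authenticator, user name, password) are
constructed for illustration; a real authenticator is os.urandom(16).
"""
import hashlib
import struct

CODE_ACCESS_REQUEST = 1   # RFC 2865 section 3
ATTR_USER_NAME = 1        # RFC 2865 section 5.1, sent in cleartext
ATTR_USER_PASSWORD = 2    # RFC 2865 section 5.2, obscured, not encrypted


def _pad16(data: bytes) -> bytes:
    """Pad to a multiple of 16 bytes (minimum 16), as section 5.2 requires."""
    size = max(16, ((len(data) + 15) // 16) * 16)
    return data.ljust(size, b"\x00")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide the password: c1 = p1 XOR MD5(S+RA), c_n = p_n XOR MD5(S+c_{n-1})."""
    out, prev, padded = b"", authenticator, _pad16(password)
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decode_password(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of encode_password; anyone holding the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Code | Identifier | Length | Request Authenticator | Attributes."""
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encode_password(password, secret, authenticator)))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(pkt: bytes) -> dict:
    """Parse a RADIUS packet into header fields and a {type: value} attribute map."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length > len(pkt):
        raise ValueError("length field exceeds packet")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "id": identifier, "authenticator": pkt[4:20], "attrs": attrs}


def observer_view(pkt: bytes) -> dict:
    """What a sniffer between B/C and raz learns with no secret at all."""
    p = parse_packet(pkt)
    return {"username": p["attrs"][ATTR_USER_NAME].decode(),
            "password_obscured_hex": p["attrs"][ATTR_USER_PASSWORD].hex()}


def recover_password(pkt: bytes, secret: bytes) -> bytes:
    """What the same sniffer learns once it knows (or guesses) the shared secret."""
    p = parse_packet(pkt)
    return decode_password(p["attrs"][ATTR_USER_PASSWORD], secret, p["authenticator"])


# Constructed sample: firewall B authenticating user "andrew" against raz.
SECRET = b"s3cret-shared-with-raz"          # assumption, not a real secret
AUTHENTICATOR = bytes(range(16))            # fixed for reproducibility
SAMPLE_REQUEST = build_access_request(7, b"andrew", b"Hunter2!", SECRET, AUTHENTICATOR)

if __name__ == "__main__":
    print("on the wire, no secret:", observer_view(SAMPLE_REQUEST))
    print("with the shared secret:", recover_password(SAMPLE_REQUEST, SECRET))
```

Run it and the first line shows the user name in the clear with a 16-byte blob for the password; the second line shows that blob turning back into the password for anyone who has the secret. Both options in the reply above aim at the same thing: getting this datagram matched by an explicit VPN rule instead of the implied control-connection rule, so that it is carried inside the tunnel to A rather than sent across the Internet as it is here.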