[FW-1] SecurID and FP3 addendum



I had something to add to the profiles section of my document:

Profiles
This is for authenticating to SecurID through RADIUS. A particularly
useful aspect of this feature is the ability to have user groups on the
firewall and RADIUS server and never have to add user accounts. This is
accomplished by creating groups on FW-1 prefaced by "RAD_", e.g.
RAD_support.

Another critical tip here: IF you did not import the RADIUS files during
installation, you will have to do it now. The syntax to do this is:

loadraddb "xyzzy" [dictionary] [mapfile]

command = loadraddb
password = hardcoded "xyzzy" (yes... really, this is the password.)
dictionary = dictionary file (data/dictionary)
securidmap = data/securidmap

Next you need to create profiles and assign them to users. This is how the
ACE server will pass an attribute (like "Class") back to the firewall to
let it know that the user "Bob" that attempted to authenticate via
"generic*" belongs to the Support group, and should be allowed for the
Support rules in the policy. Go to Profiles and click Add (when you do
this, a SecurID group is also created). Then assign it to a user. If your
group structure is simple, this will not be hard, but if it's complex,
i.e. many groups, you may end up creating a profile for each user and
assigning it.
