Well, I can get this working ONLY if I add the user in CheckPoint. There, I can modify the authentication tab of the user and tell it to authenticate with a radius server which I've added in CheckPoint to talk to IAS, which works fine.
Two problems exist:

1. I want the users to authenticate via radius WITHOUT creating them in CheckPoint. (My AD contains over 2000 users)
2. When a user does authenticate, I would like him to use an address pool on the network instead of his real NAT IP address. (He's behind a NAT router.)

How can this be done?

-Devon

-----Original Message-----
From: libone mhlanga [mailto:libone@;LYCOS.COM]
Sent: Friday, October 25, 2002 6:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] SecureRemote NG + Radius

Well there are three of us interested now ... I tried last night and failed to make FW1/VPN1-NG FP2 talk to an already existing RADIUS server !!

--

On Thu, 24 Oct 2002 23:08:52 Lars Troen wrote:
>A,
>There have been quite a few such requests lately. I'll see if I can write a step by step howto on the topic as it's not documented on Phoneboy or anywhere else that I've found.
>
>But the basics are:
>- With nt4sp4 and later, plus in w2k (any sp) each user must be granted dial-in rights.
>- clear text (pap) authentication (no ms-chap or similar)
>- It works with both radius 1.0 and 2.0 protocol settings on fw1.
>- Make sure the firewall and the radius server can talk to each other and that there is no natting taking place on the radius communication.
>- For debugging purposes, tcpdump/network monitor and netcat are useful tools. Radius is using udp so you can't use telnet to verify the connection.
>- The radius shared secret might be sensitive about some characters, I don't remember which ones and if it was fw1 or w2k that caused this problem.
>- The IAS log is always a good place to watch carefully.
>
>Lars
>
>> -----Original Message-----
>> From: Andrea Coppini [mailto:andreacoppini@;IWG.INFO]
>> Sent: Thursday, October 24, 2002 22:11
>> To: [EMAIL PROTECTED]
>> Subject: Re: [FW-1] SecureRemote NG + Radius
>>
>>
>> Lars,
>>
>> There are at least 2 of us interested in this information... Care to
>> share any info you might have on how to go about this?
>>
>> Regards
>> A
>>
>>
>> -----Original Message-----
>> From: Lars Troen [mailto:Lars.Troen@;PROXYCOM.NO]
>> Sent: 24 October 2002 8:30 PM
>> To: [EMAIL PROTECTED]
>> Subject: Re: [FW-1] SecureRemote NG + Radius
>>
>>
>> Chris,
>> I have used Microsoft Radius (IAS: NT4 / w2k AD) to authenticate users
>> on both 4.0, 4.1 and NGFP2.
>>
>> Lars
>>
>> > -----Original Message-----
>> > From: Barber, Chris [mailto:cbarber@;CRITICALIP.COM]
>> > Sent: Thursday, October 24, 2002 18:52
>> > To: [EMAIL PROTECTED]
>> > Subject: Re: [FW-1] SecureRemote NG + Radius
>> >
>> >
>> > If you are using LDAP/Active Directory do a search on Checkpoints
>> > website for "Active Directory" in the list that comes up there will
>> > be a Document that is titled "How to configure Microsoft's Active
>> > Directory Server to work with Checkpoint NG FP2" that will be better
>> > than radius. Last time I checked with CheckPoint they did not support
>> > Microsoft Radius, but that was on 4.1 fp5, it may now be supported
>> > on NG.
>> >
>> > Chris.
>> >
>> > -----Original Message-----
>> > From: Devon Harding - GTHLA [mailto:DHarding@;GILATLA.COM]
>> > Sent: Thursday, October 24, 2002 12:28 PM
>> > To: [EMAIL PROTECTED]
>> > Subject: [FW-1] SecureRemote NG + Radius
>> >
>> >
>> > How can I get SecureRemote NG to authenticate against a radius (Win2K)
>> > server without creating internal CheckPoint users? I'd like for it to
>> > look up the users on the Radius server instead of looking for them
>> > in CheckPoint first.
>> >
>> > -Devon
>> >
>> > =================================================
>> > To set vacation, Out Of Office, or away messages,
>> > send an email to [EMAIL PROTECTED]
>> > in the BODY of the email add:
>> > set fw-1-mailinglist nomail
>> > =================================================
>> > To unsubscribe from this mailing list,
>> > please see the instructions at
>> > http://www.checkpoint.com/services/mailing.html
>> > =================================================
>> > If you have any questions on how to change your
>> > subscription options, email
>> > [EMAIL PROTECTED]
>> > =================================================
>> >
>>
>> Andrea Coppini
>> +356 79 ANDREA (263732)
>> [EMAIL PROTECTED]
>>
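An added example, not part of the original thread: the points in Lars's checklist (clear-text PAP, UDP transport, a shared secret on both sides) map onto the RFC 2865 Access-Request built below, which helps when comparing a tcpdump capture or the IAS log with what the firewall should have sent. The user name, password, secret and NAS identifier used with it are constructed sample values, and the function names are this example's own.

```python
# Added example: RFC 2865 PAP Access-Request encoding; names here are illustrative.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 1, 2, 32

def _keystream_xor(block: bytes, secret: bytes, prev: bytes) -> bytes:
    pad = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding: pad to 16-byte blocks, XOR with chained MD5 pads."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _keystream_xor(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user, password, secret, nas_id, ident=0, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    body = (_attr(USER_NAME, user)
            + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
            + _attr(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def response_is_authentic(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(response) < 20:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because a mismatched secret decodes to a garbled password rather than an explicit error, a secret problem shows up on the server as an ordinary failed logon, and a reply that fails `response_is_authentic` points at the same mismatch from the client side.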
