Chaps,

If you go for the subnetting option suggested by Jack you can set up MAC port
security on the Ciscos so the users cannot move ports by moving the UTP cable,
and shut down all unused ports. If you want the IOS command syntax I will
email it to whoever wants it.

Cheers Gary
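Gary's IOS syntax is not in the thread; what follows is an added example written for this page (not Gary's text and not a Cisco document) of the port-security setup he describes. It assumes a Catalyst access switch running IOS, user ports Fa0/1-12 in network A's VLAN 10, Fa0/13-23 in network B's VLAN 20, and Fa0/24 unused; the VLAN numbers and port ranges are placeholders.

```cisco
! Added example, not the syntax Gary offered to send. Assumed layout:
! Fa0/1-12 = network A users, Fa0/13-23 = network B users, Fa0/24 unused.
! Each user port is pinned to its subnet's VLAN and locked to the first
! MAC address it learns, so moving a cable from a "network A" port to a
! "network B" port no longer yields network B's firewall rights.
interface range FastEthernet0/1 - 12
 description Network A users (subnet permitted through FW-1 to DMZ ftp)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
interface range FastEthernet0/13 - 23
 description Network B users (no DMZ ftp access)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Unused port: parked in an unrouted VLAN and administratively down,
! so a stray patch lead gets nothing until an admin assigns it.
interface FastEthernet0/24
 description Unused - shut until assigned
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Optional: re-enable a port that was shut by a violation after 5 minutes
! instead of waiting for a manual "no shutdown" (the event still logs).
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Older IOS releases without the "sticky" keyword need a static "switchport port-security mac-address H.H.H" per port instead; "show port-security interface FastEthernet0/1" and "show port-security address" confirm the learned address and violation count.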

-----Original Message-----
From: Jack Coates [mailto:[EMAIL PROTECTED]]
Sent: 30 June 2000 15:50
To: Ivan Fox
Cc: Firewall-1
Subject: Re: [FW1] groups



Define 'easy' :-)

To do user-based authentication you need a user-authentication mechanism,
such as FW-1 accts (yuck) or a gateway to the NOS's acct db (think
RADIUS).

Alternatively you could do network based authentication by subnetting your
1000 users - check out www.monkeynoodle.org/lrp.html if you don't want to
buy another Cisco to do it with. The problem with this approach is that a
user from network A can theoretically plug into network B and get network
B's access rights, but that may not be a realistic problem (depending on
your floor layout, wiring, job descriptions, laptop v. desktop, &c).

HTH
Jack Coates, Rainfinity SE
t: 650-962-5301 m: 650-280-4376


On Fri, 30 Jun 2000, Ivan Fox wrote:

> 
> Let's say I have 1000 internal users; only 500 of them need to pass through
> a firewall to access an ftp server in the DMZ.  These 1000 users are using one
> big subnet, meaning that I cannot limit the access by "network".  I don't
> want to create 500 user accounts on the firewall, to avoid
> administration/performance overhead.
> 
> Is there an easy way to handle this scenario?
> 
> Any pointers are much appreciated.
> 
> Regards,
> 
> Ivan
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 



*******************************************************************************************************
Any opinions expressed in the email are those of the individual and not necessarily the
City Of Salford. This email and any files transmitted with it are confidential and
solely for the use of the intended recipient.
It may contain material protected by solicitor-client privilege. If you are not the
intended recipient or the person responsible for delivering to the intended recipient, 
be advised that you have received this email in error and that any use is strictly 
prohibited. If you have received this email in error please notify the IT manager by
telephone on +44 (0) 1617933906.
 
********************************************************************************************************


