That's the strange part, I do have two separate groups (in this example
AllUsers and LimitedUsers). For whatever reason, the generic* user is
being matched on all auth requests. Removing generic* and adding
individual accounts to the firewall resolved the problem.
According to the docs, if the username appears in the fw-1 user list, it
overrides generic*. I'm doing something wrong, be damned if I know what
it is... yet. ;-)
--- Gavin
-----Original Message-----
From: Dean Cunningham [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 22, 2001 18:02
To: Adams, Gavin; '[EMAIL PROTECTED]'
Subject: RE: [FW1] User auth question
Some quick thoughts.
You need to have another group with the non x-limited users in it. You
could use LDAP off another and internal ldap server to achieve this
rather than type all in.
Also have a read on the negate option when adding a group to the rule.
-----Original Message-----
From: Adams, Gavin [mailto:[EMAIL PROTECTED]]
Sent: Friday, 23 February 2001 7:44 AM
To: [EMAIL PROTECTED]
Subject: [FW1] User auth question
Greetings all,
I have a SR community using digital certs (IKE) to authenticate, and the
generic* user so I don't have to create individual user accounts on the
fw. However, I now need to create a second client encrypt rule to limit
certain SR users to a subset of resources. I've attempted this by only
creating those users that I want to encrypt on a different rule. All the
regular users still match against the generic user.
However, all users, including the ones created on the fw, are triggering
on the rule that has the generic user. Here's the config:
Users:
Generic* member of AllUsers group
x-limited member of Limited group
Rules on the firewall:
Rule  src            dst      protocol  action
4     Limited@any    serverA  http      client encrypt
5     AllUsers@any   any      any       client encrypt
When x-limited authenticates and attempts to connect to a resource in
the encryption domain, the rule that is triggered is rule 5, not rule 4.
This happens even when generic* is the only member of AllUsers.
Should this work? If not, any pointers?
Regards,
--- Gavin
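A small model of the rule base from this post, added here as an illustration and not part of the thread or of FireWall-1 itself. It assumes ordered first-match evaluation and the documented meaning of generic* quoted above (it covers only usernames that are not defined on the firewall); the `generic_matches_all` switch reproduces the behaviour Gavin observed, and `WORKAROUND` reproduces his fix of replacing generic* with individual accounts.

```python
# Model of an ordered FireWall-1-style rule base with user groups.
# Added example for the thread above; not FW-1 code. Semantics are an
# assumption taken from the documentation as quoted in the thread:
# rules are tried top-down, first match wins, and "generic*" matches only
# usernames that do NOT exist in the firewall's own user list.
from dataclasses import dataclass

GENERIC = "generic*"

@dataclass
class Rule:
    number: int
    src_group: str   # group the authenticated user must belong to
    dst: str         # "any" or a host name
    service: str     # "any" or a service name
    action: str

@dataclass
class UserDB:
    groups: dict                         # group name -> set of member names
    generic_matches_all: bool = False    # True = behaviour Gavin observed

    def defined_users(self):
        return {u for m in self.groups.values() for u in m if u != GENERIC}

    def user_in_group(self, user, group):
        members = self.groups.get(group, set())
        if user in members:
            return True
        if GENERIC in members:
            # Documented: generic* only covers users absent from the user list.
            return self.generic_matches_all or user not in self.defined_users()
        return False

def first_match(rules, userdb, user, dst, service):
    """Number of the first rule matching the connection, or None."""
    for r in rules:
        if (userdb.user_in_group(user, r.src_group)
                and r.dst in ("any", dst)
                and r.service in ("any", service)):
            return r.number
    return None

RULES = [
    Rule(4, "Limited", "serverA", "http", "client encrypt"),
    Rule(5, "AllUsers", "any", "any", "client encrypt"),
]
# Constructed user databases: documented semantics, observed behaviour, and
# the workaround of listing real accounts instead of generic* (names are made up).
DOCUMENTED = UserDB({"AllUsers": {GENERIC}, "Limited": {"x-limited"}})
OBSERVED = UserDB({"AllUsers": {GENERIC}, "Limited": {"x-limited"}}, True)
WORKAROUND = UserDB({"AllUsers": {"alice", "bob"}, "Limited": {"x-limited"}})
```

The security-relevant difference shows up on a destination other than serverA: under the documented semantics x-limited matches nothing, under the observed behaviour it falls through to rule 5 and the limit is ineffective, and with explicit accounts it is blocked again.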
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================