Thanks,
I've gone through setting up the internalCA and it certified properly (the
network object is case-sensitive). I have the generic* user defined and
also another user for topology downloads only, with a FW-1 password.
When I log in to SecuRemote with DOMAIN\username, I get authentication
denied, but I see no attempt from the firewall to access the RADIUS server.
Any other ideas?
Thanks for taking some time to help with this.
-----Original Message-----
From: Frost, Timothy E [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 18, 2001 9:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [FW1] RADIUS Setup
Patrick,
> I get no logging message on the RADIUS server about authentication
> even being attempted, but I get the following in the firewall logs:
> reject rule 0 reason Refused Topology request.
> Authentication scheme not allowed for user.
This error message indicates that you have turned off the property
Respond to Unauthenticated topology downloads
but have NOT enabled IKE authentication for the generic* user.
You have two options:
1: Enable unauthenticated topology downloads
2: Use Hybrid mode IKE
The password used for topology download is assigned in the IKE tab for the
generic* user (Encryption/IKE, Authentication tab). It will be the same for
ALL users authenticated by Radius. (Note that this REQUIRES IKE to be
enabled). Radius will NOT be used to validate this password.
The Radius password is used for the SecuRemote encrypted session, for either
FWZ or for Hybrid mode IKE.
--
Timothy Frost mailto:[EMAIL PROTECTED]
EDS New Zealand Fax: +64-4-495-0473
8 Gilmer Terrace Phone: +64-4-495-0504
P O Box 3647
Wellington
New Zealand
-----Original Message-----
From: Patrick Baird [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 18, 2001 3:42 AM
To: '[EMAIL PROTECTED]'
Subject: [FW1] RADIUS Setup
All,
FW-1 4.1 SP3
NT sp6a
RADIUS - W2k IAS
I have defined the following:
Firewall Object: Authentication Tab - RADIUS
I have defined a network object for my RADIUS server (Call it Radius1)
I have created a RADIUS server object - entered the shared secret
- I have selected RADIUS V2.0
I have created a RADIUS Group object, and placed the above RADIUS Server
object in it.
I have created the generic* user, added RADIUS, with my RADIUSServer group.
I have added the generic* user to the appropriate SR group for rule
definition.
I have unchecked the 'allow fw-1, blah, blah connections' in the properties
pane and have defined the appropriate connection rules manually
(topo,key,IKE,mgmt, etc...->they all work)
Before my stealth rule I have added the following rule:
FW Radius1 UDP RADIUS Accept Long SRC
On the W2k IAS server, I have added the FW object for authentication and
enabled it in Active Directory. The server does appear in the RAS & IAS
Servers group. The user does have RAS access enabled.
I get no logging message on the RADIUS server about authentication even being
attempted, but I get the following in the firewall logs:
reject rule 0 reason Refused Topology request. Authentication scheme not
allowed for user.
One question: do I need the Routing and Remote Access service running on the
IAS machine?
If I switch to FW-1 password on the firewall object, my SR rules work fine.
Can someone please tell me what I'm missing? I'm going crazy!!!!
Thanks in advance.
PDB
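Since the symptom above is that the IAS server never logs an authentication attempt, it helps to separate "the firewall never sends the request" from "IAS drops it". The following is an added diagnostic, not code from this thread or from Check Point: a minimal RFC 2865 Access-Request client that you run from the firewall host (or any machine registered as a RADIUS client on IAS) with the same shared secret. It assumes the server address, secret, username, password and NAS IP are supplied by you; the attribute and authenticator handling follows RFC 2865 sections 3 and 5.2.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous ciphertext block)."""
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value  # Type, Length (incl. header), Value

def build_access_request(ident, authenticator, username, password, secret, nas_ip):
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encode_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(response, request_authenticator, secret):
    """Reject replies whose authenticator was not computed with our shared secret (or are truncated)."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    return build_response(response[0], response[1], request_authenticator, secret, response[20:]) == response

def probe_radius(host, secret, username, password, nas_ip, port=1812, timeout=3.0):
    """Send one Access-Request and report what came back; IAS may listen on 1812 or legacy 1645."""
    ident, auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(ident, auth, username, password, secret, nas_ip), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no response: check the port, the RADIUS client entry for this host on IAS, and the UDP RADIUS rule"
    if data[1] != ident or not response_is_authentic(data, auth, secret):
        return "reply failed authenticator check: shared secret mismatch?"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(data[0], f"code {data[0]}")
```

A silent timeout from the firewall's own address points at the IAS client list, port or rule; an Access-Reject that IAS does log confirms the path works and narrows the problem back to the FW-1 authentication scheme for generic*.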
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================