PROBLEM SUMMARY: With an ACE 5.0 Master and a Checkpoint FW1,
ACE 3.3.1 or ACE 4.0 client, an "Acting Server" must be defined
in the 5.0 sdconf.rec and put on the ACE agent/client.
PROBLEM SUMMARY: With ACE 5.0 and a multi-NIC agent/client,
the hostname (which is the primary address) MUST be on the
NIC that is used to communicate with the ACE master
when using ACE 5.0 agent/client software.
FIX-WORKAROUND -- Assign Acting Servers (preferred)
Assign Acting Servers for the FW agent/client on the ACE 5.0 master
Generate the Config File (sdconf.rec)
Copy sdconf.rec to the FW agent/client
rm /var/ace/securid or /opt/ace/data/securid
Generate the node secret via an authentication
Tested with FW1 SP4 and ACE 5.0 Server: I was able to demonstrate that
SecuRemote works when an Acting Server is assigned.
This is the preferred fix, since Checkpoint is probably not
using the ACE 5.0 libraries.
I demonstrated that the ACE 3.3.1 sdshell
and the ACE 4.0 sdshell work when the Acting Server is defined.
It also works whether the hostname is on the external or the
internal interface of the firewall.
In my 3.3.1 environment, the hostname is the external interface
and the interface used communicating with the ACE master is
the internal interface/secondary address.
This does NOT work for ACE 5.0 agent/client software.
FIX-WORKAROUND -- Move hostname to internal interface.
Associate the hostname with the interface that
is used to communicate with the ACE master.
I demonstrated that ACE authentication works with 5.0 sdshell
when the hostname is on the internal interface.
This is the only workaround that works for ACE 5.0 agent/client software.
BUT the firewall uses older libraries, so the firewall will
authenticate, repeatedly, if an Acting Server is defined.
After upgrading my ACE master (SecurID) from v 3.3.1 to 5.0,
SecuRemote authentication at the firewalls failed.
I also used /opt/ace/prog/sdshell on the firewall to
test the authentication in a simpler (non-firewall) environment
and to generate the node secret.
The problem is that ACE 5.0 sdshell works ONCE to generate
the node secret, but fails on the second or later use,
because the node secret is not correct.
08/29/2001 22:58:38U --------/diamond2 ---->/
08/29/2001 17:58:38L Node verification failed t-hedron.adc.com
greg
_______________________________________________________________
Greg Polanski
ADC Telecommunications, Inc. 952.917.0548
MS 36 952.917.0651 FAX
PO Box 1101 612.309.4493 cell/pager
Minneapolis, MN 55440-1101
_______________________________________________________________
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
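The two workarounds in the post (reinstall sdconf.rec and clear the stale node secret so it is regenerated on the next authentication; put the hostname on the interface that talks to the ACE master) as an added shell example. This is not code from the post or from RSA/Checkpoint; the data-directory paths (/var/ace or /opt/ace/data), the node-secret file name "securid" and the sdshell location are taken from the post, and the install_sdconf, hostname_matches_route and check_live function names are hypothetical. The node-secret reset refuses to run if the new sdconf.rec is not there, so a typo cannot leave the agent with neither a config file nor a node secret, and check_live compares the address the hostname resolves to with the source address the kernel picks for the route to the master, which is the mismatch the post says breaks the 5.0 agent.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and file names follow the
# post: ACE data dir is /var/ace or /opt/ace/data, node secret is "securid",
# sdshell is /opt/ace/prog/sdshell. Function names are hypothetical.

# Print the node-secret path if one exists under the given data dir.
find_node_secret() {
    dir="$1"
    [ -f "$dir/securid" ] && printf '%s\n' "$dir/securid"
}

# Install a freshly generated sdconf.rec and remove the stale node secret so
# the agent regenerates it on the next successful authentication (as the post
# describes with sdshell). Fails before touching anything if the new
# sdconf.rec or the data dir is missing.
install_sdconf() {
    src="$1"; dir="$2"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    [ -d "$dir" ] || { echo "no data dir $dir" >&2; return 1; }
    cp "$src" "$dir/sdconf.rec" || return 1
    # The old node secret no longer matches the upgraded master; drop it.
    rm -f "$dir/securid"
    return 0
}

# True when the address the hostname resolves to ($1) is the source address
# used to reach the ACE master ($2): the condition the post requires for the
# 5.0 agent/client on a multi-NIC host.
hostname_matches_route() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Live wrapper (needs a real network; not exercised by the test below):
# resolve the hostname and ask the kernel which source address it would use
# toward the master, then compare.
check_live() {
    master="$1"
    hn_addr=$(getent hosts "$(hostname)" | awk '{print $1; exit}')
    src_addr=$(ip -o route get "$master" 2>/dev/null | sed -n 's/.* src \([^ ]*\).*/\1/p')
    if hostname_matches_route "$hn_addr" "$src_addr"; then
        echo "OK: hostname address $hn_addr is the interface used to reach $master"
    else
        echo "MISMATCH: hostname=$hn_addr route-src=$src_addr (5.0 agent node verification will fail)"
        return 1
    fi
}

# Typical use on the firewall, per the post:
#   install_sdconf /tmp/sdconf.rec /var/ace && /opt/ace/prog/sdshell
#   check_live <ace-master-address>
```

Run install_sdconf once per agent, then authenticate once with sdshell to let the agent write a new node secret; run check_live before that on a multi-NIC firewall, and if it reports MISMATCH, move the hostname to the internal interface before generating the node secret, because a secret generated on the wrong address will pass once and fail on every later use exactly as the post's log shows.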