
RE: [FW1] RE: Problems with fw-1 4.1 sp2 and Cisco ACS radius.



I have a rule in the firewall that says allusers@all_internal_networks any
http, https user_auth account

Anything else that I can check?

Thanks for your time.

-----Original Message-----
From: Jim Brown [mailto:[email protected]]
Sent: 24 January 2001 20:09
To: 'Langa Kentane'; Jim Brown
Cc: Firewall-1 Mailing List (E-mail)
Subject: RE: [FW1] RE: Problems with fw-1 4.1 sp2 and Cisco ACS radius.



The *generic user needs to belong to a group that is enabled by a rule.

-----Original Message-----
From: Langa Kentane [mailto:[email protected]]
Sent: Wednesday, January 24, 2001 7:36 AM
To: 'Jim Brown'
Cc: Firewall-1 Mailing List (E-mail)
Subject: [FW1] RE: Problems with fw-1 4.1 sp2 and Cisco ACS radius.



There is a generic user on the firewall... I did not know this... thanks.

No expiry date
Nothing under belongs to groups
Authentication: Radius server
Location: src any dest any
time: 24/7
encryption: fwz

I also double checked the radius server properties and host points to the
right host
service: radius udp
priority one
double checked the shared secret
and version 2.0 compat.

Your help is much appreciated.  What can I check next?

-----Original Message-----
From: Jim Brown [mailto:[email protected]]
Sent: 24 January 2001 16:27
To: 'Langa Kentane'
Subject: RE: Problems with fw-1 4.1 sp2 and Cisco ACS radius.



In order to pass through authentication to the NT domain via the ACS box you
must create a group on the firewall with at least one user. The *generic
user.

Have you done this?

I am using a similar setup with Cisco ACS and pass through authentication to
an NT domain.

-----Original Message-----
From: Langa Kentane [mailto:[email protected]]
Sent: Tuesday, January 23, 2001 11:36 PM
To: 'Jim Brown'
Cc: Firewall-1 Mailing List (E-mail)
Subject: RE: [FW1] Problems with fw-1 4.1 sp2 and Cisco ACS radius.


My ACS box authenticates users from its NT Domain database.  There are no
users created on the firewall and no users created on the ACS box, just
users on the NT Domain.

Thanks.  I hope this provides you with enough information to be able to
help me.

Regards

-----Original Message-----
From: Jim Brown [mailto:[email protected]]
Sent: 23 January 2001 17:03
To: 'Langa Kentane'
Subject: RE: [FW1] Problems with fw-1 4.1 sp2 and Cisco ACS radius.


Are you using the *generic account? I have experienced problems if I have
the user defined elsewhere and wanted them authenticated using the *generic
account for Internet access.

If this is the case please let me know and I will explain in greater detail.

-----Original Message-----
From: Langa Kentane [mailto:[email protected]]
Sent: Tuesday, January 23, 2001 2:53 AM
To: 'Jim Brown'
Cc: Firewall-1 Mailing List (E-mail)
Subject: RE: [FW1] Problems with fw-1 4.1 sp2 and Cisco ACS radius.



No failed attempt entries on the ACS logs.

-----Original Message-----
From: Jim Brown [mailto:[email protected]]
Sent: 22 January 2001 16:28
To: 'Langa Kentane'; Firewall-1 Mailing List (E-mail)
Subject: RE: [FW1] Problems with fw-1 4.1 sp2 and Cisco ACS radius.


Are there any entries in the failed attempts log on the ACS server?

-----Original Message-----
From: Langa Kentane [mailto:[email protected]]
Sent: Monday, January 22, 2001 3:20 AM
To: Firewall-1 Mailing List (E-mail)
Subject: [FW1] Problems with fw-1 4.1 sp2 and Cisco ACS radius.



Greetings.
I am having a problem with our user/client auth.
Every time someone tries to connect to the internet, they get the auth window
and it says radius not responding.  You then enter your username and
password, bring back the window, after the third time, it gives you:

Error 401
FW-1 at Primary: Unauthorized to access the document.

Authorization is needed for FW-1.

The authentication required by FW-1 for langa1 is: RADIUS.

Reason for failure of last attempt: RADIUS servers not responding 

I have tested the radius server with NTRadping and it responds all the time.
I checked the secret key between the firewall and the radius server, it's
correct.  The config on the radius server has not changed since the first
time the stuff was installed.  The only new software we installed on the ACS
box was SecureID stuff.  I don't think that is the problem either because
after having problems, I put a backup box in place of the ACS box, exact
same config, but without the SecureID.  The same problem occurs, which leaves
me with one option only, it must be the firewall.  We recently upgraded from
an IP330 to an IP440 3 weeks ago.  I have not noticed whether the problem
started after that or before that.

Please help.   I have tried everything that I know, I am totally baffled by
this problem.  Lack of experience maybe?

Thanks in advance.

__________________________________________________________
Langa Kentane          | TEL:
Security Administrator | Cell:
DISCOVERY HEALTH       | http://www.discoveryhealth.co.za
__________________________________________________________
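An added example, not part of this thread and not code from Check Point or Cisco: it builds a RADIUS Access-Request (RFC 2865) the way a test client such as NTRadping would, and checks a reply's Response Authenticator against the shared secret. A reply that fails that check is discarded as if it never arrived, so a secret mismatch on either side shows up at the client as a timeout rather than a reject, which is why "RADIUS servers not responding" is worth reading as "no reply I could validate". The secret, user name and password below are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype, value):
    # Attribute TLV: type, total length including this 2-byte header, value
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_password(password, secret, req_auth):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR the first block with
    # MD5(secret + Request Authenticator), later blocks with MD5(secret + previous cipher block)
    padded = password + b"\x00" * ((-len(password) % 16) if password else 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(ident, username, password, secret, req_auth=None):
    # Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes
    req_auth = req_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def response_authenticator(code, ident, attrs, req_auth, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()


def build_response(code, ident, req_auth, secret, attrs=b""):
    # What the RADIUS server sends back; used here to stand in for the ACS box offline
    auth = response_authenticator(code, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet, req_auth, secret):
    # Client-side check: returns the reply code, or None if the packet must be discarded
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None  # truncated or malformed
    code, ident, attrs = packet[0], packet[1], packet[20:]
    if packet[4:20] != response_authenticator(code, ident, attrs, req_auth, secret):
        return None  # bad authenticator: silently dropped, client later times out
    return code
```

Run verify_response on a capture of the reply the firewall receives, with the secret configured on the firewall side, to separate "no packet came back" from "a packet came back that the client had to throw away".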



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================




