Re: [FW1] ACE/Checkpoint-VPN authentication problems





Mick:

     When you added the FWs as clients on your SecurID server did you remember
to add the Secondary nodes as well?

     Basically what I did was to add the FQDN for the external interface and then
all of the other physical IPs for the FW as secondary nodes, and that did the
trick.

     You can also perform a sniffer trace on the subnet your SecurID server
is on and see what IP address the auth request is coming from off your FW (as well
as a trace on the FW side to see the traffic leaving the FW).

     Also, when you pull up the FW client in SecurID, is the "Sent Node Secret"
box checked? If it is, uncheck it and then attempt to authenticate to the
firewall again. If everything worked as it should, when you go back to the
SecurID DB and check the FW client you should see that the "Sent Node Secret"
box is once again checked. Your users should also be able to authenticate to the
FW.

     Hope that this helps. If not re-post or send email directly to me and I'll
see what I can remember. Good luck.

From:    [email protected] on 01/31/2001 09:05:20 AM
To:      [email protected]
cc:      (bcc: James E Clukey/Rush/RSH)
Subject: [FW1] ACE/Checkpoint-VPN authentication problems
I have an ACE/Server 4.1 on NT 4 (SP6a) attaching to the Internal Port of a
Nokia IP330 Firewall (Checkpoint-1 v4.1 sp2).  The ACE/Server has been set up
correctly according to RSA and other documents I have gleaned from the web.  The
sdconf.rec file has been placed in the /var/ace directory on the Firewall and
both the ACE/Server and the Firewall are set up as clients.  Address Resolution
has been set up and tested in both directions.

On the external port of the Firewall we have set up a Windows 2000 laptop using
Checkpoint VPN-1 (v4.4 build 4166).  Each login attempt gives the message
"Access Denied".  The error log on the ACE/Server shows "PASSCODE INCORRECT".
The Firewall Log shows "Access denied- reason Client Encryption".

Encryption is DES between the servers.  User encryption uses FWZ.  User
authentication in the firewall is set to SecurID, User Encryption is FWZ with
both options set to "Any".  There are only two rules in the Firewall:

1.  Source:SecureIDuser@any, Destination:Any, Service:Authenticated, Action:
User Authentication.
2.  Source:Any, Destination:Any, Service:Any, Action:Accept

For some reason the Node secret (Securid file) is either not sent to or not
accepted by the Firewall.  If an NT based Firewall replaces the Nokia everything
works perfectly.

Anyone out there with the same problem, or even better, a solution?

Mick

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
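The sniffer trace suggested in the reply above, as an added example that is not part of either message in this thread: a POSIX shell script that takes tcpdump-style lines of traffic to the ACE/Server's authentication port and reports source addresses that are not registered as a client node (primary or secondary), which is the mismatch the reply says caused the node secret never to be sent. The ACE/Server address, the registered node list, the capture interface and the tcpdump output are all constructed for the example; that ACE/Server authentication uses UDP port 5500 is an assumption stated in the script, not something the thread says.

```shell
#!/bin/sh
# Added example (not from the original thread): find which source IPs send
# SecurID authentication requests to the ACE/Server and flag any that are not
# registered as a client node. A firewall with several physical interfaces may
# source the request from an address other than the one registered as the
# client, in which case the ACE/Server rejects it and never sends a node secret.
#
# Assumptions (not stated on the page): ACE/Server listens on UDP 5500 for
# authentication; every address, interface and capture line below is constructed.

ACE_SERVER="10.1.1.5"          # constructed: ACE/Server internal address
# Client node addresses registered in the SecurID database (constructed):
# the external interface plus the firewall's other physical IPs as secondary nodes.
REGISTERED_NODES="192.0.2.1 10.1.1.1"

# On the ACE/Server subnet the capture would be taken with something like:
#   tcpdump -n -i eth0 udp and dst host "$ACE_SERVER" and dst port 5500
# Constructed sample of that output; 10.1.2.1 is an interface nobody registered.
SAMPLE_CAPTURE='09:05:20.100001 IP 10.1.1.1.1024 > 10.1.1.5.5500: UDP, length 52
09:05:21.200002 IP 10.1.2.1.1025 > 10.1.1.5.5500: UDP, length 52
09:05:22.300003 IP 192.0.2.1.1026 > 10.1.1.5.5500: UDP, length 52
09:05:23.400004 IP 10.1.2.1.1027 > 10.1.1.5.5500: UDP, length 52'

# Print each distinct source IP of a request to $ACE_SERVER:5500, one per line.
# Field 3 is "src.port" and field 5 is "dst.port:" in tcpdump -n output;
# the trailing ".port" is stripped from the source before printing.
auth_sources() {
    printf '%s\n' "$1" |
    awk -v dst="$ACE_SERVER.5500:" '$5 == dst { sub(/\.[0-9]+$/, "", $3); print $3 }' |
    sort -u
}

# Print the sources from auth_sources that are not registered client nodes.
# Each address printed here needs to be added to the firewall's client entry
# (as a secondary node) or the firewall needs to source its requests elsewhere.
unregistered_sources() {
    for src in $(auth_sources "$1"); do
        found=0
        for node in $REGISTERED_NODES; do
            [ "$src" = "$node" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$src"
    done
    return 0
}

# Run against the constructed capture: prints 10.1.2.1
unregistered_sources "$SAMPLE_CAPTURE"
```

Run the real capture on the ACE/Server side and a second one on the firewall's own interfaces, as the reply suggests, then feed the ACE-side lines to `unregistered_sources`; anything it prints is an address the ACE/Server does not know, so the request is rejected before a passcode is ever checked.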