Re: [FW1] ACE/Checkpoint-VPN authentication problems
Mick:

When you added the FWs as clients on your SecurID server, did you remember to add the Secondary nodes as well? Basically what I did is to add the FQDN for the external interface and then all of the other physical IPs for the FW as secondary nodes, and that did the trick.

You can also perform a sniffer trace on the subnet that your SecurID server is on and see what IP address the auth. request is coming from off your FW (as well as a trace on the FW side to see the traffic leaving the FW).

Also, when you pull up the FW client in SecurID, is the "Sent Node Secret" box checked? If it is, uncheck it and then attempt to authenticate to the firewall again. If everything worked like it should, when you now go back to the SecurID DB and check the FW client you should see that the "Sent Node Secret" box is once again checked. Your users should also be able to authenticate to the FW.

Hope that this helps. If not, re-post or send email directly to me and I'll see what I can remember. Good luck.

[email protected] on 01/31/2001 09:05:20 AM
To: [email protected]
cc: (bcc: James E Clukey/Rush/RSH)
Subject: [FW1] ACE/Checkpoint-VPN authentication problems

I have an ACE/Server 4.1 on NT 4 (SP6a) attaching to the Internal Port of a Nokia IP330 Firewall (Checkpoint-1 v4.1 sp2). The ACE/Server has been set up correctly according to RSA and other documents I have gleaned from the web. The sdconf.rec file has been placed in the /var/ace directory on the Firewall and both the ACE/Server and the Firewall are set up as clients. Address Resolution has been set up and tested in both directions.

On the external port of the Firewall we have set up a Windows 2000 laptop using Checkpoint VPN-1 (v4.4 build 4166). Each login attempt gives the message "Access Denied". The error log on the ACE/Server shows "PASSCODE INCORRECT". The Firewall Log shows "Access denied - reason Client Encryption". Encryption is DES between the servers. User encryption uses FWZ.

User authentication in the firewall is set to SecurID, User Encryption is FWZ with both options set to "Any". There are only two rules in the Firewall:

1. Source: SecureIDuser@any, Destination: Any, Service: Authenticated, Action: User Authentication.
2. Source: Any, Destination: Any, Service: Any, Action: Accept

For some reason the Node secret (Securid file) is either not sent to or not accepted by the Firewall. If an NT based Firewall replaces the Nokia everything works perfectly.

Anyone out there with the same problem, or even better, a solution?

Mick

================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================
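An added diagnostic script for the firewall side of the setup discussed in this thread (not code from either poster): it checks whether sdconf.rec and the node secret are present in /var/ace, lists the local IPv4 addresses that would need to be registered on the ACE/Server as the client or secondary nodes, and prints a capture filter for watching the request leave. It assumes the node secret is stored as the file "securid" in the agent directory, that SecurID traffic uses UDP port 5500, and that either `ip` or `ifconfig` is available; the ace_check.sh file name is a hypothetical one.

```shell
#!/bin/sh
# Added example, not from the mailing-list posting.
# Assumptions: agent directory /var/ace (as in the post); the ACE/Server
# writes the node secret to a file named "securid" there once the first
# authentication succeeds; SecurID auth traffic uses UDP port 5500.

ACE_DIR="${ACE_DIR:-/var/ace}"
ACE_PORT=5500

# ace_agent_status DIR
# Exit status: 0 = sdconf.rec and node secret present
#              1 = sdconf.rec missing (agent cannot locate the ACE/Server)
#              2 = sdconf.rec present but no node secret yet, i.e. the
#                  first authentication never completed ("Sent Node
#                  Secret" should be unchecked on the server for this client)
ace_agent_status() {
    dir="$1"
    if [ ! -f "$dir/sdconf.rec" ]; then
        echo "missing $dir/sdconf.rec"
        return 1
    fi
    if [ ! -s "$dir/securid" ]; then
        echo "no node secret in $dir (first authentication never succeeded)"
        return 2
    fi
    echo "sdconf.rec and node secret present in $dir"
    return 0
}

# local_ipv4_addrs
# Prints every IPv4 address on this host, one per line. Each address the
# auth request might leave from must be registered on the ACE/Server as
# the client or as a secondary node, otherwise the server rejects it.
local_ipv4_addrs() {
    if command -v ip >/dev/null 2>&1; then
        ip -o -4 addr show | awk '{ sub("/.*", "", $4); print $4 }'
    else
        ifconfig -a | awk '/inet / { sub("addr:", "", $2); print $2 }'
    fi
}

# When run as a script (hypothetical file name ace_check.sh): report the
# file state, the addresses to register, and the tcpdump filter to use.
if [ "${0##*/}" = "ace_check.sh" ]; then
    ace_agent_status "$ACE_DIR"
    echo "addresses to register on the ACE/Server:"
    local_ipv4_addrs
    echo "capture with: tcpdump -n udp port $ACE_PORT"
fi
```

Run the capture on both the firewall and the ACE/Server subnet, as the reply suggests, and compare the source address you see with the list of registered nodes.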