
RE: [FW1] Firewall-1 4.0 and Implicit Authentication




Thank you so much for all your help so far, but I am still nowhere!!!
Any way I implement it, using the UserAuth or the SessionAuth, it still asks me
for UserName/Password every single time!!!
One step back!

1.  I followed the article "Implicit Client Auth (Session Auth for HTTP is
Slow)" step by step and have performed the following:

   a.)  Added the line:   ":automatically_open_ca_rules (true)" to OBJECTS.C
right after the ":props" line. (However, there is another line right down in
the middle of the :props section that says ":automatically_open_ca_rules
(false)". So am I supposed to remove that line or leave it intact???  Well, I
have tried both!)

   b.) Stopped/Started the FW1 Service!

   c.)  Added two rules to the security policy:
     AllUsers@InternalNet     Any     HTTP/FTP/TELNET     ClientAuth
     AllUsers@InternalNet     Any     HTTP/FTP/TELNET     UserAuth (or SessionAuth)
     (Apparently there is some confusion among different people about which
order you should place both lines in!?  I have tried both orders!)

   d.)  ClientAuth Properties:
     GENERAL: Standard/Manual/Log
     LIMITS:  Indefinite/Infinite

   e.)  Policy Authentication Properties:
     UserAuth: 800 Minutes
     ClientAuth(Enable Wait Mode): Not Checked
     Track: Alert

What else can I check for to make sure that the rest of the configuration is
working properly?  Does anything else depend on the ImplicitAuth to work,
like Security Servers?  How can I check whether they are set up correctly?

Here is my Security Servers Config:
   21     in.aftpd          wait  0
   80     in.ahttpd         wait  0
   513    in.arlogind       wait  0
   25     in.asmtpd         wait  0
   23     in.telnetd        wait  0
   259    in.aclientd       wait  259
   10081  in.lhttpd         wait  0
   900    in.ahclientd      wait  900
   0      in.pingd          respawn 0

Does that look correct?  I guess I will need some security servers if I use
UserAuth and will not need them if I use the SessionAuth.  I would much
rather use the UserAuth with the single logon and be able to use the
Resources with Services.




Once again, Thank You.  Patiently waiting . . . .



> -----Original Message-----
> From: Dameon D. Welch [mailto:dwelch@hotmail.com]
> Sent: Tuesday, April 27, 1999 8:31 PM
> To: jake.rog@ttcmail.com; FW1 Mailing List
> Subject: Re: [FW1] Firewall-1 4.0 and Implicit Authentication
>
>
>
> I have a feeling it's because your client auth properties are not set
> correctly. Check to see that the timeout is set adequately and that the
> number of connections allowed is "infinite" (or a really high number).
>
> -- PhoneBoy
>
> > Thank you. I have tried to reverse the order:
> >
> > All@any     any     http     ClientAuth   Long     GW
> > All@any     any     http     UserAuth     Long     GW
> >
> > No luck, the client is still being asked to authenticate on every request,
> > just like the ClientAuth Rule is NOT working?  I have also tried the
> > ImplicitAuth with SessionAuth with the same result. Back in the same court.
> > What else I can check for?
