Re: [FW1] securid and the FW 4.0 sp1
Hi!
I had the same problem with Firewall-1 on NT. I solved it just one minute ago.
First I used the primary IP-address of the firewall for the ACE/Client. I defined all the other interfaces as secondary nodes.
When I tried to authenticate I got these well known messages of wrong user password or passcode.
Then I used the IP-address of the interface attached to the network with my ACE-Server for the ACE-Client and defined the other addresses as secondary nodes. And that worked!
I still don't understand this. Perhaps someone can explain it to me. Why should I define secondary nodes?
______________________________________________________________________
Michael Simon
Siemens AG
ICN VD SV West HG SI
Tel: +49 201 2661 514
Fax: +49 201 2661 515
new e-mail address: michael.simon2@esn.siemens.de
PGP-Fingerprint: F3C8 88F2 13E6 A245 B9C8 3B15 E172 AAB5 44CE 01F1
> -----Original Message-----
> From: Dan Lundien [SMTP:lundien@nlm.nih.gov]
> Sent: Thursday, 9 September 1999 19:54
> To: fw-1-mailinglist@lists.us.checkpoint.com; mjs@cncdsl.com
> Subject: RE: [FW1] securid and the FW 4.0 sp1
>
>
> One thing you can try is to go to the firewall and remove (or rename)
> the SECURID file in /var/ace. Then goto the securid server and edit
> the firewall client entry and uncheck the secret sent box. Then try
> and authenticate from the firewall. This should cause a new secret to
> be sent.
>
> Dan Lundien
> Sr. System Administrator
> appnet, inc.
>
>
>
> > From fw-1-mailinglist-owner@lists.us.checkpoint.com Thu Sep 9 12:43 EDT 1999
> > X-Sender: mjs@pop3.cncdsl.com
> > Date: Thu, 09 Sep 1999 09:34:25 -0700
> > To: fw-1-mailinglist@lists.us.checkpoint.com
> > From: Michael Seaman <mjs@cncdsl.com>
> > Subject: RE: [FW1] securid and the FW 4.0 sp1
> > Mime-Version: 1.0
> >
> >
> >
> > > > > Things to check when getting a new firewall to talk to your
> > > > > existing ACE server:
> > > > >
> > > > > 1) Make sure that the ace server config has your firewall listed,
> > > > > and has the "sent node secret" checkbox cleared. This will enable
> > > > > the two to exchange node secrets initially and allow further
> > > > > communication. Note that if you do this, clients will be put into
> > > > > "new pin mode" so if they have defined a pin number already, they
> > > > > will be asked to define a new one.
> > Yep. It is actually greyed out in the edit client section of the ace
> > server. Though the fw doc says to set the ace server client definition for
> > the fw to be unix I tried all the other options. Yes I am desperate.
> >
> > > > > 2) Ensure that the token is "enabled" on the server. No offence, but
> > > > > you'd be surprised how much this actually crops up... =) (It's the
> > > > > old "Is it plugged in? Is it switched on" cliche.)
> >
> > That was the first thing I checked. I also checked to verify that the token I
> > am using is not locked out. I have had the token card locked out several
> > times now. The token user is also allowed access from the client
> > (the fw).
> >
> >
> > > > >
> > > > > 3) You may need to "synchronise" the token with the ACE server. The
> > > > > clock in the token needs to match the one on the server to within a
> > > > > few seconds, so synchronise the token on the server with the number
> > > > > displayed on the token - you may have to enter two codes displayed
> > > > > by the token for this process to work.
> > I thought this might be the silver bullet. The time was out of sync from
> > the ace server by about 2 minutes. I synced up the fw to the ace server
> > time stamp and tried with the same results. As a point of interest I checked
> > another FW I have (fw4 sp3). The nt unit has the standard pc clock and
> > is off by approx 6.5 minutes. I am able to authenticate from the nt fw.
> >
> > I checked the time zone. The Solaris FW is set to pst and the ace server
> > is also set to pst. I tried setting the time zone on the solaris box to
> > local time and ran through the login. Again access denied by ....
> >
> >
> > > > > 4) You've already said you snooped and saw the ACE/firewall
> > > conversation, but this is worth mentioning. Make sure you've created a
> > > "generic*" user on your firewall with authentication set to "securID". If
> > > this isn't done, you'd need to create user id's on the firewall for
> > > every securid user, and we don't wanna do that now do we?
> >
> > I have generic* user created. I also tried creating a user with the same
> > user name as the securid username with authentication set to
> > securid. Again the same results.
> >
> > > > >
> > > > > Hopefully this will help you out.
> > > > >
> > > > > regards,
> > > > >
> > > > > Scott.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Michael Seaman [SMTP:mjs@cncdsl.com]
> > > > > > Sent: Wednesday, September 08, 1999 10:36 PM
> > > > > > To: fw-1-mailinglist@lists.us.checkpoint.com
> > > > > > Subject: [FW1] securid and the fw
> > > > > >
> > > > > >
> > > > > > *** Warning : this message originates from the Internet ****
> > > > > >
> > > > > >
> > > > > > All,
> > > > > >
> > > > > > I have a solaris 2.6 sparc 4.0 sp1 firewall, qfe etc...I have an ace
> > > > > > server. I have two other fw (also checkpoint 4.0sp3 nt sp4) that are
> > > > > > currently very happy to authenticate with the ace server. I set up the
> > > > > > solaris fw as per the securid notes...move the sdconf.rec file to
> > > > > > /var/ace.
> > > > > >
> > > > > > The problem: When I telnet to port 259 on the solaris box and try out my
> > > > > > token card I get an "access denied for user gooduser by securid". When I
> > > > > > take the token to another firewall and try gooduser out it works
> > > > > > fine. Yes gooduser is a member of the client that is the solaris fw.
> > > > > >
> > > > > > I did a snoop on the segment where the ace server is and I see a
> > > > > > conversation take place. According to the securid logs the gooduser is
> > > > > > giving a bad pw for the solaris unit.
> > > > > >
> > > > > > Does anybody have any thoughts?
> > > > > >
> >
> > ----------------------------------------------------------------------------
> > ----------------------------------------------------
> > Michael Seaman Bankserv
> > Network Manager 222 Kearny #414
> > 415.217.4518 vm San Francisco
> > 415.907.3032 pg Alpha Page =4159073032@page.metrocall.com
> > ----------------------------------------------------------------------------
> > ----------------------------------------------------
> >
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> >
>
>
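The fix that closed this thread was registering the ACE/Agent client under the address of the interface that faces the ACE server rather than the firewall's "primary" address. The script below is an added example, not code from the thread or from Check Point or RSA, that makes the underlying check explicit for a multi-homed host: work out which interface (and so which source address) a request to the ACE server will leave from, then compare that address with the primary and secondary node addresses registered for the client. It assumes, as the thread's outcome suggests, that the server matches the UDP source address of the request against the client's registered primary node; the interface names, addresses and the port number 5500 are assumed, constructed values for illustration (confirm the port in your own sdconf.rec).

```python
"""Which address will the ACE server see from a multi-homed ACE/Agent host?

Added example, not from the original thread. Assumption (drawn from the thread's
resolution): the ACE server checks the UDP source address of an authentication
request against the address registered as the client's primary node; in the
thread, registering that address only as a secondary node was not enough.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AgentConfig:
    """Addresses registered for this client on the ACE server."""
    primary: str                                      # primary node address
    secondaries: List[str] = field(default_factory=list)  # secondary node addresses


@dataclass
class Diagnosis:
    ok: bool
    source_ip: str
    reason: str


def interface_facing(server_ip: str, interfaces: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Pick the directly connected interface whose subnet contains the server.

    `interfaces` maps interface name -> "address/prefix". Longest prefix wins.
    Returns (name, address) or None when the server is only reachable via a
    gateway, in which case the routing table decides (see source_address_for).
    """
    server = ipaddress.ip_address(server_ip)
    best = None
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if server in iface.network:
            if best is None or iface.network.prefixlen > best[2]:
                best = (name, str(iface.ip), iface.network.prefixlen)
    return None if best is None else (best[0], best[1])


def source_address_for(server_ip: str, port: int = 5500) -> str:
    """Live probe: ask the kernel which local address a datagram to the server uses.

    connect() on a UDP socket sends nothing; it only fixes the route, so
    getsockname() reveals the source address. Port 5500/udp is assumed to be the
    ACE authentication port here; the real value lives in sdconf.rec.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((server_ip, port))
        return s.getsockname()[0]


def diagnose(source_ip: str, cfg: AgentConfig) -> Diagnosis:
    """Compare the address the server will see with the registered node addresses."""
    src = ipaddress.ip_address(source_ip)
    if src == ipaddress.ip_address(cfg.primary):
        return Diagnosis(True, source_ip, "source address is the registered primary node")
    if src in {ipaddress.ip_address(a) for a in cfg.secondaries}:
        return Diagnosis(False, source_ip,
                         f"{source_ip} is registered only as a secondary node; the primary is "
                         f"{cfg.primary}. Re-register the client with the interface facing the "
                         "ACE server as its primary address (what resolved the thread).")
    return Diagnosis(False, source_ip,
                     f"{source_ip} is not registered for this client at all")


if __name__ == "__main__":
    # Constructed example mirroring the thread: firewall registered under its
    # outside address, ACE server sitting on an inside segment.
    ifaces = {"hme0": "192.0.2.1/24", "qfe0": "10.1.1.1/24", "qfe1": "172.16.5.1/24"}
    cfg = AgentConfig(primary="192.0.2.1", secondaries=["10.1.1.1", "172.16.5.1"])
    ace_server = "10.1.1.50"
    facing = interface_facing(ace_server, ifaces)
    src = facing[1] if facing else source_address_for(ace_server)
    print(facing, diagnose(src, cfg))
```

Run it on the firewall itself so the kernel's routing table, not a guess, decides the source address when the ACE server is behind a gateway; a `Diagnosis` with `ok=False` and a "secondary node" reason is exactly the configuration the thread started with.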