RE: [FW1] securid and the
If the ACE server says that the passcode was incorrect, then as far as it is concerned, that is indeed the case. You might want to check that the seed that you applied for that token is in fact the one relating to the token in question. Other than that it's more than likely down to a synchronisation issue, or a software version issue. The fact that you are getting a successful conversation between the two implies that you have a DES license for your firewall since as far as I know, a production ACE server requires DES to interact with a firewall.

The only other thing I can think of, is that perhaps the clocks on the ACE server and the token are slipping out of sync. Are you using NTP to keep the ACE server synchronised? I have to admit, I don't actually know if the firewall time sync could be an issue in this case (I have a feeling that if you're using a "generic*" user to pass the SecurID connection straight through to the ACE server, then the firewall has very little to do with it), but you might want to make sure that both your ACE server and firewall are NTP synchronised.

Having said all this, following the old "what did you change?" method of troubleshooting, I'd check the release notes for both the version of firewall you're using, and the version of ACE server to make sure that there are no incompatibilities. I seem to remember something about particular versions of ACE having problems with certain versions of FW-1. It's worth checking.
Sorry I couldn't give you a silver-bullet solution.
Scott.
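As an added illustration (not part of the thread), the following Python model shows the clock-window behaviour behind the drift concern in this reply and items 2 and 3 of the checklist quoted further down: the server accepts a token code only within a narrow window around its own clock, rejects codes from a disabled token, and a two-code resync learns a drifted token's offset. The HMAC-based code generator, the 60-second step and the one-step window are assumptions standing in for the proprietary SecurID algorithm.

```python
import hmac
import hashlib

STEP = 60     # seconds per token code (assumed interval, not SecurID's real one)
WINDOW = 1    # accept codes up to +/-1 step from the server's own clock


def token_code(seed: bytes, t: int) -> str:
    """Six-digit code a token with this seed shows at token-clock time t."""
    counter = (t // STEP).to_bytes(8, "big")
    digest = hmac.new(seed, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class AceServer:
    """Per-token record: seed, learned clock offset (seconds) and enabled flag."""

    def __init__(self):
        self.tokens = {}

    def register(self, serial: str, seed: bytes, enabled: bool = True):
        self.tokens[serial] = {"seed": seed, "offset": 0, "enabled": enabled}

    def verify(self, serial: str, code: str, now: int) -> bool:
        tok = self.tokens.get(serial)
        if tok is None or not tok["enabled"]:
            return False                       # item 2: token must be enabled
        base = now + tok["offset"]             # server clock corrected for drift
        for k in range(-WINDOW, WINDOW + 1):
            if hmac.compare_digest(token_code(tok["seed"], base + k * STEP), code):
                return True
        return False                           # logged as "passcode incorrect"

    def resync(self, serial: str, code1: str, code2: str, now: int, max_steps: int = 60):
        """Item 3: from two consecutive codes, find how far the token has drifted."""
        tok = self.tokens[serial]
        for k in range(-max_steps, max_steps + 1):
            t = now + k * STEP
            if (token_code(tok["seed"], t) == code1
                    and token_code(tok["seed"], t + STEP) == code2):
                tok["offset"] = k * STEP       # remember the drift for later logins
                return tok["offset"]
        return None                            # drifted too far; token needs replacing


if __name__ == "__main__":
    seed, now = b"constructed-seed", 1_000_000   # constructed sample values
    srv = AceServer()
    srv.register("000123456", seed)
    print(srv.verify("000123456", token_code(seed, now + 300), now))   # drifted: rejected
    print(srv.resync("000123456", token_code(seed, now + 300), token_code(seed, now + 360), now))
    print(srv.verify("000123456", token_code(seed, now + 300), now))   # after resync: accepted
```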
> -----Original Message-----
> From: Steve Vazquez [SMTP:vazquez@mpi.com]
> Sent: Thursday, September 09, 1999 1:40 PM
> To: McMeekin, Scott
> Cc: 'Michael Seaman'; 'fw-1-mailinglist@lists.us.checkpoint.com'
> Subject: Re: [FW1] securid and the
>
> I don't have a solution but am just writing to say that I've had a similar problem where the securid worked but after a service pack upgrade and some time securid on one of the firewalls stopped working. The logs on the securid server say that the password is incorrect. However if I go to a different machine and try the same token and PIN it works. Node secret, enabled, synchronized all done. If anyone has other suggestions that would be appreciated.
>
> "McMeekin, Scott" wrote:
>
> > Things to check when getting a new firewall to talk to your
> > existing ACE server:
> >
> > 1) Make sure that the ace server config has your firewall listed,
> > and has the "sent node secret" checkbox cleared. This will enable
> > the two to exchange node secrets initially and allow further
> > communication. Note that if you do this, clients will be put into
> > "new pin mode" so if they have defined a pin number already, they
> > will be asked to define a new one.
> >
> > 2) Ensure that the token is "enabled" on the server. No offence, but
> > you'd be surprised how much this actually crops up... =) (It's the
> > old "Is it plugged in? Is it switched on" cliche.)
> >
> > 3) You may need to "synchronise" the token with the ACE server. The
> > clock in the token needs to match the one on the server to within a
> > few seconds, so synchronise the token on the server with the number
> > displayed on the token - you may have to enter two codes displayed
> > by the token for this process to work.
> >
> > 4) You've already said you snooped and saw the ACE/firewall conversation,
> > but this is worth mentioning. Make sure you've created a "generic*" user
> > on your firewall with authentication set to "securID". If this isn't done,
> > you'd need to create user IDs on the firewall for every securid user, and
> > we don't wanna do that now do we?
> >
> > Hopefully this will help you out.
> >
> > regards,
> >
> > Scott.
> >
> > > -----Original Message-----
> > > From: Michael Seaman [SMTP:mjs@cncdsl.com]
> > > Sent: Wednesday, September 08, 1999 10:36 PM
> > > To: fw-1-mailinglist@lists.us.checkpoint.com
> > > Subject: [FW1] securid and the fw
> > >
> > > All,
> > >
> > > I have a solaris 2.6 sparc 4.0 sp1 firewall, qfe etc... I have an ace
> > > server. I have two other fw (also checkpoint 4.0sp3 nt sp4) that are
> > > currently very happy to authenticate with the ace server. I set up the
> > > solaris fw as per the securid notes... move the sdconf.rec file to
> > > /var/ace.
> > >
> > > The problem: When I telnet to port 259 on the solaris box and try out my
> > > token card I get an "access denied for user gooduser by securid". When I
> > > take the token to another firewall and try gooduser out it works
> > > fine. Yes gooduser is a member of the client that is the solaris fw.
> > >
> > > I did a snoop on the segment where the ace server is and I see a
> > > conversation take place. According to the securid logs the gooduser is
> > > giving a bad pw for the solaris unit.
> > >
> > > Does anybody have any thoughts?
> > >
> > >
> > > ================================================================================
> > > To unsubscribe from this mailing list, please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > ================================================================================
> > The Royal Bank of Scotland plc is registered in Scotland No 90312. Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB.
> >
> > The Royal Bank of Scotland plc is regulated by IMRO, SFA and Personal Investment Authority.
> >
> > This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer.
> >
> > 'Internet e-mails are not necessarily secure. The Royal Bank of Scotland plc does not accept responsibility for changes made to this message after it was sent.'