RE: [FW1] securid and the FW 4.0 sp1
> > > Things to check when getting a new firewall to talk to your
> > > existing ACE server:
> > >
> > > 1) Make sure that the ace server config has your firewall listed,
> > > and has the "sent node secret" checkbox cleared. This will enable
> > > the two to exchange node secrets initially and allow further
> > > communication. Note that if you do this, clients will be put into
> > > "new pin mode" so if they have defined a pin number already, they
> > > will be asked to define a new one.
Yep. It is actually greyed out in the edit client section of the ACE
server. Though the fw doc says to set the ACE server client definition for
the fw to be Unix, I tried all the other options. Yes, I am desperate.
> > > 2) Ensure that the token is "enabled" on the server. No offence, but
> > > you'd be surprised how much this actually crops up... =) (It's the
> > > old "Is it plugged in? Is it switched on" cliche.)
That was the first thing I checked. I also checked to verify that the token I
am using is not locked out. I have had the token card locked out several
times now. The token user is also allowed access from the client
(the fw).
> > >
> > > 3) You may need to "synchronise" the token with the ACE server. The
> > > clock in the token needs to match the one on the server to within a
> > > few seconds, so synchronise the token on the server with the number
> > > displayed on the token - you may have to enter two codes displayed
> > > by the token for this process to work.
I thought this might be the silver bullet. The time was out of sync from
the ACE server by about 2 minutes. I synced up the fw to the ACE server
time stamp and tried, with the same results. As a point of interest, I checked
another FW I have (fw4 sp3). The NT unit has the standard PC clock and
is off by approx 6.5 minutes. I am able to authenticate from the NT fw.
I also checked the time zone. The Solaris FW is set to PST and the ACE server
is also set to PST. I tried setting the time zone on the Solaris box to
local time and ran through the login. Again access denied by ....
> > > 4) You've already said you snooped and saw the ACE/firewall
> > > conversation, but this is worth mentioning. Make sure you've created a
> > > "generic*" user on your firewall with authentication set to "securID". If
> > > this isn't done, you'd need to create user IDs on the firewall for
> > > every securid user, and we don't wanna do that now do we?
I have the generic* user created. I also tried creating a user with the same
user name as the SecurID username with authentication set to
securid. Again the same results.
> > >
> > > Hopefully this will help you out.
> > >
> > > regards,
> > >
> > > Scott.
> > >
> > > > -----Original Message-----
> > > > From: Michael Seaman [SMTP:mjs@cncdsl.com]
> > > > Sent: Wednesday, September 08, 1999 10:36 PM
> > > > To: fw-1-mailinglist@lists.us.checkpoint.com
> > > > Subject: [FW1] securid and the fw
> > > >
> > > >
> > > > *** Warning : this message originates from the Internet ****
> > > >
> > > >
> > > > All,
> > > >
> > > > I have a Solaris 2.6 SPARC 4.0 sp1 firewall, qfe etc... I have an ACE
> > > > server. I have two other fw (also Checkpoint 4.0sp3 NT sp4) that are
> > > > currently very happy to authenticate with the ACE server. I set up the
> > > > Solaris fw as per the SecurID notes... move the sdconf.rec file to
> > > > /var/ace.
> > > >
> > > > The problem: When I telnet to port 259 on the Solaris box and try out my
> > > > token card I get an "access denied for user gooduser by securid". When I
> > > > take the token to another firewall and try gooduser out, it works
> > > > fine. Yes, gooduser is a member of the client that is the Solaris fw.
> > > >
> > > > I did a snoop on the segment where the ACE server is and I see a
> > > > conversation take place. According to the SecurID logs, gooduser is
> > > > giving a bad pw for the Solaris unit.
> > > >
> > > > Does anybody have any thoughts?
> > > >
--------------------------------------------------------------------------------
Michael Seaman          Bankserv
Network Manager         222 Kearny #414
415.217.4518 vm         San Francisco
415.907.3032 pg         Alpha Page = 4159073032@page.metrocall.com
--------------------------------------------------------------------------------
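Item 3 of the checklist above hinges on the token's clock agreeing with the ACE server's clock within the server's tolerance window. The Python below is an example added to this thread, not code from the original posters, Check Point or RSA: it models that mechanism with a generic HMAC time-step one-time code (the RFC 6238 construction, not RSA's proprietary SecurID algorithm) so the effect of clock skew can be tried offline. The seed, the 60-second step and the one-step drift allowance are constructed values. In this model only the skew between the token's clock and the server's clock enters the check; the clock of the host that forwards the code does not appear in the computation at all.

```python
import hashlib
import hmac
import struct

# Constructed parameters for the model (not RSA SecurID's real values).
STEP_SECONDS = 60                        # one code per 60-second time step
DRIFT_STEPS = 1                          # server accepts codes from +/- this many steps
SEED = b"constructed-token-seed-0001"    # shared secret between token and server


def time_step(unix_time: int, step: int = STEP_SECONDS) -> int:
    """Map a clock reading to its time-step counter."""
    return unix_time // step


def otp_code(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 time-step code with dynamic truncation (RFC 6238 style)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_display(seed: bytes, token_clock: int) -> str:
    """What the token shows, computed from the token's own clock."""
    return otp_code(seed, time_step(token_clock))


def server_accepts(seed: bytes, submitted: str, server_clock: int,
                   drift_steps: int = DRIFT_STEPS) -> bool:
    """Server-side check: accept if the code matches any step inside the
    drift window. compare_digest keeps each comparison constant-time."""
    base = time_step(server_clock)
    return any(
        hmac.compare_digest(otp_code(seed, base + delta), submitted)
        for delta in range(-drift_steps, drift_steps + 1)
    )


def login_with_skew(server_clock: int, token_skew_seconds: int,
                    drift_steps: int = DRIFT_STEPS) -> bool:
    """Simulate a login where the token's clock is off from the server's
    clock by token_skew_seconds. Only token-vs-server skew matters here."""
    shown = token_display(SEED, server_clock + token_skew_seconds)
    return server_accepts(SEED, shown, server_clock, drift_steps)


if __name__ == "__main__":
    # Constructed server clock, aligned to a minute boundary for readability
    # (roughly the date of this thread).
    now = 936858960
    for skew in (0, 30, 120, 390):
        print(f"token skew {skew:4d}s -> accepted: {login_with_skew(now, skew)}")
```

With the constructed one-step window, a token running 30 seconds or one full step fast or slow is still accepted, while skews of 2 minutes or 6.5 minutes are rejected; widening `drift_steps` to 2 makes the 2-minute case pass again, which is the trade-off a server-side tolerance setting represents.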
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================