I have had good luck with IAS and Check Point. There is also support
for groups, although I have not tried the following...
Groups of RADIUS Users

To create policy rules for groups of users which are
not defined on the SmartCenter Server but are defined on a RADIUS server
(including any RADIUS-compliant server like SecurId ACE/Server), proceed as
follows:
1) Enable the feature by changing the value of the attribute
add_radius_groups to true. This attribute is located under the
firewall_properties object in the properties table.
2) Make sure that for each RADIUS server user has a profile that contains
the attribute "Class" (or "Filter-Id" or any other RFC reply string
attribute). The value of the attribute is the group which the user belongs
to. In order to change "Class" to another attribute, modify the value of the
firewall_properties attribute radius_groups_attr.
3) In the SmartDashboard, create a user group with the name "RAD_<group
which the RADIUS users belong to>". The group may be empty.
4) Define a generic* user that uses this server for RADIUS authentication.
Pedro Boavida wrote:
> Hi,
>
> Is there a workaround for authentication with radius/nt domain groups,
> since it's not currently functional?
>
> TIA,
>
> Pedro Boavida
Mailing list for discussion of Firewall-1 wrote:
> I had the same situation at a customer's, so we installed Internet
> Authentication Service on a Win2k server that has access to the
> Domain accounts - and then used the generic* user...
>
> it doesn't work very well though..