Firewall-1

[FW-1] RADIUS not working for admins but is working for SecuRemote

Subject: [FW-1] RADIUS not working for admins but is working for SecuRemote
From: SO-Checkpoint-L <Checkpoint-L AT COMMNET DOT EDU>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 31 Mar 2004 13:51:08 -0500
We've been using Steel-belted RADIUS for authenticating SecuRemote users with 
no problems. We decided to create a FW admin using the SmartDashboard user 
interface instead of having the person defined in cpconfig (using username and 
password). Firewall version is NGAI R54.

I created the NAS client on the Steel-belted side and the requests are going 
fine to the RADIUS server, but the RADIUS server is rejecting the 
authentication with "unable to find user with matching password".

What's odd is, the same user can authenticate fine through SecuRemote using the 
same RADIUS server. The only difference is, instead of the RADIUS request 
coming from the FW modules, it's coming from the management station.

It's almost like the management station is not using the correct shared secret.
When I change the shared secret on the Steel-belted side for the FW management
client, I get the same error. But as far as I can see, in the FW GUI, there is
only 1 shared secret to put in - whether it's my SecuRemote clients using it or
the FW management stations using it. So it can't be wrong! I verified the
shared secret is the same for my FW module and my FW management server.

I even tried to eliminate authenticating to our remote NT groups and created a
local Steel-belted user that exactly matches (case-wise) the user I defined in
the FW GUI. Same error - cannot authenticate.

Does anyone have a similar setup where both FW admins and SecuRemote users are
using the same RADIUS server? Anything else I need to define for the profile on
the Steel-belted side? I tried playing with a couple of service-type settings
to no avail. Full logging on the Steel-belted side shows no indication of what the
problem is.

Thanks,
Karen
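
Added example, not part of the original post and not Check Point or Steel-Belted Radius code: the User-Password hiding from RFC 2865 section 5.2, showing why a RADIUS server that receives a PAP request built with a different shared secret reports a password mismatch rather than a distinct "wrong secret" error. All secrets, the password, the authenticator and the function names are constructed for illustration.

```python
import hashlib
import hmac

def _md5(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client (NAS) side: obscure User-Password as in RFC 2865 section 5.2."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        hidden += block
        prev = block  # next keystream block chains on the previous hidden block
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the secret configured for this client."""
    if len(authenticator) != 16 or len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("malformed authenticator or User-Password attribute")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")

def server_verdict(hidden: bytes, authenticator: bytes,
                   secret_on_server: bytes, stored_password: bytes) -> str:
    """Without a Message-Authenticator attribute the server has no integrity
    check on the request, so a wrong secret only shows up as garbage bytes
    that fail the password comparison."""
    got = recover_password(hidden, secret_on_server, authenticator)
    ok = hmac.compare_digest(got, stored_password)
    return "accept" if ok else "reject: password mismatch"

if __name__ == "__main__":
    # Constructed sample values; a real Request Authenticator is random.
    authenticator = bytes(range(16))
    password = b"Example-Passw0rd-longer-than-16"
    server_secret = b"secret-configured-on-server"
    senders = [("client with matching secret", server_secret),
               ("client with different secret", b"some-other-secret")]
    for sender, secret in senders:
        hidden = hide_password(password, secret, authenticator)
        print(sender, "->", server_verdict(hidden, authenticator, server_secret, password))
```
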
