Firewall-1

Re: [FW-1] User Authentication issue

Subject: Re: [FW-1] User Authentication issue
From: Sergio Alvarez <seralvar AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 30 Jan 2007 16:34:43 -0600

Thanks Simon, I guess I was confused as I thought the authentication that
would show this behavior was Session Authentication.

I've been working with CP firewalls for quite a while but have not had much
experience with authentication configurations, as you might see.

Regards



On 1/30/07, Simon Desmeules <sdesmeules AT gosecure DOT ca> wrote:

Sergio, this is the default behavior of User Authentication and will
require an authentication for every connection. For example, if you go to
msn.com, it will prompt you for about 15 authentications because the
authentication realm is different (check out the auth header window).

Deployment of user authentication isn't normally used for INTERNET usage
because of this annoyance it causes users; client authentication is more
reasonable, however, be aware of how it authenticates.
User auth is very secure and often used for specific web servers requiring
few connections.

Regards,
Simon.

- - - -
Check out the Syngress NGX book!
http://www.syngress.com/catalog/?pid=3340
- - - -
GoSecure Inc.
407 McGill # 900
Montréal, QC H2Y 2G2
tél.:  514.287.7427 x229
fax.: 514.287.9734
Urgence 24 heures 1-888-287-5858

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:
FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Sergio Alvarez
Sent: Tuesday, January 30, 2007 4:05 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] User Authentication issue

Hello,

I just helped a customer to configure User Authentication for HTTP for a
small group of users that reside on a DMZ. We created the users (with CP
password authentication), the group of users and the rule on which that
group, restricted to the DMZ network, is the source, the destination is any,
the service is HTTP and the action has User Authentication, on which we
selected the option "HTTP: All servers" as opposed to the default
"predefined servers".

When the users try to browse a web page, they get the authentication
challenge and they get authenticated OK, but then every time they click on a
new link, the challenge window comes up again and they have to authenticate
one more time in order to continue. Seems like even when it is User
Authentication, it is behaving like Session Authentication.

We checked the User Authentication Session Time out and it is on the default
setting of 15 minutes both on Global Properties and the gateway object,
which by the way is an active/standby HA pair.

Everything is NGX R61 and runs over SPLAT.

Has anyone seen this before? I don't seem to find an answer on the SK.

Thanks in advance for the help.

Regards

--
Sergio Alvarez
(506)8301342

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================



--
Sergio Alvarez
(506)8301342
