
Thread: SecurID Config




SecurID Config
user name
2006-06-28 19:11:17
Have you thought about using Radius to proxy the auth request to RSA? It's much easier.


-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM] On Behalf Of Erin Young
Sent: Wednesday, June 28, 2006 11:59 AM
To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] SecurID Config

I've tried the method using the VIP defined in the agent host and no luck, so I am now going to the next method, a separate agent host for each of the Nokias. I have two sets of documentation from Checkpoint and one does not state anything about generating the node secret file for the agent host while the other one does. Which is correct?

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
SecurID Config
user name
2006-06-29 02:27:40
Hi,
  The problem with Radius to proxy the auth request to RSA is that you need a Radius server to do this.  Furthermore, RSA ACE Server also comes with native radius so you don't really need another radius box for proxy.

  The problem with this solution is that radius is supported for P-1 authentication in NGx R60 or higher.  It is NOT supported for NG with AI or lower.

  My 2c.

"Larson, Todd (LNG-DAY)" <Todd.LarsonLEXISNEXIS.COM> wrote:
  Have you thought about using Radius to proxy the auth request to RSA? It's much easier.


=================================================
SecureClient & LDAP
user name
2006-06-29 07:05:14
Hi,

just wanted to tell you the solution for my problem: install HFA_03.
Now I know the meaning of "increased stability with ldap" that is mentioned in the release notes of HFA_03:
increased stability = it's working now

Best regards,
Alex

=================================================
Hi,

we want to authenticate our SecureClient users via Active Directory and LDAP integration.
We have multiple Active Directory (AD) servers in different countries.
We configured them the same way but we experience different behavior.

SecureClient works when we log on with a user of AD1.
But when we try to connect with a user of AD2 we get the error message "gateway not responding".
SmartView Tracker shows no drops/alerts or anything else. When we use a wrong password then we get an error message that user or password is wrong.
We captured packets between the enforcement module and the LDAP server and they look the same on the working and the nonworking AD. First we see the search query and after that a bind request with the user credentials that succeeds.
Furthermore, when we create a client auth rule there's no problem authenticating a user of the 2 AD server. So I'm pretty sure that LDAP is configured correctly.
When we look at SecureClient Diagnostics we can see after Phase 1 Details (Main Mode completes) - XAuth: "Sending user authentication to VPN-1 Gateway" and after that "VPN-1 Gateway did not response to IKE key-exchange"

Gateway: Nokia IPSO 4.0 VRRP Cluster running NGX-R60-HFA02
SecureClient: NGX-R60-HFA1

Has anyone an idea where to look?

thanks in advance
Alex

=================================================
SecurID Config
user name
2006-06-29 11:44:46
I am now receiving the message ACEAGENT: The message entry does not exist for Message ID: 1008. The solution is to modify the table.def file so the communication on port 5500 between the fw interface and the ACE server is not hide NATed behind the VIP. The ridiculous thing is that I have to remember to add the entry every time I apply a hotfix to the management server. I'll see if it works.


>From: cisco4ng <cisco4ngYAHOO.COM>
>Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM>
>To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
>Subject: Re: [FW-1] SecurID Config
>Date: Wed, 28 Jun 2006 19:27:40 -0700
>
>Hi,
>   The problem with Radius to proxy the auth request to RSA is that you need a Radius server to do this.  Furthermore, RSA ACE Server also comes with native radius so you don't really need another radius box for proxy.
>
>   The problem with this solution is that radius is supported for P-1 authentication in NGx R60 or higher.  It is NOT supported for NG with AI or lower.
>
>   My 2c.
=================================================
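Since the table.def edit described in the message above has to be redone after every hotfix, a drift check can confirm it is still in place. This is an added example, not part of the original post or of Check Point's tooling; it assumes the exemption is written as `<5500, 17>` (port, IP protocol 17 = UDP) in the `no_hide_services_ports` table of table.def, which should be confirmed against the installed version, and the sample files are constructed.

```shell
#!/bin/sh
# Drift check for the table.def change discussed in the thread (added example).
# Assumption: exemptions are "<port, ip-protocol>" pairs in no_hide_services_ports.

# no_hide_has FILE PORT PROTO -> exit 0 if an active definition lists <PORT, PROTO>
no_hide_has() {
    awk -v port="$2" -v proto="$3" '
        /^[ \t]*\/\// { next }                      # ignore // comment lines
        /no_hide_services_ports[ \t]*=/ { grab = 1 }
        grab {
            buf = buf $0                            # definition may span lines
            if ($0 ~ /;/) {                         # ";" ends the definition
                gsub(/[ \t]/, "", buf)
                if (index(buf, "<" port "," proto ">")) found = 1
                buf = ""; grab = 0
            }
        }
        END { exit !found }
    ' "$1"
}

# Constructed samples: one as a hotfix might leave it, one with the entry re-added.
sample_dir=$(mktemp -d)
cat > "$sample_dir/stock.def" <<'EOF'
// constructed sample, not a real table.def
// no_hide_services_ports = { <5500, 17> };
no_hide_services_ports = { <500, 17>, <259, 17>,
                           <1701, 17>, <123, 17> };
EOF
cat > "$sample_dir/patched.def" <<'EOF'
// constructed sample, not a real table.def
no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17>, <5500, 17> };
EOF

for f in stock patched; do
    if no_hide_has "$sample_dir/$f.def" 5500 17; then
        echo "$f: 5500/udp is exempt from hide NAT"
    else
        echo "$f: 5500/udp entry missing, re-add it"
    fi
done
```

Run against the management server's real table.def after each hotfix, a non-zero exit from `no_hide_has` signals that the entry was overwritten.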
SecurID Config
user name
2006-06-29 13:04:26
Before I do the below - is Native mode or Radius mode easier to implement? Right now I am trying Native mode.


>From: Erin Young <y_erinHOTMAIL.COM>
>Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM>
>To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
>Subject: Re: [FW-1] SecurID Config
>Date: Thu, 29 Jun 2006 11:44:46 +0000
>
>I am now receiving the message ACEAGENT: The message entry does not exist for Message ID: 1008. The solution is to modify the table.def file so the communication on port 5500 between the fw interface and the ACE server is not hide NATed behind the VIP. The ridiculous thing is that I have to remember to add the entry every time I apply a hotfix to the management server. I'll see if it works.
=================================================