Provider-1 NGx R65 w/ HFA_02 and RSA SecurID 6.1 authentication

I have to implement RSA SecurID for Provider-1 
authentication NGx R65 with HFA_02 running on 
Linux ES 3.  This is our brand new production
system

RSA SecurID is version 6.1 running on Linux.  RSA
SecurID server ip address is 192.168.0.1/22.
Provider-1 IP address is 192.168.2.1/22.  In other
words, they are on the same network, NO firewalls
in between.

I create an agent host on the RSA for the P-1
host with a sdconf.rec file.  I then dump that file
into the /var/ace directory on the P-1 NGx R65 box.
I then performed "mdsstop;mdsstart".  After that,
I created a user called "test1" and specified
"SecurID" as the authentication method.  The
user "test1" also exists on the RSA server.
However, I can not log into the P-1 box with the
"test1" account.  RSA log says this:

test1/mds-NGx_r65, access denied, bad user password


We have an identical existing Provider-1 NG
with Application Intelligence R55 with HFA_20
on the same network 192.168.1.1/22 and "test1"
works fine with RSA SecurID.

Anyone having issues with Provider-1 NGx R65
with HFA_02 and RSA SecurID authentication?

Thanks.





 __________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection
around 
http://mail.yahoo.com 

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

hi,

I had the issue described in sk33663:
FWM hangs/consumes high CPU resources when using TACACS or
RADIUS in 
Provider-1 R65

br
reinhard


At 13:39 05.11.2007, you wrote:
>I have to implement RSA SecurID for Provider-1
>authentication NGx R65 with HFA_02 running on
>Linux ES 3.  This is our brand new production
>system
>
>RSA SecurID is version 6.1 running on Linux.  RSA
>SecurID server ip address is 192.168.0.1/22.
>Provider-1 IP address is 192.168.2.1/22.  In other
>words, they are on the same network, NO firewalls
>in between.
>
>I create an agent host on the RSA for the P-1
>host with a sdconf.rec file.  I then dump that file
>into the /var/ace directory on the P-1 NGx R65 box.
>I then performed "mdsstop;mdsstart".  After
that,
>I created a user called "test1" and specified
>"SecurID" as the authentication method.  The
>user "test1" also exists on the RSA server.
>However, I can not log into the P-1 box with the
>"test1" account.  RSA log says this:
>
>test1/mds-NGx_r65, access denied, bad user password
>
>
>We have an identical existing Provider-1 NG
>with Application Intelligence R55 with HFA_20
>on the same network 192.168.1.1/22 and
"test1"
>works fine with RSA SecurID.
>
>Anyone having issues with Provider-1 NGx R65
>with HFA_02 and RSA SecurID authentication?
>
>Thanks.
>
>
>
>
>
>  __________________________________________________
>Do You Yahoo!?
>Tired of spam?  Yahoo! Mail has the best spam protection
around
>http://mail.yahoo.com
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to LISTSERVamadeus.us.checkpoint.com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http:
//www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-ownerts.checkpoint.com
>=================================================

-- 
Reinhard Stich          r.stichinternet-security.at
Internet Security AG,      1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333 

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

I had this issue too. CP supplied a hotfix for hfa-01 for
splat, it
worked for me. This was not incorporated in hfa-02. They did
not have
the hotfix for hfa-02 so instead of trying to get one built
for hfa-02
I've decided to wait and see what hfa-03 will bring,
bypassing hfa-02.

-GS

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM]
On Behalf Of
Reinhard Stich
Sent: Monday, November 05, 2007 7:50 AM
To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Provider-1 NGx R65 w/ HFA_02 and RSA
SecurID 6.1
authentication

hi,

I had the issue described in sk33663:
FWM hangs/consumes high CPU resources when using TACACS or
RADIUS in 
Provider-1 R65

br
reinhard


At 13:39 05.11.2007, you wrote:
>I have to implement RSA SecurID for Provider-1
>authentication NGx R65 with HFA_02 running on
>Linux ES 3.  This is our brand new production
>system
>
>RSA SecurID is version 6.1 running on Linux.  RSA
>SecurID server ip address is 192.168.0.1/22.
>Provider-1 IP address is 192.168.2.1/22.  In other
>words, they are on the same network, NO firewalls
>in between.
>
>I create an agent host on the RSA for the P-1
>host with a sdconf.rec file.  I then dump that file
>into the /var/ace directory on the P-1 NGx R65 box.
>I then performed "mdsstop;mdsstart".  After
that,
>I created a user called "test1" and specified
>"SecurID" as the authentication method.  The
>user "test1" also exists on the RSA server.
>However, I can not log into the P-1 box with the
>"test1" account.  RSA log says this:
>
>test1/mds-NGx_r65, access denied, bad user password
>
>
>We have an identical existing Provider-1 NG
>with Application Intelligence R55 with HFA_20
>on the same network 192.168.1.1/22 and
"test1"
>works fine with RSA SecurID.
>
>Anyone having issues with Provider-1 NGx R65
>with HFA_02 and RSA SecurID authentication?
>
>Thanks.
>
>
>
>
>
>  __________________________________________________
>Do You Yahoo!?
>Tired of spam?  Yahoo! Mail has the best spam protection
around
>http://mail.yahoo.com
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to LISTSERVamadeus.us.checkpoint.com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http:
//www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-ownerts.checkpoint.com
>=================================================

-- 
Reinhard Stich          r.stichinternet-security.at
Internet Security AG,      1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333 

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

hi,

the hfa-01 fix works also with hfa02 here.

br
reinhard

At 14:13 05.11.2007, you wrote:
>I had this issue too. CP supplied a hotfix for hfa-01
for splat, it
>worked for me. This was not incorporated in hfa-02. They
did not have
>the hotfix for hfa-02 so instead of trying to get one
built for hfa-02
>I've decided to wait and see what hfa-03 will bring,
bypassing hfa-02.
>
>-GS
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM]
On Behalf Of
>Reinhard Stich
>Sent: Monday, November 05, 2007 7:50 AM
>To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
>Subject: Re: [FW-1] Provider-1 NGx R65 w/ HFA_02 and RSA
SecurID 6.1
>authentication
>
>hi,
>
>I had the issue described in sk33663:
>FWM hangs/consumes high CPU resources when using TACACS
or RADIUS in
>Provider-1 R65
>
>br
>reinhard
>
>
>At 13:39 05.11.2007, you wrote:
> >I have to implement RSA SecurID for Provider-1
> >authentication NGx R65 with HFA_02 running on
> >Linux ES 3.  This is our brand new production
> >system
> >
> >RSA SecurID is version 6.1 running on Linux.  RSA
> >SecurID server ip address is 192.168.0.1/22.
> >Provider-1 IP address is 192.168.2.1/22.  In other
> >words, they are on the same network, NO firewalls
> >in between.
> >
> >I create an agent host on the RSA for the P-1
> >host with a sdconf.rec file.  I then dump that
file
> >into the /var/ace directory on the P-1 NGx R65
box.
> >I then performed "mdsstop;mdsstart". 
After that,
> >I created a user called "test1" and
specified
> >"SecurID" as the authentication method. 
The
> >user "test1" also exists on the RSA
server.
> >However, I can not log into the P-1 box with the
> >"test1" account.  RSA log says this:
> >
> >test1/mds-NGx_r65, access denied, bad user
password
> >
> >
> >We have an identical existing Provider-1 NG
> >with Application Intelligence R55 with HFA_20
> >on the same network 192.168.1.1/22 and
"test1"
> >works fine with RSA SecurID.
> >
> >Anyone having issues with Provider-1 NGx R65
> >with HFA_02 and RSA SecurID authentication?
> >
> >Thanks.
> >
> >
> >
> >
> >
> > 
__________________________________________________
> >Do You Yahoo!?
> >Tired of spam?  Yahoo! Mail has the best spam
protection around
> >http://mail.yahoo.com
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages,
> >send an email to LISTSERVamadeus.us.checkpoint.com
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http:
//www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >fw-1-ownerts.checkpoint.com
> >=================================================
>
>--
>Reinhard Stich          r.stichinternet-security.at
>Internet Security AG,      1150 Wien, Johnstrasse 29
>Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to LISTSERVamadeus.us.checkpoint.com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http:
//www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-ownerts.checkpoint.com
>=================================================
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to LISTSERVamadeus.us.checkpoint.com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http:
//www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-ownerts.checkpoint.com
>=================================================

-- 
Reinhard Stich          r.stichinternet-security.at
Internet Security AG,      1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333 

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================