Thread: Re: Provider-1 NGx R65 w/ HFA_02 and RSA SecurID 6.1 authentication UPDATE




United States
2007-11-06 06:20:22
Here is what I did last night to make it work:

1) Backup all of my CMAs on the P-1 R65 systems.  Thank god I only have 3 CMAs on there,

2) performed "mds_remove" and reboot,

3) run mds_setup again,

4) perform RSA authentication setup (i.e. get sdconf.rec from RSA Server),

5) test RSA authentication and IT WORKS!!!!!

6) upgrade to hfa_01 and reboot.  It still WORKS after that!!!!

7) upgrade to hfa_02 and reboot.  It still WORKS after that!!!!

8) create CMAs and performed CMA migration...

9) log in to CMA and MDG with RSA SecurID account.  It still WORKS.

-----

Here is how I broke it:

install a clean P-1 R65 on linux,
apply hfa_01 and reboot,
apply hfa-02 and reboot,
configure P-1 for RSA authentication,
test RSA authentication, FAILED!!!!!!

Obviously, the P-1 software is very unstable in terms of RSA authentication.




Reinhard Stich <r.stichINTERNET-SECURITY.AT> wrote:

hi,

the hfa-01 fix works also with hfa02 here.

br
reinhard

At 14:13 05.11.2007, you wrote:
>I had this issue too. CP supplied a hotfix for hfa-01 for splat, it
>worked for me. This was not incorporated in hfa-02. They did not have
>the hotfix for hfa-02 so instead of trying to get one built for hfa-02
>I've decided to wait and see what hfa-03 will bring, bypassing hfa-02.
>
>-GS
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM] On Behalf Of
>Reinhard Stich
>Sent: Monday, November 05, 2007 7:50 AM
>To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
>Subject: Re: [FW-1] Provider-1 NGx R65 w/ HFA_02 and RSA SecurID 6.1
>authentication
>
>hi,
>
>I had the issue described in sk33663:
>FWM hangs/consumes high CPU resources when using TACACS or RADIUS in
>Provider-1 R65
>
>br
>reinhard
>
>
>At 13:39 05.11.2007, you wrote:
> >I have to implement RSA SecurID for Provider-1
> >authentication NGx R65 with HFA_02 running on
> >Linux ES 3.  This is our brand new production
> >system
> >
> >RSA SecurID is version 6.1 running on Linux.  RSA
> >SecurID server ip address is 192.168.0.1/22.
> >Provider-1 IP address is 192.168.2.1/22.  In other
> >words, they are on the same network, NO firewalls
> >in between.
> >
> >I create an agent host on the RSA for the P-1
> >host with a sdconf.rec file.  I then dump that file
> >into the /var/ace directory on the P-1 NGx R65 box.
> >I then performed "mdsstop;mdsstart".  After that,
> >I created a user called "test1" and specified
> >"SecurID" as the authentication method.  The
> >user "test1" also exists on the RSA server.
> >However, I can not log into the P-1 box with the
> >"test1" account.  RSA log says this:
> >
> >test1/mds-NGx_r65, access denied, bad user password
> >
> >
> >We have an identical existing Provider-1 NG
> >with Application Intelligence R55 with HFA_20
> >on the same network 192.168.1.1/22 and "test1"
> >works fine with RSA SecurID.
> >
> >Anyone having issues with Provider-1 NGx R65
> >with HFA_02 and RSA SecurID authentication?
> >
> >Thanks.
> >
> >__________________________________________________
> >Do You Yahoo!?
> >Tired of spam?  Yahoo! Mail has the best spam protection around
> >http://mail.yahoo.com
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages,
> >send an email to LISTSERVamadeus.us.checkpoint.com
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >fw-1-ownerts.checkpoint.com
> >=================================================
>
>--
>Reinhard Stich          r.stichinternet-security.at
>Internet Security AG,      1150 Wien, Johnstrasse 29
>Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
>

-- 
Reinhard Stich          r.stichinternet-security.at
Internet Security AG,      1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333 
