SecurID netscreen problem

I have set up a VPN to authenticate to an external SecurID server. The authentication requests reach the server and authentication is successful, as I can see through the logs of the SecurID server.

But my problem is that the dialup VPN client is unable to get an IP address. How is it possible to give the VPN client an IP address?

Thank you

_______________________________________________
nn mailing list nn@... http://www.compsoc.com/cgi-bin/mailman/listinfo/nn
|
|
Re: [j-nsp] SecurID netscreen problem

If I recall correctly, you are using Xauth. As I mentioned in a previous post, ScreenOS does not support the assignment of remote settings such as IP addresses using Xauth. In most cases you do not need to assign an address to the tunnel in order to get the tunnel operational, but if this is a requirement for your network you'll need to switch from that ShrewSoft client to something else that supports AUTH authentication.

HTHs.

On 7/21/08, sunnyday <cscosunny@...> wrote:
> I have set up a VPN to authenticate to an external SecurID server. The
> authentication requests reach the server and authentication is successful, as
> I can see through the logs of the SecurID server.
>
> But my problem is that the dialup VPN client is unable to get an IP address.
> How is it possible to give the VPN client an IP address?
>
> Thank you
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@...
> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
Sent from Gmail for mobile | mobile.google.com

Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D
|
|
Re: [j-nsp] SecurID netscreen problem

Hi,

You can also use Microsoft IAS! Make sure the domain is at least Windows 2003 Native, and you can specify IPs for every user in his Active Directory object (Dial-In).

Brgds,
Maarten

-----Original Message-----
From: nn-bounces@... [mailto:nn-bounces@...] On Behalf Of Stefan Fouant
Sent: Monday, July 21, 2008 16:11
To: sunnyday; Juniper-Nsp; nn@...
Subject: Re: [nn] [j-nsp] SecurID netscreen problem

If I recall correctly, you are using Xauth. As I mentioned in a previous post, ScreenOS does not support the assignment of remote settings such as IP addresses using Xauth. In most cases you do not need to assign an address to the tunnel in order to get the tunnel operational, but if this is a requirement for your network you'll need to switch from that ShrewSoft client to something else that supports AUTH authentication.

HTHs.
|
|
Re: [j-nsp] SecurID netscreen problem

Ok sorry

Any client in mind that supports auth?
> And how can I make the VPN work without an IP address assigned to the
> dialup user?
> I have only managed to get it to work with IP. I also used Netscreen
> Remote as well besides ShrewSoft.

-----Original Message-----
From: Stefan Fouant [mailto:sfouant@...]
Sent: Monday, July 21, 2008 5:11 PM
To: sunnyday; Juniper-Nsp; nn@...
Subject: Re: [j-nsp] SecurID netscreen problem

If I recall correctly, you are using Xauth. As I mentioned in a previous post, ScreenOS does not support the assignment of remote settings such as IP addresses using Xauth. In most cases you do not need to assign an address to the tunnel in order to get the tunnel operational, but if this is a requirement for your network you'll need to switch from that ShrewSoft client to something else that supports AUTH authentication.

HTHs.
|
|
Re: [j-nsp] SecurID netscreen problem

The tunnel can be treated as a point-to-point IP unnumbered interface for purposes of forwarding traffic, so normally there is no need for IP address assignments on the tunnel itself. IP addressing is normally only used "inside" the tunnel if you wanted to ping the remote end of the tunnel itself or perhaps layer another tunneling technology on top of the underlying IPsec tunnel, thereby specifying the local and remote tunnel IPs as the source and destination addresses for the secondary tunnel.

If you can use Netscreen Remote Client as opposed to the ShrewSoft client, you'll have more flexibility as the Netscreen Remote Client will allow you to use AUTH authentication and therefore assign remote settings.

On Mon, Jul 21, 2008 at 11:51 AM, sunnyday <cscosunny@...> wrote:
> Ok sorry
>
> Any client in mind that supports auth?
>> And how can I make the VPN work without an IP address assigned to the
>> dialup user?
>> I have only managed to get it to work with IP. I also used Netscreen
>> Remote as well besides ShrewSoft.

--
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D
|
|
Re: [j-nsp] SecurID netscreen problem

I don't use a tunnel interface; I just configured the VPN through Autokey Advanced ----> Gateway and Autokey IKE, and then a bidirectional policy from Dial-Up VPN to any, Action=Tunnel. And that's it. After that the user is configured locally.

And that thing that you said with Netscreen Remote: how can you do AUTH authentication? I have only seen preshared key and preshared key with Xauth.

-----Original Message-----
From: Stefan Fouant [mailto:sfouant@...]
Sent: Monday, July 21, 2008 8:03 PM
To: sunnyday
Cc: Juniper-Nsp; nn@...
Subject: Re: [j-nsp] SecurID netscreen problem

The tunnel can be treated as a point-to-point IP unnumbered interface for purposes of forwarding traffic, so normally there is no need for IP address assignments on the tunnel itself. IP addressing is normally only used "inside" the tunnel if you wanted to ping the remote end of the tunnel itself or perhaps layer another tunneling technology on top of the underlying IPsec tunnel, thereby specifying the local and remote tunnel IPs as the source and destination addresses for the secondary tunnel.

If you can use Netscreen Remote Client as opposed to the ShrewSoft client, you'll have more flexibility as the Netscreen Remote Client will allow you to use AUTH authentication and therefore assign remote settings.
|
|
Re: [j-nsp] SecurID netscreen problem

OK, I managed to get it working. Thanks for your help, Stefan.

-----Original Message-----
From: Stefan Fouant [mailto:sfouant@...]
Sent: Monday, July 21, 2008 8:03 PM
To: sunnyday
Cc: Juniper-Nsp; nn@...
Subject: Re: [j-nsp] SecurID netscreen problem

The tunnel can be treated as a point-to-point IP unnumbered interface for purposes of forwarding traffic, so normally there is no need for IP address assignments on the tunnel itself. IP addressing is normally only used "inside" the tunnel if you wanted to ping the remote end of the tunnel itself or perhaps layer another tunneling technology on top of the underlying IPsec tunnel, thereby specifying the local and remote tunnel IPs as the source and destination addresses for the secondary tunnel.

If you can use Netscreen Remote Client as opposed to the ShrewSoft client, you'll have more flexibility as the Netscreen Remote Client will allow you to use AUTH authentication and therefore assign remote settings.