04-12-2010 12:59 PM
We have the following situation
We have a website that we want to secure with an external authentication party ( Cryptocard MAS protal)
I tried to create an auth server and joined this with a policy and thought this would work , but no luck
The people at Cryptocard have also no idea how to set up our SSg5
Does anyone have any experience with external radius authentication on an SSG5
04-18-2010 11:17 AM - edited 04-18-2010 02:01 PM
If I understand your scenario correctly, there is no authentication server or setup needed at all in the SSG for your web server.
You are protecting a web site. The process will work like this:
- when the page load comes to the Microsoft IIS server
- IIS needs to be configured to forward that request over to Crypto-MAS
- Once authenticated, Crypto-MAS returns the session to IIS as authorized
On the SSG firewall you need these configurations setup:
- you will forward web traffic to the Microsoft IIS server normally
- You will need firwall rules to allow outbound connections from the IIS server to Crypto-MAS. These will be covered if you have a normal allow all from the IIS server zone to the internet untrust setup that allows web access from that server
- You will need a firewall rule from the Crypto-MAS server IPs to the IIS server for whatever ports they use in the communcations. It looks like they use RADIUS so the port would be 1645 & 1646 but you will need their documenation on the IIS setup to confirm where the communcations occur.
The authentication server setup on the SSG is only needed if you are using Crypto-MAS as the authentication for your administrative access to the SSG instead of the build in login database.
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6