(I previously posted this, but it appeared to have bounced for some reason; apologies if you get this twice.)

I have searched all the FAQs and docs (Checkpoint PDFs etc.) and from what I can tell it looks like I am screwed.

What I want to do is use my CiscoSecure TACACS server to handle authentication for a variety of flows through my fw1. I have all the evil OS/Password features of the fw1 removed, so I am using the remote database/NT domain integration feature of CiscoSecure to handle my domain authentication.

I would like to use the FW1 Session Authentication Agent on internal hosts and have the users input their domain login credentials and have the FW-1 pass this info along to my TACACS server where they are verified. The problem is that I cannot seem to get the Agent to accept any usernames other than those IMPLICITLY defined in my FW1 objects (manage->users).

If I have a user "JoeBlow" defined in manage->users, the fw1 will then query my TACACS server and I see logs that JoeBlow logged in, or had an invalid password, etc.

If I then log in with "JaneDoe" (a user that exists in my NT DOMAIN), the session authentication agent immediately barks back "Invalid User", and looking at my TACACS server, it never even passed through the authentication request. I know my TACACS server is working fine (it's working for a variety of stuff already) and I know that it queries my domain controller correctly.

Is there some magic to setting up a user in the manage->users dialog for it to match Anyone? I would think if you selected "All users@any" as your source in your session auth rule, that it would allow any username to be passed to the authentication server. Instead, it looks like it looks for users defined in FW1 and then attempts to contact the authentication server to check their password validity.

During certification I seem to remember being told that this was a limitation of FW1 and that you had to use LDAP and the UAM if you wanted to get around it, but I was hoping this was not the case. Can anyone here confirm my assumptions?

I was really hoping to just have some of the NT admins simply put people into a group membership to give them access to particular session auth rules without requiring me to do any extra work on the firewall.




-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]