CPUG: The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
We're running R62. Can the same userid be used for admin access to the firewall and SecureClient VPN access through the firewall to the network? Some of our help desk personnel need to use SmartView Monitor to do component checks of the firewall, but they are also SecureClient VPN users. Currently they are defined as Users with SecurID authentication, and they are using a generic administrator ID with read-only access to do the component checks. I want to get rid of this generic admin acct and create an admin account for each person, and ideally have them use TACACS or RADIUS for access to the firewall (although I guess SecurID would be okay, if that was the only way). Their userid is tied to SecurID, Radius, AD, etc., so I don't want to have to use a different acct name for their admin access (like user=joe, adminuser=ad-joe).

I know I can't have the same userid in Users and in Administrators, but if I delete their user accts, and just define them as admins and add them to the VPN user groups, would this work? If not, is there a way to do what I'm proposing? I hope my explanation is clear. Thanks for your help.

Finally having a chance to test this issue. I have an Administrator id set up with SecurID authentication, added the id to the VPN group and installed the policy. When I try to log into SecureClient with this id I keep getting "Wrong User Name or Password" and the authentication never goes out to the SecurID server. It seems like SecureClient will not "look" in the Administrators for the id. Has anyone out there got this working?

Basically, we have a bunch of SecureClient VPN users who need to access the firewall to check logs, status, etc. I can't have the same userid as a User and an Administrator. SecureClient users use SecurID authentication; Administrators are currently logging on locally to the SmartCenter server with a shared account, which I want to get rid of. I want to somehow allow them to log into the firewall either with their Radius credentials or SecurID credentials. (The userids are the same both in SecurID and Radius.) I tried setting up aliases in Radius so that when onsite, admins use the alias <userid>-fw, but over VPN would use <userid>. This worked great but unfortunately broke another app that uses Radius auth and does not like aliases. Deleting the userid from Users and just having it in Administrators does not let me authenticate over VPN. Two userids for each user in Radius would of course work but become an administrative nightmare. Any help or ideas from someone who has "been there, done that" would be greatly appreciated. Thank you.

I see that you're treating Radius and SecurID accounts as two different things, which is slightly different than how I do it. My SecurID servers are defined as radius hosts, and my VPN users and GUI Administrators are set to authenticate via Radius using my SecurID radius servers group.
__________________
It's all in the documentation.
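The previous reply's design puts one RADIUS backend (with SecurID behind it) in front of both the VPN users and the GUI administrators. Before attributing a "Wrong User Name or Password" to the Check Point side, it is worth confirming that the RADIUS server itself accepts the userid and shared secret. The following is an added example, not code from this thread or from Check Point: a minimal RADIUS PAP client per RFC 2865 that builds an Access-Request, hides the User-Password with the MD5 chaining the RFC specifies, and validates the Response Authenticator of the reply under the shared secret. The server address, shared secret, userid and password in it are placeholders to be replaced; the offline part simulates the server's reply locally.

```python
"""Minimal RFC 2865 PAP client for testing a RADIUS/SecurID backend directly.
Added example; not Check Point code. Server, secret and credentials used
with radius_pap_auth() are assumptions to be replaced by the reader."""
import hashlib
import os
import socket
import struct

# RFC 2865 packet codes and the attribute types used here
CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator for the first block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does); trailing NULs are padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets too."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_header(packet: bytes):
    """Returns (Code, Identifier, Length) from the 20-octet RADIUS header."""
    return struct.unpack("!BBH", packet[:4])


def build_access_request(identifier, username, password, secret,
                         authenticator=None, nas_id=b"cp-auth-test"):
    """Access-Request carrying User-Name, hidden User-Password and NAS-Identifier.
    Returns (packet, request_authenticator); keep the authenticator to check
    the reply. nas_id is an arbitrary constructed label."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """What a server sends back (used here only to simulate the backend):
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response, identifier, request_authenticator, secret):
    """Returns (authenticator_valid, code). A reply whose Identifier or Response
    Authenticator does not check out must be treated as no reply at all."""
    if len(response) < 20:
        return False, None
    code, ident, length = parse_header(response)
    if length != len(response) or ident != identifier:
        return False, code
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[20:] + secret).digest()
    return expected == response[4:20], code


def radius_pap_auth(server, secret, username, password, port=1812, timeout=5.0):
    """Send one Access-Request over UDP; True only for a verified Access-Accept.
    Network call, not exercised offline; server and secret are assumptions."""
    packet, request_auth = build_access_request(1, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        reply, _ = sock.recvfrom(4096)
    valid, code = verify_response(reply, 1, request_auth, secret)
    return valid and code == CODE_ACCESS_ACCEPT
```

With a SecurID-backed RADIUS server, the password field carries the PIN plus tokencode, so a second attempt with the same code is expected to fail; a rejection here means the backend, not the Check Point User/Administrator split, is the thing to look at first.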