CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Results 1 to 3 of 3

Thread: User Auth working as Session Auth

  1. #1
    Join Date
    2006-07-31
    Posts
    9
    Rep Power
    0

    Default User Auth working as Session Auth

    Hello,

    I just helped a customer to configure User Authentication for HTTP for a small group of users that reside on a DMZ. We created the users (with CP password authentication), the group of users and the rule on which that group (restricted to the DMZ network) is the source, the destination is any, the service is HTTP and the action has User Authentication, on which we selected the option "HTTP: All servers" in opposition of the default "predefined servers".

    When the users try to browse a web page, they get the authentication challenge and they get authenticated ok, but then every time they click on a new link, the challenge window comes up again and they have to authenticate one more time in order to continue. Seems like even when it is User Authentication, its behaving like Session Authentication.

    We checked the User Authentication Session Time out and it is on the default setting of 15 minutes both on Global Properties and the gateway object, which by the way is an active/standby HA pair.

    Everything is NGX R61 and runs over SPLAT.

    Has anyone seen this before? I don't seem to find an answer on the SK.

    Thanks in advance for the help.

    Regards
    Sergio Alvarez
    SEFISA Costa Rica

  2. #2
    Join Date
    2006-07-31
    Posts
    9
    Rep Power
    0

    Default Re: User Auth working as Session Auth

    Sorry, I just learned that in particular is the expected behavior when doing User Authentication with HTTP. I was under the impression that only Session Authentication would work like that.

    We switched to Client Auth and got the expected results.
    Sergio Alvarez
    SEFISA Costa Rica

  3. #3
    Join Date
    2005-08-11
    Location
    San Francisco, CA
    Posts
    1,395
    Rep Power
    15

    Default Re: User Auth working as Session Auth

    Quote Originally Posted by sergioaf View Post
    Hello,

    I just helped a customer to configure User Authentication for HTTP for a small group of users that reside on a DMZ. We created the users (with CP password authentication), the group of users and the rule on which that group (restricted to the DMZ network) is the source, the destination is any, the service is HTTP and the action has User Authentication, on which we selected the option "HTTP: All servers" in opposition of the default "predefined servers".

    When the users try to browse a web page, they get the authentication challenge and they get authenticated ok, but then every time they click on a new link, the challenge window comes up again and they have to authenticate one more time in order to continue. Seems like even when it is User Authentication, its behaving like Session Authentication.

    We checked the User Authentication Session Time out and it is on the default setting of 15 minutes both on Global Properties and the gateway object, which by the way is an active/standby HA pair.

    Everything is NGX R61 and runs over SPLAT.

    Has anyone seen this before? I don't seem to find an answer on the SK.

    Thanks in advance for the help.

    Regards
    User Authentication demands authentication for every single new TCP connection. Your browser will cache these credentials and silently provide them for you if you open another connection to the same server. If you close your browser, or time out, or go to a new web server, you must authenticate again.

    This is why User Authentication is described as "Secure but intrusive". In real life, it's way too much of a pain to use for HTTP.
    Barry J. Stiefel ("Stee-ful" or "Shtee-ful")
    B.S., MBA, CCSA/CCSE/CCSE+/CCSI
    Resilience RCSE/RCSI, Fortinet FCSE
    CISSP, MCSE, NSA ISM
    Founder of CPUG
    Founder of CPUG University

Similar Threads

  1. Number of auth. attempts with Client Auth
    By netgeo in forum Authentication
    Replies: 1
    Last Post: 2008-12-04, 18:04
  2. Session Auth - SecureID Backend
    By gparedes in forum Authentication
    Replies: 2
    Last Post: 2006-11-01, 03:57
  3. User auth and owa
    By emreb in forum Authentication
    Replies: 2
    Last Post: 2006-05-25, 03:24
  4. Replies: 0
    Last Post: 2005-08-14, 11:58
  5. Session Auth and Content Filtering
    By roadrunner in forum Authentication
    Replies: 0
    Last Post: 2005-08-13, 15:49

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •