10 Replies, latest reply on Jun 17, 2011 9:29 AM by PhilM

    Version 8 - Using Active Passport

    PhilM

      Despite working with Sidewinder in all its forms since mid 2000, I have never come across an implementation where I've needed to implement the SSO service.

       

      A customer has approached us, currently running v7, and they use the Active Passport service (tied to the local user database) to provide a form of authenticated access for some inbound services.

       

      They have come to us to buy a new appliance, have us install version 8 on it and transpose their current configuration from old firewall to new. So I am currently trying to proof-of-concept this function on my v8 installation, before telling them that it is definitely possible to achieve.

       

      Unlike v7 there doesn't appear to be a default "Passport" rule in v8 and it also seems that this rule in v7 had a very specific application defense (which has also failed to make its way over to v8). Reading through the v8 admin guide, there is no suggestion that I can see of the need to create a rule to enable active passport access. However, despite having enabled Active Passport mode and creating myself a local user to test it with, I am unable to solicit a response from https://<Firewall_IP>:8111 or http://<Firewall_IP>:8111

       

      Searching for "Active Passport" in the knowledge base doesn't bring up anything specific either.

       

      So, is there a particular method required to get the Active Passport service working in v8?

       

      If so, what's the secret?!

       

      -Phil.

        • 1. Re: Version 8 - Using Active Passport

          Hello Phil,

           

          Don't feel too bad, I also missed this when first dealing with passport in v8. You need to select a user on the rule under "Users and Groups" (if you do not want to restrict access to a user or group, select <Authenticated>). This will automatically cause the Passport service to start up. There is no more need to create a rule for Passport.

           

          I think a KB article might make sense for this

           

          Let me know if that works for you.

          -Matt

          • 2. Re: Version 8 - Using Active Passport
            PhilM

            >I think a KB article might make sense for this

             

            Either that or give the admin guide authors a kick up the backside!

             

            Yep - that seems to work. With the inbound rule in configured to use the "<None/Passport>" authenticator type and the source user and group section containing my chosen local user group, I was then able to access the Passport URL on the Firewall. Logging in, I was then able to access the service I had configured in the rule.

             

            As soon as I logged out and tried the service again, the connection was rejected.

             

            Thanks!

             

            -Phil

             

            I'd be interested to see what you think about the update I made to my Intrazone routing thread.

            • 3. Re: Version 8 - Using Active Passport
              PhilM

              Matt

               

              I've had to backtrack on my decision to mark your answer as correct.

               

              The reason?

               

              When reviewing my v8 rules I realised I still had the rule in place which I had originally created believing it to be necessary to gain access to the Passport web login page. So I removed it.

               

              All of a sudden all of my Passport access tests were failing - trying to access the URL resulted in a "page cannot be displayed"-type message. As soon as I re-enabled the rule it came back to life.

               

              So, that would seem to indicate that some form of rule for the Active Passport application is necessary.

              • 4. Re: Version 8 - Using Active Passport
                sliedl

                You do not need a rule for Active Passport.  In fact, if you create a rule, it may prevent the service from starting up on port 8111 when  you check 'Authenticated' in a rule.

                 

                On pg. 90 of the 8.1.1 Admin Guide it says this (this is the Active Passport configuration section):

                3 Create an access control rule and include the following selections:

                • Authenticator - <None/Passport>

                 

                • Users and Groups - <Authenticated> or specific users and groups

                 

                That is the only indication you must check <Authenticated> in the rule in order for the Passport service to start.  Yes, that is not helpful nor explanatory, but it is what it is.

                 

                I don't have any rules with <Authenticated> checked so when I look at what is listening on port 8111 I don't get anything back on the command-line:

                mfev8:Admn {1} % lsof -nPi :8111

                mfev8:Admn {2} %

                 

                If I go and check <Authenticated> in my HTTP rule where I have <None/Passport> selected in the 'Authenticator' drop-down I then see that the service is now listening on port 8111:

                mfev8:Admn {3} % lsof -nPi :8111

                COMMAND  PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME

                nss     1445 root   14u  IPv4 0xb48b13d8      0t0  TCP *:8111 (LISTEN)

                mfev8:Admn {4} % sockstat -4lp 8111

                USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS

                root     nss        1445  14 tcp4   *:8111                *:*

                mfev8:Admn {5} % netstat -an | grep LISTEN| grep .8111

                tcp4       0      0  2 *.8111                 *.*                    LISTEN

                 

                If the service is listening and it's not working then something else is going on.  You may have to add the firewall's IP/hostname to your 'Trusted Sites' in IE, you may need to set your proxy settings in the browser to ignore the IP of the firewall (i.e. to NOT proxy connections TO the firewall itself), or you may need to allow META REFRESH in the IE settings.  These things are covered in the NTLM setup guide in the KB, PD21455.  Of course, you do not need to be using NTLM to use the Passport feature of the firewall (you can use any authenticator you'd like), but some of those settings may be applicable to your setup.

                • 5. Re: Version 8 - Using Active Passport
                  PhilM

                  Sam - many thanks for your detailed response.

                   

                  If I only have my RDP rule in place - with the Source User/Group entry containing my configured Firewall user group and Authenticator set to <None/Passport> and I then run either the lsof -nPi :8111, sockstat -4lp 8111 or netstat -an | grep LISTEN| grep .8111 commands, I get precisely zip back in response from any of them.

                   

                  Here's the rule:-

                   

                  [attached image: SSO-RDP Rule.jpg]

                  In your explanation you said "That is the only indication you must check <Authenticated> in the rule in order for the Passport service to start.  Yes, that is not helpful nor explanatory, but it is what it is.".

                   

                  However, if I try to do that and save the rule it comes back with the error "<Authenticated> cannot be used in conjunction with other users or usergroups". Because, ultimately, the rule is designed to only be available to users in a particular group - not all users, just as long as they have authenticated - I must make reference to the group in question.

                   

                  So, if I remove <Authenticated> from my rule, but then enable the "Passport" rule I had created when trying to mimic the v7 set-up, and then re-run the commands you spoke of previously, only then do I get something back in response.

                   

                  sw8:Admn {4} % lsof -nPi :8111

                  COMMAND  PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME

                  nss     1765 root   11u  IPv4 0xb411f1ec      0t0  TCP *:8111 (LISTEN)

                  sw8:Admn {8} % sockstat -4lp 8111

                  USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS

                  root     nss        1765  11 tcp4   *:8111                *:*

                  sw8:Admn {9} % netstat -an | grep LISTEN | grep .8111

                  tcp4       0      0  1 *.8111                 *.*                    LISTEN

                   

                  In addition to which, I can then access and authenticate myself to the Passport service.

                   

                   


                  • 6. Re: Version 8 - Using Active Passport

                    Hello Phil,

                     

                    Just to clarify so you understand, when you have a user or group specified under "Users and Groups", you do not need to specify "<Authenticated>". "<Authenticated>" should only be used when you are authenticating, but do not want to lock it down to a user or group.

                     

                    As far as having to use a Passport rule, I am still very confused. When I select "<Authenticated>" on an HTTP rule, Passport automatically starts up. I can verify this by running the following commands:

                     

                    "cf pol showtable"-

                    Rule Match ID 1 AF_INET - (ENABLED)

                    redir_port=8080 redir_addr=127.0.0.1

                    rule_flags=<>

                    sess_flags=<REDIR,FW_DST>

                    Floret ID=1

                    SRC_zone=internal,external SRC_ports=1-65535

                    SRC_addr=all_v4

                    DST_zone=internal,external DST_ports=8111 [Firewall destination]

                    proto=tcp

                    "ipfilter -v"-

                    Rule Match ID 1 AF_INET - (ENABLED)

                    redir_zone=ANY redir_port=8080 redir_addr=localhost

                    rule_flags=1<A_TO_B>

                    direction=UNI stateful ICMP_Mask=0x00000018

                    sess_flags=180<REDIR,SHARE_STATE,RESET_TCP/REQUIRE_UDP_CKSUM,FW_DST>

                    Floret ID=1

                    SRC_zone=1,2 SRC_ports=1-65535

                    SRC_addr=0.0.0.0 - 255.255.255.255

                    DST_zone=1,2 DST_ports=8111 [Firewall destination]

                    proto=tcp

                    Do you see this "implicit" rule in the outputs?

                    -Matt

                     

                    • 7. Re: Version 8 - Using Active Passport
                      PhilM

                      Hi Matt

                       

                      I think the main difference between what both you and Sam have said and what I am trying to do is that you are selecting <Authenticated> in the rule you are creating.

                       

                      I can (and will) give this a try, just to confirm. But in my example, I am selecting the group name in my rule as this is how I would like to control access.

                       

                      When I disable my "Passport" rule, I can run the three commands Sam mentioned and in each case get nothing back in response. When I change the authentication criteria of my rule from "group_name" to "<Authenticated>" I still don't get any output in response to those three commands.

                       

                      If I run cf pol showtable | grep 8111  or ipfilter -v | grep 8111 - again nothing.

                       

                      As soon as I re-enable the Passport server rule, guess what?

                       

                      Rule Match ID 15 AF_INET - (ENABLED)

                          redir_port=8080 redir_addr=127.0.0.1

                          rule_flags=<>

                          sess_flags=<REDIR,FW_DST>

                          Floret ID=15

                          SRC_zone=internal,external SRC_ports=1-65535

                            SRC_addr=all

                          DST_zone=internal,external DST_ports=8111   [Firewall destination]

                          proto=tcp

                       

                      and

                       

                      Rule Match ID 15 AF_INET - (ENABLED)

                          redir_zone=ANY    redir_port=8080    redir_addr=localhost

                          rule_flags=1<A_TO_B>

                          direction=UNI stateful ICMP_Mask=0x00000018

                          sess_flags=180<REDIR,SHARE_STATE,RESET_TCP/REQUIRE_UDP_CKSUM,FW_DST>

                          Floret ID=15

                          SRC_zone=1,2 SRC_ports=1-65535

                            SRC_addr=0.0.0.0 - 255.255.255.255

                          DST_zone=1,2 DST_ports=8111  [Firewall destination]

                          proto=tcp

                       

                      It would seem that you (and Sam) and I are getting quite opposite results from our respective configurations. I am running 8.1.1.

                       

                      -Phil.

                       

                      p.s. Don't know if you have the means to move discussions around. I submitted a new one, but was a klutz and posted it in the parent forum, rather than specifically in the Firewall Enterprise one.

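The `cf pol showtable` output quoted in posts 6 and 7 can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from McAfee: it parses a constructed sample in that output format (the `SAMPLE` text, the function names and the "one enabled TCP/8111 redirect rule with REDIR and FW_DST" criterion are assumptions) and reports whether the implicit Passport redirect rule is present.

```python
# Added example, not part of the thread: parse `cf pol showtable`-style output
# and look for the rule that redirects TCP/8111 on the firewall (Passport).
import re

# Constructed sample in the format quoted in the thread (not a real capture).
SAMPLE = """\
Rule Match ID 15 AF_INET - (ENABLED)
    redir_port=8080 redir_addr=127.0.0.1
    rule_flags=<>
    sess_flags=<REDIR,FW_DST>
    Floret ID=15
    SRC_zone=internal,external SRC_ports=1-65535
      SRC_addr=all
    DST_zone=internal,external DST_ports=8111   [Firewall destination]
    proto=tcp
Rule Match ID 16 AF_INET - (DISABLED)
    redir_port=0 redir_addr=0.0.0.0
    sess_flags=<>
    DST_zone=external DST_ports=3389 [Firewall destination]
    proto=tcp
"""

# key=value pairs; values are either a <...> flag list or a bare token
KV = re.compile(r"(\w+)=(<[^>]*>|\S+)")
HEADER = re.compile(r"Rule Match ID (\d+) \S+ - \((\w+)\)")


def parse_rules(text):
    """Split showtable output into one dict of key/value pairs per rule."""
    rules, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            cur = {"id": int(m.group(1)), "state": m.group(2)}
            rules.append(cur)
        elif cur is not None:
            cur.update(KV.findall(line))   # later keys overwrite earlier ones
    return rules


def passport_rule(rules, port="8111"):
    """Return the enabled rule redirecting TCP/<port> on the firewall, or None."""
    for r in rules:
        flags = r.get("sess_flags", "")
        if (r.get("state") == "ENABLED" and r.get("proto") == "tcp"
                and r.get("DST_ports") == port
                and "REDIR" in flags and "FW_DST" in flags):
            return r
    return None


if __name__ == "__main__":
    hit = passport_rule(parse_rules(SAMPLE))
    print("no Passport redirect rule" if hit is None else
          f"rule {hit['id']} -> {hit['redir_addr']}:{hit['redir_port']}")
```

Feed it the real output with `cf pol showtable | python3 check_passport.py` after replacing `SAMPLE` with `sys.stdin.read()`; an empty result matches the "nothing back" situation Phil describes.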
                      • 8. Re: Version 8 - Using Active Passport

                        Hello Phil,

                         

                        >It would seem that you (and Sam) and I are getting quite opposite results from our respective configurations. I am running 8.1.1.

                        I agree, and I think that it would probably make sense to create a ticket in support and gather information from you such as your ruleset. Something is going on here that we don't understand.

                         

                        -Matt

                         

                         

                        • 9. Re: Version 8 - Using Active Passport
                          PhilM

                          I'll get a ticket raised and will PM you the number so that you can keep an eye on it.

                           

                          -Phil.
