Environment
Novell Access Management 3 Linux Access Gateway
Novell Access Manager 3 Interim Release 2 applied
Situation
When a user authenticates to the IDP server while accessing a
protected resource on the Access Gateway server, a cookie is set
for the lifetime of that session. Subsequent requests to the Access
Gateway include this session cookie. The Access Gateway proxy
service parses the session cookie and validates it; one
validation test is to make sure that the IP address of the
user-agent that authenticated initially is the same as the one that
is sending subsequent requests with that cookie. The goal of this
check is to prevent session hijacking.
There appears to be an inconsistency between the Linux Access Gateway (LAG) and the NetWare Access Gateway (NAG) on this. The NAG performs this check by default, but the LAG does not appear to do any IP address checks.
Resolution
The LAG update in Access Manager Support Pack 1 Beta 1 and onwards
will do IP address checks. If an administrator needs to disable
this for any reason, it can be done by creating the file
/etc/lagDisableAuthIPCheck and doing an "apply" to apply the
configuration change.
The corresponding switch on the NAG, available with all NAG builds, is to load the proxy in the appstart.ncf file with the '-ri' option (remove IP address check), e.g. load proxy -ri.
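The session-binding check described in the Situation section, together with the file-based kill switch from the Resolution, can be modelled in a few lines. The following is an added illustration, not Novell code and not how the LAG or NAG proxy is implemented internally; the SessionStore class, the demo() function, the IP addresses and the user names are constructed for this example. The only value taken from the TID is the /etc/lagDisableAuthIPCheck path, and the example reads that flag on every request, whereas the real LAG only picks it up after an "apply".

```python
import os
import secrets
import tempfile
import time

# Kill-switch path modelled on the LAG's /etc/lagDisableAuthIPCheck from the TID.
# It is a constructor parameter so the demo can point it at a temporary file.
DEFAULT_DISABLE_FILE = "/etc/lagDisableAuthIPCheck"


class SessionStore:
    """Server-side session table that binds each session cookie to the
    client IP seen at authentication time (the check the TID describes).
    Hypothetical class written for this example."""

    def __init__(self, ttl_seconds=3600, disable_file=DEFAULT_DISABLE_FILE):
        self.ttl = ttl_seconds
        self.disable_file = disable_file
        self._sessions = {}  # cookie value -> {"user", "ip", "expires"}

    def ip_check_enabled(self):
        # Presence of the flag file turns the IP check off, as on the LAG.
        return not os.path.exists(self.disable_file)

    def create(self, user, client_ip, now=None):
        """Issue a fresh random cookie value after a successful IDP login."""
        now = time.time() if now is None else now
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {"user": user, "ip": client_ip,
                                  "expires": now + self.ttl}
        return cookie

    def validate(self, cookie, client_ip, now=None):
        """Return (accepted, reason) for a request presenting this cookie."""
        now = time.time() if now is None else now
        sess = self._sessions.get(cookie)
        if sess is None:
            return False, "unknown-session"
        if now >= sess["expires"]:
            del self._sessions[cookie]
            return False, "expired"
        if self.ip_check_enabled() and sess["ip"] != client_ip:
            # Same cookie from a different source address: treat it as a
            # possible hijack, reject it and keep the reason for the audit log.
            return False, "ip-mismatch"
        return True, "ok"


def demo():
    """Walk through the scenario: accept a same-IP request, reject an
    other-IP request, then show the flag file disabling the check.
    Returns the list of validation reasons in order."""
    with tempfile.TemporaryDirectory() as tmp:
        flag = os.path.join(tmp, "lagDisableAuthIPCheck")  # does not exist yet
        store = SessionStore(ttl_seconds=600, disable_file=flag)
        # Constructed documentation-range addresses, not real clients.
        cookie = store.create("alice", "192.0.2.10", now=1000.0)
        results = [
            store.validate(cookie, "192.0.2.10", now=1001.0)[1],
            store.validate(cookie, "198.51.100.7", now=1002.0)[1],
        ]
        open(flag, "w").close()  # administrator creates the disable file
        results.append(store.validate(cookie, "198.51.100.7", now=1003.0)[1])
        results.append(store.validate(cookie, "198.51.100.7", now=1600.0)[1])
        results.append(store.validate("bogus", "192.0.2.10", now=1004.0)[1])
    return results


if __name__ == "__main__":
    print(demo())  # ['ok', 'ip-mismatch', 'ok', 'expired', 'unknown-session']
```

The "ip-mismatch" reason is what a defender wants in the proxy log: a burst of them for one session is a hijack indicator, while a steady trickle across many users usually means clients whose source address legitimately changes mid-session (NAT pools, mobile networks), which is the situation in which an administrator would reach for the disable file or the NAG's -ri switch instead of turning off the check blindly.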