2007-07-09
cciesec2006
SecureRemote Authentication with RSA SecurID version 6.1

Hi All,

I've spent a day on this without much success.

Enforcement module is Checkpoint NGx R61 with HFA_01 on
Nokia IPSO 4.1 build 33. Just a single firewall, but I am running
Nokia VRRP on the enforcement module.

SmartCenter is Checkpoint NGx R61 with HFA_01 on Nokia IPSO 4.1 build 33
as well.

Everything is running on eval license.

RSA SecurID is running on Windows 2003 Enterprise Server SP2. I also
have SmartConsole installed on this server as well.

Nokia Enforcement module has an IP address of 10.209.84.36/24 with
the VRRP ip address of 10.209.94.35.

SmartCenter has an IP address of 10.209.84.37/24.

RSA SecurID has an IP address of 10.209.84.27/24.

I created an account on the RSA server called "testme" and gave it
Administrator privilege. I also created an agent host for SmartCenter.
I then generated the file sdconf.rec for this agent host and dumped it
into the /var/ace directory of the SmartCenter. Then I ran cpstop;cpstart
on the SmartCenter. I then created an admin account on the SmartCenter
and gave it SecurID. I can log into the SmartCenter with the account
I created on the RSA server just fine. Everything is good so far.

I then created another agent host on the RSA server for the Nokia
firewall. On the agent host for the Nokia firewall, I specified "communication
server". I specified the IP address 10.209.84.36 for the agent host;
on the "secondary nodes", I specified the VRRP address of the Nokia firewall.
I then generated the sdconf.rec file and dumped it into the /var/ace directory
of the Nokia firewall. I then performed "cpstop;cpstart" on the Nokia
firewalls.

I created a "generic*" account with an external profile on the SmartCenter
and assigned "SecurID" for authentication. I then created a user group
called "test-group" and have generic* as a member. I then created a
SecureRemote VPN rule via simplified mode. Finally, I pushed the policy.

Now every time I try to authenticate via SecureRemote, I always see this
message in the RSA server log file:

testme/dca2-nokia-1-P
access denied, bad user password.

I know that I have the right password because this testme account is
the admin account that I use to log onto the RSA server itself.

I've seen this error in the past and to fix it, I have to regenerate a new
sdconf.rec file. However, I've done it about 20 times already this time
around and it is still not working.

Can someone help please? Thanks.