CPUG: The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello guys, I'm having trouble configuring RSA on NG R55. How do I authenticate myself on Management via RSA? I have done these steps:

1. Under Administrator I have created one user with authentication scheme "use Radius".
2. Under RADIUS server I have created one server with the host (RADIUS host) and version 2.
3. Policy from MGMT to RADIUS server, service udp 1812.

I remember that I have done the same on NGX and all works fine there. Thank you Gurus :)
Why use RADIUS and not SDI? (Assuming SPLAT here.) Create /var/ace and copy the sdconf.rec file to it; you can set your management users to SecurID authentication and all should be happy. The one problem I've had with RSA is if you have more than one interface you really need to create the sdopts.rec file as follows:

- Place a new text file sdopts.rec next to the sdconf.rec file in the /var/ace directory.
- In the sdopts.rec file, insert the line CLIENT_IP=x.x.x.x, where "x.x.x.x" is the cluster member's primary IP address, as defined on the ACE server.
5500 udp is the native SecurID port. RSA/ACE supports two protocols: RADIUS and SDI. SDI has better support for the different token modes. RADIUS is for supporting devices that don't do SDI. RSA will tell you that the included RADIUS server isn't really useful as a general-purpose RADIUS server and should not be used as such.
My OS is win3k. I have put that file in c:\windows\system32, but in the log I see that the MGMT tries to connect to the IP address of my RSA server and the IP address is wrong. I have also used the RSA editor on sdconf.rec to change the IP address, but the error is the same :(. Thank you for your support.
OK, now it works fine; I had to stop and restart the fw1 service :). Another question: is it possible to do the same on Check Point 4.1? Because I can install the database only on the gateway and not on the MGMT. Many thanks again :)
Hi all, under the same issue :-( I am not allowed to post a new thread? I don't know why. Anyway, I have an issue related to the same subject.

1. I have RSA ACE Server
2. R55 MGMT
3. Citrix CAG WI
4. RADIUS key placed in ACE

Rules for VPN are: VPN User > any > any > any. Authentication type RADIUS + S.ID. Agent host defined for both Citrix + FW + ACE. sdconf.rec was placed etc.... Everything was working fine. I have upgraded RSA ACE Server and then it starts:

1. Users coming through the Citrix WI CAG box are authenticated through RSA SecurID token; works fine. But when the same users try from SecuRemote VPN my RSA gives me this error:

```
From: 03/27/2007 11:22:35 Activity Log Monitor Date: 03/27/2007 11:27:54 For: All Users Page: 1 of 1
Description (Site) Server
03/27/2007 10:24:36U musman/CITRIX 000076476130/Malik 03/27/2007 11:24:36L Passcode accepted rsaserver.abc.ie
03/27/2007 10:26:26U musman/FIREWALL 000076476130/Malik 03/27/2007 11:26:26L ACCESS DENIED, passcode incorrect rsaserver.abc.ie
03/27/2007 10:27:31U musman/FIREWALL 000076476130/Malik 03/27/2007 11:27:31L ACCESS DENIED, passcode incorrect rsaserver.abc.ie
```

Any idea? Communication between RSA and Firewall is fine; rules are opened and were working fine; there was no issue. The same user with the same token is accepted, as you can see in the log, but the same user with the same token gets ACCESS DENIED, passcode incorrect when it comes from the Firewall.

Thanks, MUsman

Last edited by Maliklahore; 2007-04-12 at 02:52.
I got the solution.... have a look:

1. The file to copy is "sdconf.rec", located in the ACE\data directory of the server. Copy it to a directory on the firewall module (not firewall management):
   - Windows: \winnt\system32
   - Unix/Linux: var/ace
2. On the RSA/ACE server, create a client for the firewall. Client type is:
   - Windows: NetOS
   - Unix/Linux: Unix Client
3. If the ACE/Server log says "Access denied/passcode incorrect" when authenticating through the firewall, you need to do more work as follows. The problem is due to the firewall having more than one interface.
4. Install the ACE/Agent on the firewall. This will also install other diagnostic utilities.
5. Use the ACE/Agent utility, sdcfgval, to determine the IP address and name used by the ACE/Agent on the firewall. From the ace/prog directory of the firewall, run (Unix/Linux shown below):

   ```
   # ./sdcfgval current_host
   # ./sdcfgval current_host_addr
   ```

6. Use the name and address given by the two commands above as the primary entry in the ACE/Server client database.
7. Add the other IP addresses of the firewall as secondary nodes.

Before trying to authenticate again, remove the node secret:

1. Delete the securid file from the firewall:
   - Windows: \winnt\system32
   - Unix/Linux: var/ace
2. On the ACE/Server, edit the firewall client and clear the "node secret sent" box.

Other things:

1. Make sure the firewall and the ACE/Server are time synchronized.
2. Make sure your firewall rules allow SecurID communications going through (the firewall implied rule is doing it already).

Last edited by Maliklahore; 2007-04-12 at 09:35.