CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Background: We currently have two divisions using different VPN authentication models that we need to combine. Our EC division uses native ACE with RSA tokens and the generic* group. Our CIS division uses Shiva RADIUS with VASCO tokens and just has to list the RADIUS groups on the Check Point firewall rulebase. They have role-based VPN access where EC does not. The plan is to migrate the CIS implementation onto the EC implementation and replace all VASCO tokens with RSA tokens while maintaining their role-based access and not requiring every individual username to be created on the firewall. Our initial thought was to use the ACE server as a RADIUS server and create the groups there while pulling in the usernames from Active Directory with LDAP sync, but we have been having trouble getting the attributes to do what we want (Tom Hartig, one of my engineers, can fill in the details here). So we are looking to talk through how we can best accomplish this integration. Maybe it would be best to keep the Shiva? I am also curious about what the Active Directory integration opportunities are to be able to reduce the number of user stores. How can RSA/RADIUS play with AD/IAS? How does the authentication flow work? Any ideas?
If you have the SmartDirectory or Pro Add-on license, then through the use of the LDAP protocol you can leverage Active Directory as a single authentication and user directory store. You could set up an Active Directory Application Mode (ADAM) instance and then use the Check Point extended attributes to point the firewalls at the specific authentication service that each user needs to use. The advantage of using an ADAM instance is that you won't have to play around with your production AD instance to get this working. If you want to go the whole way, you could extend your ADAM instance with the CP attributes and then also implement the RSA/SecurID integration for self-provisioning etc. Dunno whether the VASCO side has this or not, I've not played with it. Configuration information for Check Point and Active Directory is found in the standard Check Point documentation. However, configuration information for Check Point and ADAM is available in this guide.

Cheers
Greg