CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

Hi All, I've spent a day on this without much success. The enforcement module is Checkpoint NGx R61 with HFA_01 on Nokia IPSO 4.1 build 33. It is just a single firewall, but I am running Nokia VRRP on the enforcement module. The SmartCenter is Checkpoint NGx R61 with HFA_01 on Nokia IPSO 4.1 build 33 as well. Everything is running on an eval license. RSA SecurID is running on Windows 2003 Enterprise Server SP2. I also have SmartConsole installed on this server as well. The Nokia enforcement module has an IP address of 10.209.84.36/24 with the VRRP IP address of 10.209.94.35. The SmartCenter has an IP address of 10.209.84.37/24. RSA SecurID has an IP address of 10.209.84.27/24. I created an account on the RSA server called "testme" and gave it Administrator privilege. I also created an agent host for the SmartCenter. I then generated the file sdconf.rec for this agent host and dumped it into the /var/ace directory of the SmartCenter. Then I cpstop;cpstart the SmartCenter. I then created an admin account on the SmartCenter and gave it SecurID. I can log into the SmartCenter with the account I created on the RSA server just fine. Everything is good so far. I then created another agent host on the RSA server for the Nokia firewall. On the agent host for the Nokia firewall, I specified "communication server". I specified the IP address 10.209.84.36 for the agent host; on the "secondary nodes", I specified the VRRP address of the Nokia firewall. I then generated the sdconf.rec file and dumped it into the /var/ace directory of the Nokia firewall. I then performed "cpstop;cpstart" on the Nokia firewalls. I created a "generic*" account with an external profile on the SmartCenter and assigned "SecurID" for authentication. I then created a user group called "test-group" with generic* as a member. I then created a SecuRemote VPN rule via simplified mode. Finally I pushed the policy.
Now every time I try to authenticate via SecuRemote, I always see this message in the RSA server log file: testme/dca2-nokia-1-P access denied, bad user password. I know that I have the right password because this testme account is the admin account that I use to log onto the RSA server itself. I've seen this error in the past and to fix it, I have to regenerate a new sdconf.rec file. However, I've done it about 20 times already this time around and it is still not working. Can someone help please? Thanks.

There are two ways that you can fix this. There is actually an excellent answer in the RSA and the Check Point knowledgebase. The problem is that you don't always know which IP the Nokia will send to the RSA server. In some cases, the agent libraries (client side) will use the wrong interface IP in the decryption and authentication will fail. To overcome this, place a new text file "sdopts.rec" next to "sdconf.rec" with the line "CLIENT_IP=x.x.x.x", where "x.x.x.x" is the agent's primary IP as defined on the server (the IP of the interface that the server is routed to). Use the VRRP address and place the sdopts.rec file on both boxes. It is what I do personally and it works well. You will also need to copy the sdconf.rec file from the master to the secondary unit if you use the VRRP address. Check Point actually say to use the member's IP address and have an entry for each box, saving the need to copy the sdconf.rec file. However, I find you have to tell the box not to NAT when doing this. To prevent the cluster member from hide NATing its unique IP, add the line "no_hide_services_ports = { .., <5500, 17> };" to the $FWDIR/lib/table.def file on the Management Server and install policy. The changes are lost when you upgrade the box, so personally I stick with using one entry and the cluster IP address in the sdopts.rec, as it works across the upgrades as well.

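The sdopts.rec fix above, written out as a small POSIX sh helper so that the CLIENT_IP entry is placed next to sdconf.rec, validated, and checked to be consistent across both cluster members. This is an added example, not code from the thread or from Check Point, RSA or Nokia. It assumes the ACE directory (/var/ace in the thread) and the address to pin are passed in as arguments, that the agent honours CLIENT_IP=<addr> in sdopts.rec as the post states, and that the correct address is the VRRP address of the cluster; the address and file contents used in the usage below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): manage the sdopts.rec file that pins
# the source address the RSA ACE agent presents to the SecurID server.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, leading/trailing/double dots
    esac
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')  # split into octets (function-local $@)
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Write "$1/sdopts.rec" with CLIENT_IP=$2. Refuses to run if the address is
# malformed or if sdconf.rec is not yet in place (agent not set up), so a
# typo cannot silently produce a file the agent will reject.
write_sdopts() {
    acedir=$1
    client_ip=$2
    valid_ipv4 "$client_ip" || { echo "bad CLIENT_IP: $client_ip" >&2; return 1; }
    [ -f "$acedir/sdconf.rec" ] || { echo "no sdconf.rec in $acedir" >&2; return 1; }
    printf 'CLIENT_IP=%s\n' "$client_ip" > "$acedir/sdopts.rec"
    chmod 600 "$acedir/sdopts.rec"   # assumption: keep the file readable by root only
    echo "$acedir/sdopts.rec"
}

# Print the address currently pinned in "$1/sdopts.rec" (empty if no file).
sdopts_client_ip() {
    sed -n 's/^CLIENT_IP=//p' "$1/sdopts.rec" 2>/dev/null
}

# The post notes that pinning the VRRP address requires the same sdconf.rec
# on both members: return 0 when the two ACE directories hold identical copies.
same_sdconf() {
    cmp -s "$1/sdconf.rec" "$2/sdconf.rec"
}

# Usage on a member (constructed address, not the thread's real one):
#   write_sdopts /var/ace 192.0.2.35 && sdopts_client_ip /var/ace
```

Run write_sdopts on each cluster member with the same VRRP address, then use same_sdconf (for example over a copy pulled from the master) to confirm the sdconf.rec files did not drift after a regeneration; a mismatch there produces exactly the "bad user password" symptom described in the opening post.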
mcnallym, thank you very much for your post and I will try what you suggested. What bothers me is that this identical setup works perfectly with Checkpoint NG AI R55(w). What changed in NGx that makes it stop working? The other thing is that I use a VRRP configuration even though I only have a single device, but I plan on adding another one in the future. When running tcpdump on the Nokia, I see it sourced from the VRRP IP address. If so, the secondary nodes on the RSA should take care of this, right? Thanks.

To be honest I have been doing this since NG FP3, as it never worked properly unless I did this to get VRRP to work with the RSA server, so I'm not sure how it works on R55 unless you have been lucky and Check Point always sent with the correct address. I find the secondary node config far too much work to do, which is why I use the sdopts.rec file instead to force it to use an IP address.

mcnallym, your method works perfectly with NGx R61 with HFA_01. However, I tried it on an NG Feature Pack 3 firewall and an NG with AI R55w firewall WITHOUT the sdopts.rec file and it works fine there, and I have VRRP configured on ALL of the firewalls. Just like you said, it is the luck of the draw I guess. Thanks again.