CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

  #1 (permalink)  
Old 2005-11-16
Junior Member
 
Join Date: 2005-11-11
Posts: 23
Rep Power: 0
jrdld has an average reputation (10+)
Default SecureClient on Pocket PC with SecurID

Does anyone have SecurID authentication working with SecureClient for PPC? Although CP say it is supported and even tell you how to do it in their PPC manual, we just cannot get it to accept the passcode. CP haven't been much help on this.

JR
  #2 (permalink)  
Old 2005-11-16
Member
 
Join Date: 2005-10-25
Location: North Brunswick, NJ
Posts: 38
Rep Power: 0
czech12 has an average reputation (10+)
Default Re: SecureClient on Pocket PC with SecurID

I would think it is the same for SecureClient for Windows. Do you have users that utilize regular SecureClient for Windows that are authenticating properly, or do you not know if the Check Point/RSA traffic is working at all?

Also are you using native SecurID or SecurID over RADIUS?
__________________
====================
Aaron Vivo
CCSE Plus, CCMSE, NSA
====================

Last edited by czech12; 2005-11-16 at 13:08.
  #3 (permalink)  
Old 2005-11-17
Junior Member
 
Join Date: 2005-11-11
Posts: 23
Rep Power: 0
jrdld has an average reputation (10+)
Default Re: SecureClient on Pocket PC with SecurID

It's working fine for Windows clients. We use direct SecurID authentication, rather than via RADIUS. I can authenticate with my own token from a Windows PC, but not from a PDA. I've had others try as well, so it's nothing to do with my user account or token. If I change the user configuration to use password authentication, it works from the PDA, so SecureClient on the PDA seems ok. It's just that it doesn't seem to handle SecurID properly.

JR
  #4 (permalink)  
Old 2005-11-17
Senior Member
 
Join Date: 2005-08-22
Location: Ottawa, Canada
Posts: 347
Rep Power: 4
Lackie has an average reputation (10+)
Default Re: SecureClient on Pocket PC with SecurID

I thought I remembered that the PPC client works like a 4.1 client and can't download the topology with a RADIUS password. I believe you can still use RADIUS but also have to set up a user for the PPC clients for topology download.

Again, not sure if this is what's happening... will look for more information on it.
  #5 (permalink)  
Old 2005-11-17
Junior Member
 
Join Date: 2005-11-11
Posts: 23
Rep Power: 0
jrdld has an average reputation (10+)
Default Re: SecureClient on Pocket PC with SecurID

Here's a quote from the "Supported Features" section of the PPC release notes:

6 Topology download (New Site and Update Site) is supported in the following ways:
• Unauthenticated, if the option Respond to unauthenticated topology requests is enabled on the Management station, topology data is not authenticated and not encrypted (it is signed, however). This method is supported only when the Site is defined as the Management server, and it is of version NG FP1 or older (NG FP2 Management no longer supports this method).
• Authenticated, the user defines the Site as one of the Gateways. The user needs to have a Certificate or an IKE pre-shared secret and should be defined in the User Properties Encryption tab.
• Topology User, if you are not using IKE pre-shared secrets for general authentication and encryption, you can define a Topology User (for New Site and Update Site operations) in the following way: Define one user (with IKE authentication enabled) to be used by all remote users only for defining and updating sites. You should block encryption capabilities for this user. To implement this workaround, proceed as follows:
  a In the Location tab of the user’s User Properties window, set Source and Destination to None.
  b In the Time tab of the user’s User Properties window, uncheck all the days.
  c In the Desktop Security tab of the Properties Setup window, uncheck Respond to unauthenticated topology requests.

7 Supported authentication schemes (for IKE) include PKCS#12 certificates and any challenge-response mechanism, including User/Password, One Time Passwords (RSA SecureID) etc.
The user can enter a SecureID pass-code by selecting User/Password in the Authentication window, entering the RSA user-id in the user field, and the PIN followed by the token code in the password field. New Pin mode is also supported.


They're claiming that both topology download and SecurID are supported, although I don't see the relevance of topology download to my problem.

Incidentally, I'm using a "tested device", the iPAQ 5550.

JR
  #6 (permalink)  
Old 2005-11-17
Senior Member
 
Join Date: 2005-08-22
Location: Ottawa, Canada
Posts: 347
Rep Power: 4
Lackie has an average reputation (10+)
Default Re: SecureClient on Pocket PC with SecurID

Topology download is supported with PPC but not with a RADIUS password. In the information that you posted, you have two options: 1. you are connecting to a management station and set it up to be Unauthenticated, or 2. set up the Topo user as it gives instructions for.
  #7 (permalink)  
Old 2005-11-21
Senior Member
 
Join Date: 2005-11-21
Location: Europe, Lithuania
Posts: 291
Rep Power: 4
Sergej has an average reputation (10+)
Default Re: SecureClient on Pocket PC with SecurID

Do not forget to disable topology updates (somewhere in SmartConsole Properties) if you use a special Topo user. Otherwise you will need to log in with this special static user once per month. In my opinion, such behavior breaks the benefits of two-factor authentication.
  #8 (permalink)  
Old 2006-02-17
Junior Member
 
Join Date: 2006-02-16
Posts: 5
Rep Power: 0
eddie has an average reputation (10+)
Default Re: SecureClient on Pocket PC with SecurID

With regards to setting up a Topology User -

In the user properties location tab, how do you set the location source and destination to 'none'?
  #9 (permalink)  
Old 2006-02-17
Senior Member
 
Join Date: 2005-08-22
Location: Ottawa, Canada
Posts: 347
Rep Power: 4
Lackie has an average reputation (10+)
Default Re: SecureClient on Pocket PC with SecurID

Setting it to none would kind of defeat the purpose as the user has to be 'somewhere' to be able to use it.