CPUG: The Check Point User Group


Thread: MS AD and SecurID VPN Client Authentication

  1. #1
    Join Date
    2016-05-08
    Posts
    5
    Rep Power
    0

    MS AD and SecurID VPN Client Authentication

    Good Evening,

    I've been trying to set up a VPN solution using the VPN client where it first requires a user to enter their Active Directory username and password and then prompts for a token code. In my case at the moment I'm trying with RSA SecurID, but I'm willing to try other token solutions such as SafeNet, SecurEnvoy, etc.

    I can get it to authenticate with AD on its own or with SecurID on its own, but not combined. I can't find any documentation or articles on the internet that explain how to do this.

    Just hoping somebody can help?

    Kind Regards

    Mark.

  2. #2
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,146
    Rep Power
    12

    Re: MS AD and SecurID VPN Client Authentication

    You need to set up the SecurID server to check the validity of the AD account with the AD server.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  3. #3
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,648
    Rep Power
    9

    Re: MS AD and SecurID VPN Client Authentication

    Quote: Originally posted by oldhamuk
    Good Evening,

    I've been trying to set up a VPN solution using the VPN client where it first requires a user to enter their Active Directory username and password and then prompts for a token code. In my case at the moment I'm trying with RSA SecurID, but I'm willing to try other token solutions such as SafeNet, SecurEnvoy, etc.

    I can get it to authenticate with AD on its own or with SecurID on its own, but not combined. I can't find any documentation or articles on the internet that explain how to do this.

    Just hoping somebody can help?

    Kind Regards

    Mark.
    This seems odd to me. Why would you want the user to enter AD login info and then a SecurID token? Wouldn't you only want the user to enter their SecurID token+PIN?

  4. #4
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,648
    Rep Power
    9

    Re: MS AD and SecurID VPN Client Authentication

    I'm not sure if what Maarten posted answered your question, but this SK seems to cover what I think you're trying to do. Never knew about this myself.

    sk86240

    Multiple Authentication Schemes for Mobile Access / Remote Access

    Looks like it defines how you can use Username/Password (which is what I would expect LDAP to fall under) and then SecurID.

    Still not sure why you would want to do that though. If you can, please explain. I might be missing something interesting.

  5. #5
    Join Date
    2016-05-08
    Posts
    5
    Rep Power
    0

    Re: MS AD and SecurID VPN Client Authentication

    Thanks for the replies, I'll have a read of the SK and hopefully it will be what I'm after.

    The reason behind it is that I want to drop the PIN and replace it with the AD password to make up the two factors. The main reason for this is so users don't have to remember another 'password/PIN', as it's just another thing for them to forget.

    I'm keen to hear if people think this is a bad idea and why, as we're still in a POC stage and happy to hear good and bad comments/thoughts on doing it this way, or if people have other ideas.

    Thanks

    Mark.

  6. #6
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,648
    Rep Power
    9

    Re: MS AD and SecurID VPN Client Authentication

    Well, yeah, I think this is a bad idea. I hear you on the pain of yet another password, but you wouldn't be exposing AD creds to the internet if you only used SecurID for login auth.

  7. #7
    Join Date
    2016-05-08
    Posts
    5
    Rep Power
    0

    Re: MS AD and SecurID VPN Client Authentication

    I do agree with you there, and on a number of occasions have thought the same, both in my current role and at other companies, with regard to the credentials. Although currently they are already exposed through the use of webmail and mobile mail solutions, to name two, you could then say it's best to keep the footprint small and therefore opt for the PIN and passcode like you say.

    I'll probably include this in the POC outcome report before a choice is made.

    Regards

    Mark.

  8. #8
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,648
    Rep Power
    9

    Re: MS AD and SecurID VPN Client Authentication

    Quote: Originally posted by oldhamuk
    I do agree with you there, and on a number of occasions have thought the same, both in my current role and at other companies, with regard to the credentials. Although currently they are already exposed through the use of webmail and mobile mail solutions, to name two, you could then say it's best to keep the footprint small and therefore opt for the PIN and passcode like you say.

    I'll probably include this in the POC outcome report before a choice is made.

    Regards

    Mark.
    Yeah, I was going to say they were most likely exposed through another method. In theory you could put all your inet webmail behind the firewall so that it's only accessible once authenticated, but getting there can be tricky and costly (man hours etc).

    Keeping that in mind, it might be a hard sell to say only use 2FA for remote access and not those other utilities.

    Anyway, good luck!
