CPUG: The Check Point User Group


Thread: RSA SecureID auth to GAIA

  1. #1
    Join Date
    2016-09-23
    Posts
    1
    Rep Power
    0

    RSA SecureID auth to GAIA

    Hello. I'm pretty new to Checkpoint and am looking to configure our firewalls so that a number of users (in an AD group hopefully) can use their RSA fobs to authenticate to the web GUI as well as through SSH. We are using ver. 77.30 and currently log in to the Checkpoint servers via a local account and shared password.

    We currently authenticate our VPN connections using this method (pin and one-time code) as the RSA servers are set up as RADIUS servers, so I don't feel like there is much to do. I'm coming up short, however, in finding a doc that incorporates both the Checkpoint side configuration changes as well as the RSA side. So far, in RSA, I've added one Checkpoint server as a client. On the firewall itself I went to authentication manager and added one of the RSA servers as a RADIUS server.

    I'm pretty sure I'll have to at least do two more things. 1) create a firewall rule to allow traffic over the default port and 2) copy the sdconf.rec file to /var/ace. Any guidance or links to a document outlining this is appreciated.

    Thanks
    Last edited by Museon; 2016-09-25 at 17:57.

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,458
    Rep Power
    8

    Re: RSA SecureID auth to GAIA

    Originally Posted by Museon
    Hello. I'm pretty new to Checkpoint and am looking to configure our firewalls so that a number of users (in an AD group hopefully) can use their RSA fobs to authenticate to the web GUI as well as through SSH. We are using ver. 77.30 and currently log in to the Checkpoint servers via a local account and shared password.

    We currently authenticate our VPN connections using this method (pin and one-time code) as the RSA servers are set up as RADIUS servers, so I don't feel like there is much to do. I'm coming up short, however, in finding a doc that incorporates both the Checkpoint side configuration changes as well as the RSA side. So far, in RSA, I've added one Checkpoint server as a client. On the firewall itself I went to authentication manager and added one of the RSA servers as a RADIUS server.

    I'm pretty sure I'll have to at least do two more things. 1) create a firewall rule to allow traffic over the default port and 2) copy the sdconf.rec file to /var/ace. Any guidance or links to a document outlining this is appreciated.

    Thanks

    SSH/WebUI can only use TACACS or RADIUS (that I know of) for authentication. What you would do is set up a RADIUS server (maybe your RSA server has RADIUS) and then basically tell the firewall to auth using RADIUS to the RSA server.

    The way this works is the firewall has no idea RSA auth is being used; it just knows RADIUS is flying around. It's then up to the RADIUS server to interact with validating the token password.

    /var/ace is more for Checkpoint as an application. What I mean is, say you want Legacy Auth or remote access VPN or smart dashboard (drop RSA files on mgmt server).

    sk72940 has tips on RADIUS servers.

    sk105542 has a better walk through on the RADIUS bits on the OS (Gaia).
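
The RADIUS exchange described in the reply above, as an added example that is not part of the thread and is not Check Point or RSA code: it builds the Access-Request a RADIUS client sends (RFC 2865) and recovers the passcode on the server side, showing that the client only ever handles an opaque User-Password protected by the shared secret. The user name, PIN plus tokencode, shared secret and client address are constructed sample values.

```python
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST = 1                                  # RFC 2865 packet code
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute types

def _keystream_xor(data, secret, authenticator, decrypt=False):
    """RFC 2865 sec. 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block if decrypt else xored  # always chain on the ciphertext block
        out += xored
    return out

def hide_password(passcode, secret, authenticator):
    if not 1 <= len(passcode) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    return _keystream_xor(passcode + b"\x00" * (-len(passcode) % 16), secret, authenticator)

def unhide_password(hidden, secret, authenticator):
    return _keystream_xor(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(ident, user, passcode, secret, nas_ip, authenticator=None):
    """Client side: what the firewall (the RADIUS client) sends for one login attempt."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(passcode.encode(), secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in (
        (USER_NAME, user.encode()), (USER_PASSWORD, hidden),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Server side: walk the type/length/value attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

if __name__ == "__main__":  # constructed sample values, not from the thread
    pkt = build_access_request(7, "jdoe", "1234" + "567890", b"sample-secret", "192.0.2.10")
    print(pkt.hex())
```

Because the passcode is protected only by an MD5 keystream derived from the shared secret, the secret configured on both the firewall and the RADIUS server should be long and random.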
