CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Trying to get RSA SecureID Tokens working

  1. #21
    Re: Trying to get RSA SecureID Tokens working

    Still nothing working here.

    This is what I'm planning for the weekend. Based on the following DOC which is the newest I can find from Checkpoint.


    My question is what needs to be done regarding the object creation on the firewall. Do I still need to create the secureid object from the smartdashboard and import the sdconf.rec file?
    Should I be skipping all of the stuff below and just importing the rec file to the management server and it knows what to do now?
    There really isn't any good current doc on this



    Integrating RSA ACE server with VPN-1/FireWall-1 R55 Gateway cluster for SecurID authentication

    Environment
    xxx.131.xxx.167 primary_int
    xxx.131.xxx.168 secondary_int
    xxx.131.xxx.162 cluster_int (VIP)
    xxx.130.xxx..19 ace_server
    xxx.130.xxx..22 ace_server

    On the ACE Server
    1) Create an agent host for xxx.131.xxx.162.
    2) Generate the node secret file for the agent host xxx.131.xxx.162.
    3) Verify the SecurID user has been activated for the agent host xxx.131.xxx.162.
    4) Generate the sdconf.rec file for the agent host xxx.131.xxx.162.
    5) Copy the sdconf.rec file generated for the agent host xxx.131.xxx.162 to the primary gateway.
    6) Copy the sdconf.rec file generated for the agent host xxx.131.xxx.162 to the secondary gateway.
    Note: If using FTP for file transfer use binary mode to prevent file corruption.

    On the primary gateway
    1) Type cpstop to stop the firewall services.
    2) Copy the sdconf.rec file generated for the agent host xxx.131.xxx.162 to the following directory:
    /var/ace (for UNIX)
    3) In some cases, the agent libraries on the primary firewall (client side) will use the wrong
    interface IP in the decryption, causing authentication to fail. To prevent this create a blank
    text file with the filename sdopts.rec in the following directory:
    /var/ace (for UNIX)
    4) Edit the sdopts.rec file and enter the following line:
    CLIENT_IP=xxx.131.xxx.162
    5) Save the edited sdopts.rec file and exit the editor.
    6) Type cpstart to start the firewall services.

    On the secondary gateway
    1) Type cpstop to stop the firewall services.
    2) Copy the sdconf.rec file generated for the agent host xxx.131.xxx.162 to the following directory:
    /var/ace (for UNIX)
    3) In some cases, the agent libraries on the secondary firewall (client side) will use the wrong
    interface IP in the decryption, causing authentication to fail. To prevent this, create a
    blank text file with the filename sdopts.rec in the following directory:
    /var/ace (for UNIX)
    4) Edit the sdopts.rec file and enter the following line:
    CLIENT_IP=xxx.131.xxx.162
    5) Save the edited sdopts.rec file and exit the editor.
    6) Type cpstart to start the firewall services.

    On the SmartCenter Server (Management module)
    1) Type cpstop to stop the firewall services.
    2) Backup the $FWDIR/lib/table.def file.
    3) Edit the $FWDIR/lib/table.def file with a text editor.
    Note: The procedure to edit the table.def file is for the purpose of preventing the cluster member from hide NATing its own real IP address.
    4) Locate the line starting with the string no_hide_services_ports, which looks like the following:
    no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17> };
    5) Change to:
    no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <5500,17> };
    6) Save the edited table.def file and exit the editor.
    Note: When the version or HFA of the SmartCenter Server (management module) is upgraded, the changes made to table.def file are lost.
    7) Type cpstart to start the firewall services.
    8) Log in to SmartDashboard.
    9) Install the Security Policy.

    On the primary gateway
    1) Assuming that the primary firewall is now the active firewall handling the Securid
    authentication connection, initiate a connection that will trigger the SecurID authentication
    with the primary gateway
    2) The following two files will be generated in the /var/ace (for UNIX)
    sdstatus.12
    securid
    3) Copy the sdstatus.12 and securid files to the following directory on the secondary gateway:
    /var/ace (UNIX)
    At this point, SecurID authentication will work for both the primary and secondary gateway

  2. #22
    Re: Trying to get RSA SecureID Tokens working

    Quote Originally Posted by jflemingeds:
    I just turned RSA on firewall 3 weeks ago and it was not working until I changed to VIP.

    Out bound connections are hidden behind the VIP by default, unless you've disabled this (no nat, edit a .def files, etc).

    I think before making any more assumptions you need to validate which IP the RSA server is seeing. You could do a packet capture on the RSA server or maybe there is a decent log file that can show the source IP. Not sure.

    JUST a FYI I did not have access to the RSA server. I've just requested the files.
    I believe this is properly addressed in the admin guide. Effectively, a GW-originated connection is NAT-ed with the VIP, unless table.def is modified to "no nat" for UDP 5500. Although it works with the VIP address without modifying it, you lose the ability to know which particular cluster member requests authentication. May be useful for troubleshooting.

    Important: for VSX, if "private" mode is enabled for authentication, do not modify table.def, as VS will try to send "funny IP" address, and it will never work.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  3. #23
    Re: Trying to get RSA SecureID Tokens working

    Fail again this weekend.

    Here is what I did. We are trying to get it working using the VIP address this time as recommended by CPUG since the other would not work.

    Received a fresh config file from our RSA admin. Imported it into the Checkpoint object.
    Copied the file to both gateways and removed any existing files.

    Created the sdopts.rec file and entered the following line:
    CLIENT_IP=207.131.147.162

    Bounced the firewalls and pushed policy.

    The sdstatus.12 file is created when testing the logon so we know we are talking with the RSA servers.
    The logon fails.

    RSA server shows the following:
    Activity Key:       Lookup Authentication Agent
    Action Result Key:  Failure
    Result Key:         AUTH_AGENT_NOT_FOUND
    Result:             Authentication agent not found



    Sorry, it doesn't format right and I can't upload screenshots for some reason anymore.

  4. #24
    Re: Trying to get RSA SecureID Tokens working

    Just found this on the RSA site. Describes the error we are seeing on their server.

    https://community.rsa.com/docs/DOC-61681

  5. #25
    Re: Trying to get RSA SecureID Tokens working

    Quote Originally Posted by phlegm:
    Just found this on the RSA site. Describes the error we are seeing on their server.

    https://community.rsa.com/docs/DOC-61681
    Check what is defined on RSA side. It has to be consistent with what is set on CP cluster. We have already discussed here two different cases of VIP and private cluster IP addresses. Just make it consistent, it should be working out of the box.

    You may want to snoop SecureID requests coming from your FW to make sure which IP is used as a source.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
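As an added illustration of the checks discussed in posts #21 and #25 (not code from the thread or from Check Point), the script below verifies the agent files on a gateway, confirms the UDP/5500 hide-NAT exception in table.def, and lists the source IPs that a "tcpdump -n" text capture shows for SecurID requests. All paths, addresses (TEST-NET ranges) and sample files are constructed; on a real gateway ACE_DIR would be /var/ace.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point. Checks the agent
# files described in post #21 and, per post #25, which source IP a capture of
# UDP/5500 SecurID traffic shows. Paths and addresses are constructed
# (TEST-NET ranges); on a real gateway ACE_DIR would be /var/ace.

# check_ace_files DIR EXPECTED_IP: 0 if sdconf.rec is present and sdopts.rec
# pins CLIENT_IP to the address registered as the agent host on the RSA side.
check_ace_files() {
    [ -s "$1/sdconf.rec" ] || { echo "missing $1/sdconf.rec"; return 1; }
    got=$(sed -n 's/^CLIENT_IP=//p' "$1/sdopts.rec" 2>/dev/null)
    [ "$got" = "$2" ] || { echo "CLIENT_IP is '$got', expected $2"; return 2; }
}

# check_table_def FILE: 0 if UDP/5500 is listed in no_hide_services_ports,
# so the cluster member does not hide-NAT its own SecurID requests.
check_table_def() {
    grep -E '^no_hide_services_ports' "$1" | grep -qE '<5500, ?17>'
}

# capture_sources FILE: unique source IPs of packets sent to UDP/5500 in a
# "tcpdump -n" text capture ("IP a.b.c.d.PORT > w.x.y.z.5500: UDP ...").
# Compare the result with the agent host IP registered on the RSA server.
capture_sources() {
    awk '/> [0-9.]+\.5500: UDP/ { sub(/\.[0-9]+$/, "", $3); print $3 }' "$1" | sort -u
}

# make_fixture DIR: constructed sample files for the demo below.
make_fixture() {
    mkdir -p "$1"
    printf 'not-a-real-sdconf' > "$1/sdconf.rec"
    printf 'CLIENT_IP=192.0.2.162\n' > "$1/sdopts.rec"
    printf 'no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <5500,17> };\n' \
        > "$1/table.def"
    cat > "$1/capture.txt" <<'EOF'
10:00:01.000 IP 192.0.2.167.50123 > 198.51.100.19.5500: UDP, length 120
10:00:01.020 IP 198.51.100.19.5500 > 192.0.2.167.50123: UDP, length 80
10:00:04.000 IP 192.0.2.167.50124 > 198.51.100.19.5500: UDP, length 120
EOF
}

ACE_DIR=${ACE_DIR:-$(mktemp -d)}
make_fixture "$ACE_DIR"
check_ace_files "$ACE_DIR" 192.0.2.162 && echo "agent files OK"
check_table_def "$ACE_DIR/table.def" && echo "UDP/5500 excluded from hide NAT"
echo "source IPs seen on UDP/5500:"; capture_sources "$ACE_DIR/capture.txt"
```

A capture in that format comes from running `tcpdump -n udp port 5500` on the gateway; if the addresses printed differ from the agent host registered on the RSA side (VIP or member IP, whichever was chosen), that inconsistency is the usual reason for the AUTH_AGENT_NOT_FOUND entry shown in post #23.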

  6. #26
    Re: Trying to get RSA SecureID Tokens working

    So.... Update.

    We left things for the holidays and today went back to give it another try.
    Got our support on the phone and they got Checkpoint on the phone.

    Setup some sniffing and monitoring and tested our logon.
    It worked.

    I'm happy that it is working now but not pleased that we have no idea why. Ugh.

    Thanks for all the help and tips, people. I wish I had a better explanation for the next person to read this thread because they are having a similar issue.
