topic Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager in Firewall and Security Management

RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Milos_Jovovic — Tue, 17 Jul 2018 10:43:50 GMT

Hello Team,

I was going through integration of securID RSA Auth. Manager with CheckPoint Cluster (2x5200 NGGW's with 77.30 Gaia on it).

Made one object for checkpoint agent on RSA auth. manager console (with ip of CP cluster). What name i have to put here? There is written to put name of securID agent object in CheckPoint smart dashboard. What is that name (securID server object? or someting else?).

I have configured External user profile with match-all-users option (is this correct? we need to forward all auth request to RSA Auth. manager. In CheckPoint endpoint security vpn client we have three fields (username, PIN and token)). We have one passphrase (PIN and token), for one user. Is this only one factor or two? I am confused here.

I have configured this external user group to be part of new user group securid_user_grupa:

I have put authentication sheme securid for this external user profile:

I have put this user group in remote access community for RAVPN connections:

I have put the same sdconf.rec file on both gw's in cluster (active and standby) on path /var/ace/

Installed policy and authentication does not work, zero packets going from CP cluster to RSA auth. manager.

In vpn debug log files there is error “Access denied - wrong user name or password”.

It is like CP tries to authenticate users in internal user database in MGMT server.

I off course put in GW>>>VPNClient>Auth.>>>auth sheme to securID (chose securID server object).

Do I have to do cpstop/cpstart on gw's to make this work?

Eny suggestion? Maybe I have to change in external user profile type to match by domain?

Do i have to check this box omit domain name when auth. users?

Thanks Everyone for help.

Any help would be appreciated a lot.

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Milos_Jovovic — Tue, 17 Jul 2018 10:52:22 GMT

RSA agent host (CPGW cluster) name doubt from RSA guide:

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Milos_Jovovic — Tue, 17 Jul 2018 18:32:29 GMT

Anybody to help?

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

_Val_ — Wed, 18 Jul 2018 07:29:48 GMT

Hi Milos,

I assume you went through the RA VPN Admin Guide and still cannot find the solution to work.

There are quite a few step by step tutorials out there, such as this one or that one. Both are quite old, so screenshots and parameters might be looking a bit different with the version you are using.

The flow you have described above seems legit, but I suggest you go over the links I am giving you, just in case. If all the configuration details are good, you might need to start troubleshooting.

I advise you the following troubleshooting flow:

1. Make sure basic VPN auth is working for you. To do so, add a local test user account on your management, put it into the VPN auth scheme and check it can authenticate and establish a RA VPN.

2. Repeat the same test with a RADIUS user.

3. If it is still not working for you, check the following:

a. Connectivity to RADIUS auth server from FW. Make sure FW can reach RADIUS server without an issue.
b. Run a trace during authentication request between FW and RADIUS server. Make sure RADIUS responds.

c. What is the response? If auth error, look at the RADIUS logs to see why it was rejected.
d. How FW is talking to RADIUS? Since it is a cluster, does it use VIP or physical IP? Check that RADIUS server does not reject FW request because of IP mismatch.

If this does not help, let me know.

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Milos_Jovovic — Wed, 18 Jul 2018 08:34:52 GMT

Thank You Valeri,

RAVPN works as a charm with cp user/pass.

We do not need radius, customer wants only securID (UDP agent -UDP5500 port uses).

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

_Val_ — Wed, 18 Jul 2018 09:19:43 GMT

Okay, sorry for that mistake.
However, the troubleshooting steps stand. I can see you are using this RSA user guide to configure your system. Assuming you did the configuration as described there on both sides, look into inter-communication between SecureID and FW cluster. The same recommendations as for step 3 above, just for SecureID and not RADIUS.

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Milos_Jovovic — Wed, 18 Jul 2018 09:55:01 GMT

Thank You.

One missundersanding here just to clarify:

In EndPoint VPN client we have the following three fields (when chosen securID HW token-as customer has/wants):

We configured in Smart Dashboard only one factor: securID.

Are these all three fields regarding this securID auth sheme chosen in Smart Dashboard?

username confuses me a lot here

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

_Val_ — Wed, 18 Jul 2018 11:41:18 GMT

Tokens are assigned to particular users, aren't they? Username still stands.

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Milos_Jovovic — Wed, 18 Jul 2018 12:38:48 GMT

I can not remove a PIN option/field from CheckPoint EndPoint VPN client (when securID chosen).

On RSA side (auth.manager/server) a token is stick with a username (user) and after that PIN is connected with token.

Theory should be clear.

But for some reason zero packets are sent to RSA auth.manager when RAVPN connection is

made (fwmonitor- no packets captured). And vpn debug logs whos wrong username/password (like that there is chosen in VPNclients>>>auth>>>user/pass). I have chosen secureID as auth sheme, not username pass.

A customer on RSA side has configured CheckPoint agent host like:

This hostname I am not sure is it correct (a customer put CheckPoint).

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Milos_Jovovic — Wed, 18 Jul 2018 12:43:25 GMT

10.10.7.1 is VIP od CheckPoint Cluster (2x5200 R77.30 GW's)

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

_Val_ — Wed, 18 Jul 2018 12:45:15 GMT

Okay, so your problem is that the request is not sent to SecureID server. After timeout you have auth error, of course. Check config on MGMT (Objects, IPs and Auth server details) and GW (sdconf, etc) side and of course, make sure FW is not dropping its own traffic to RSA.

If you are lost, it does not hurt to open a support request.

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Milos_Jovovic — Wed, 18 Jul 2018 12:52:13 GMT

CheckPoint cluster and RSA auth. server have full network visibility (all services are allowed).

I opened a ticked/Service request but with no luck (CP did not conclude what is the catch).

Do i need to perform CPSTOP and CPSTART to make this work?

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Aldwin_Aquino — Fri, 06 Dec 2019 02:26:14 GMT

Hi, you able to resolve the issue?

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

DanielAmlung — Tue, 31 Mar 2020 12:56:56 GMT

I would like to push this Topic - i also do have issues with my RSA connections.We replaced our gateways with new hardware and installed R80.30. I cleared node secret for both agents and downloaded the sdconf.rec file from the rsa server. Then copied the file to /var/ace and also changed rights on that file to 777

Its the same setup as descriped and also the same error messages in

vpnd log "[ACE5] au_sd_ace_io_trigger(au=a00e650): ** USER/PW DENIED BY ACE **"

client log "IKE connection failed, error code=-1000. Reason: Access denied - wrong user name or password"

RSA real time monitor has the following output:

Log Level: ERROR

Activity Key: Principal authentication

Description: User "XXX" attempted to authenticate using authenticator "SecureID_Native". The user belongs to security domain "SystemDomain"

Result: Authentication method failed

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

DanielAmlung — Mon, 06 Apr 2020 11:50:06 GMT

I found a solution for my problem: as suggested here in the Admin Guide "https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SecurityManagement_AdminGuide/html_frameset.htm" add the file "sdopts.rec" to the /var/ace folder. The file should contain the CLIENT_IP=(ip) line, where (ip) is the primary IP address of the Security Gateway, as defined on the ACE/Server. This is the IP address of the interface to which the server is routed.

I did that before and it didnt work - after somedays i found a blog post where its written that you need to a space between = and the IP address - CLIENT_IP= (IP) - This did the trick and authentication now works!