
RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Hello Team,

I was going through the integration of the RSA SecurID Auth. Manager with a Check Point cluster (2x5200 NGGWs with Gaia 77.30 on them).

I made one object for the Check Point agent on the RSA Auth. Manager console (with the IP of the CP cluster). What name do I have to put here? It says to put the name of the SecurID agent object from Check Point SmartDashboard. What is that name (the SecurID server object, or something else?).

name of rsa agent object

I have configured an External user profile with the match-all-users option (is this correct? We need to forward all auth requests to the RSA Auth. Manager. In the Check Point Endpoint Security VPN client we have three fields: username, PIN and token). We have one passphrase (PIN and token) for one user. Is this only one factor or two? I am confused here.

external user group - generic*

I have configured this external user group to be part of new user group securid_user_grupa:

external user profile as part of user group

I have put the authentication scheme SecurID for this external user profile:

external user profile authentication sheme

I have put this user group in remote access community for RAVPN connections:

remoteaccess community with securid user group in it

I have put the same sdconf.rec file on both GWs in the cluster (active and standby) in the path /var/ace/

I installed the policy and authentication does not work; zero packets go from the CP cluster to the RSA Auth. Manager.

In the vpn debug log files there is the error “Access denied - wrong user name or password”.

It is as if CP tries to authenticate users in the internal user database on the MGMT server.

I of course set GW >>> VPN Client >>> Auth. >>> auth scheme to SecurID (chose the SecurID server object).

Do I have to do cpstop/cpstart on the GWs to make this work?

Any suggestion? Maybe I have to change the external user profile type to match by domain?

external user profile details

Do I have to check the box "omit domain name when auth. users"?

Thanks Everyone for help.

Any help would be appreciated a lot.

0 Kudos
12 Replies

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

A doubt about the RSA agent host (CP GW cluster) name, from the RSA guide:

rsa CP agent host

0 Kudos

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Anybody to help? :)

0 Kudos

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Hi Milos,

I assume you went through the RA VPN Admin Guide and still cannot get it to work.

There are quite a few step by step tutorials out there, such as this one or that one. Both are quite old, so screenshots and parameters might be looking a bit different with the version you are using. 

The flow you have described above seems legit, but I suggest you go over the links I am giving you, just in case. If all the configuration details are good, you might need to start troubleshooting.

I advise you the following troubleshooting flow:

1. Make sure basic VPN auth is working for you. To do so, add a local test user account on your management, put it into the VPN auth scheme and check that it can authenticate and establish a RA VPN.

2. Repeat the same test with a RADIUS user.

3. If it is still not working for you, check the following:

   a. Connectivity to the RADIUS auth server from the FW. Make sure the FW can reach the RADIUS server without an issue.
   b. Run a trace during the authentication request between the FW and the RADIUS server. Make sure RADIUS responds.
   c. What is the response? If it is an auth error, look at the RADIUS logs to see why it was rejected.
   d. How is the FW talking to RADIUS? Since it is a cluster, does it use the VIP or a physical IP? Check that the RADIUS server does not reject the FW request because of an IP mismatch.

If this does not help, let me know.

0 Kudos

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Thank You Valeri,

RAVPN works like a charm with CP user/pass.

We do not need RADIUS; the customer wants only SecurID (UDP agent; it uses UDP port 5500).

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Okay, sorry for that mistake.
However, the troubleshooting steps stand. I can see you are using this RSA user guide to configure your system. Assuming you did the configuration as described there on both sides, look into the communication between SecurID and the FW cluster. The same recommendations as for step 3 above, just for SecurID and not RADIUS.

0 Kudos
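The checks Valeri lists in step 3, transposed to the SecurID (UDP 5500) agent as his follow-up suggests, can be scripted. The script below is an added example written for this thread; it is not from the original posts and not Check Point's or RSA's own tooling. It assumes the sdconf.rec path /var/ace/sdconf.rec and the cluster VIP 10.10.7.1 mentioned in the thread, and uses 192.0.2.10 as a placeholder for the RSA Auth. Manager address; the function names are the example's own. It is meant to be run on each cluster member.

```shell
#!/bin/sh
# check_securid_agent.sh - added example for this thread (not from the posts,
# not a Check Point or RSA tool). Pre-flight checks for a SecurID UDP agent on
# a Gaia gateway, following Valeri's step 3 with SecurID in place of RADIUS.

RSA_SERVER="${RSA_SERVER:-192.0.2.10}"        # placeholder; set to the real Auth. Manager IP
AGENT_HOST_IP="${AGENT_HOST_IP:-10.10.7.1}"   # IP on the RSA agent host record (thread: cluster VIP)
SDCONF="${SDCONF:-/var/ace/sdconf.rec}"       # path named in the thread

# 3a. sdconf.rec must exist and be non-empty on EVERY cluster member.
#     Returns 0 when OK, 1 otherwise, so it can be used from a test.
check_sdconf() {
    f="${1:-$SDCONF}"
    if [ ! -f "$f" ]; then
        echo "MISSING: $f" >&2
        return 1
    fi
    if [ ! -s "$f" ]; then
        echo "EMPTY: $f" >&2
        return 1
    fi
    echo "OK: $f ($(wc -c < "$f" | tr -d ' ') bytes)"
    return 0
}

# 3d. Which source IP will this member use toward the RSA server?
#     Reads the "src" field of `ip route get`; empty output means no route.
source_ip_toward() {
    ip route get "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# 3d. That source IP must equal the agent host IP registered on the RSA side,
#     otherwise the Auth. Manager silently ignores the request (VIP vs physical
#     IP mismatch). Returns 0 on match, 1 on mismatch or no route.
agent_ip_matches() {
    actual="$1"
    registered="$2"
    if [ -z "$actual" ]; then
        echo "MISMATCH: no route to the RSA server" >&2
        return 1
    fi
    if [ "$actual" != "$registered" ]; then
        echo "MISMATCH: gateway sends from $actual but the RSA agent host record is $registered" >&2
        return 1
    fi
    echo "OK: source IP $actual matches the agent host record"
    return 0
}

# 3b/3c. Capture the exchange on UDP 5500 while a test user logs in.
#        Zero packets here (as in the thread) means the gateway never attempted
#        SecurID at all, so the problem is in the auth-scheme/object configuration
#        on the Check Point side, not on the RSA side.
capture_securid() {
    echo "Capturing UDP/5500 to $RSA_SERVER for 60s; start a VPN login now..."
    timeout 60 tcpdump -ni any udp port 5500 and host "$RSA_SERVER"
}

main() {
    check_sdconf "$SDCONF"
    src="$(source_ip_toward "$RSA_SERVER")"
    agent_ip_matches "$src" "$AGENT_HOST_IP"
    capture_securid
}

# Run the checks only when executed directly, not when sourced for testing.
if [ "${0##*/}" = "check_securid_agent.sh" ]; then
    main
fi
```

If the capture shows requests leaving but no replies, the next place to look is the RSA side (agent host record, node secret, logs); if it shows nothing at all, check the user's auth scheme and the SecurID server object on the management, and use Check Point's `fw ctl zdebug drop` on the gateway to confirm it is not dropping its own traffic to the RSA server.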

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Thank You.

One misunderstanding here, just to clarify:

In the Endpoint VPN client we have the following three fields (when the SecurID HW token is chosen, as the customer has/wants):

vpn client fields

We configured only one factor in SmartDashboard: SecurID.

Are all three of these fields related to the SecurID auth scheme chosen in SmartDashboard?

The username confuses me a lot here :)

0 Kudos

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Tokens are assigned to particular users, aren't they? Username still stands. 

0 Kudos

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

I cannot remove the PIN option/field from the Check Point Endpoint VPN client (when SecurID is chosen).

On the RSA side (Auth. Manager/server) a token is tied to a username (user), and after that a PIN is connected with the token.

The theory should be clear. :)

But for some reason zero packets are sent to the RSA Auth. Manager when the RAVPN connection is made (fw monitor: no packets captured). And the vpn debug logs show wrong username/password (as if username/password were chosen in VPN clients >>> auth). I have chosen SecurID as the auth scheme, not username/password.

A customer on RSA side has configured CheckPoint agent host like:

RSA side CP agent configuration

I am not sure whether this hostname is correct (the customer put CheckPoint).

0 Kudos

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

10.10.7.1 is the VIP of the Check Point cluster (2x5200 R77.30 GWs).

0 Kudos

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Okay, so your problem is that the request is not sent to the SecurID server. After the timeout you get an auth error, of course. Check the config on the MGMT (objects, IPs and auth server details) and GW (sdconf, etc.) side and, of course, make sure the FW is not dropping its own traffic to RSA.

If you are lost, it does not hurt to open a support request.

0 Kudos

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

CheckPoint cluster and RSA auth. server have full network visibility (all services are allowed). 

I opened a ticket/service request but with no luck (CP did not conclude what the catch is).

Do I need to perform cpstop and cpstart to make this work?

0 Kudos

Re: RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Hi, were you able to resolve the issue?

0 Kudos