Milos_Jovovic
Contributor

RA VPN Check Point SecurID authentication forwarding to RSA Authentication Manager

Hello Team,

I was going through the integration of RSA SecurID Authentication Manager with a Check Point cluster (2x 5200 NGGWs with Gaia R77.30 on them).

I made one object for the Check Point agent on the RSA Authentication Manager console (with the IP of the CP cluster). What name do I have to put here? It says to put the name of the SecurID agent object from Check Point SmartDashboard. What is that name (the SecurID server object, or something else?).

[Screenshot: name of RSA agent object]

I have configured an External User Profile with the match-all-users option (is this correct? We need to forward all auth requests to RSA Authentication Manager. In the Check Point Endpoint Security VPN client we have three fields: username, PIN and token). We have one passphrase (PIN and token) for one user. Is this only one factor or two? I am confused here.

[Screenshot: external user group - generic*]

I have configured this external user group to be part of a new user group securid_user_grupa:

[Screenshot: external user profile as part of user group]

I have set the authentication scheme SecurID for this external user profile:

[Screenshot: external user profile authentication scheme]

I have put this user group in the Remote Access community for RA VPN connections:

[Screenshot: Remote Access community with SecurID user group in it]

I have put the same sdconf.rec file on both GWs in the cluster (active and standby) at the path /var/ace/.

I installed the policy and authentication does not work: zero packets go from the CP cluster to RSA Authentication Manager.

In the VPN debug log files there is the error "Access denied - wrong user name or password".

It is as if CP tries to authenticate users against the internal user database on the MGMT server.

I of course set GW > VPN Clients > Authentication > authentication scheme to SecurID (chose the SecurID server object).

Do I have to do cpstop/cpstart on the GWs to make this work?

Any suggestions? Maybe I have to change the external user profile type to match by domain?

[Screenshot: external user profile details]

Do I have to check the box "omit domain name when authenticating users"?

Thanks everyone for the help.

Any help would be appreciated a lot.

14 Replies
Milos_Jovovic
Contributor

RSA agent host (CP GW cluster) name doubt, from the RSA guide:

[Screenshot: RSA CP agent host]

Milos_Jovovic
Contributor

Anybody to help? :)

_Val_
Admin

Hi Milos,

I assume you went through the RA VPN Admin Guide and still cannot get it to work.

There are quite a few step-by-step tutorials out there, such as this one or that one. Both are quite old, so screenshots and parameters might look a bit different from the version you are using.

The flow you have described above seems legit, but I suggest you go over the links I am giving you, just in case. If all the configuration details are good, you might need to start troubleshooting.

I advise the following troubleshooting flow:

1. Make sure basic VPN auth is working for you. To do so, add a local test user account on your management, put it into the VPN auth scheme and check that it can authenticate and establish an RA VPN.

2. Repeat the same test with a RADIUS user.

3. If it is still not working for you, check the following:

   a. Connectivity to the RADIUS auth server from the FW. Make sure the FW can reach the RADIUS server without an issue.
   b. Run a trace during the authentication request between the FW and the RADIUS server. Make sure RADIUS responds.
   c. What is the response? If it is an auth error, look at the RADIUS logs to see why it was rejected.
   d. How is the FW talking to RADIUS? Since it is a cluster, does it use the VIP or a physical IP? Check that the RADIUS server does not reject the FW request because of an IP mismatch.

If this does not help, let me know.

Milos_Jovovic
Contributor

Thank you Valeri,

RA VPN works like a charm with a CP user/pass.

We do not need RADIUS; the customer wants only SecurID (UDP agent, uses port UDP 5500).

_Val_
Admin

Okay, sorry for that mistake.
However, the troubleshooting steps stand. I can see you are using this RSA user guide to configure your system. Assuming you did the configuration as described there on both sides, look into the communication between SecurID and the FW cluster. The same recommendations as for step 3 above, just for SecurID and not RADIUS.

Milos_Jovovic
Contributor

Thank you.

One misunderstanding here, just to clarify:

In the Endpoint VPN client we have the following three fields (when SecurID HW token is chosen, as the customer has/wants):

[Screenshot: VPN client fields]

We configured in SmartDashboard only one factor: SecurID.

Are all three of these fields related to the SecurID auth scheme chosen in SmartDashboard?

The username confuses me a lot here :)

_Val_
Admin

Tokens are assigned to particular users, aren't they? Username still stands. 

Milos_Jovovic
Contributor

I cannot remove the PIN option/field from the Check Point Endpoint VPN client (when SecurID is chosen).

On the RSA side (Authentication Manager/server) a token is tied to a username (user), and after that a PIN is connected with the token.

The theory should be clear. :)

But for some reason zero packets are sent to RSA Authentication Manager when the RA VPN connection is made (fw monitor captures no packets). And the VPN debug logs show wrong username/password (as if username/password were chosen under VPN Clients > Authentication). I have chosen SecurID as the auth scheme, not username/password.

The customer on the RSA side has configured the Check Point agent host like this:

[Screenshot: RSA side CP agent configuration]

I am not sure this hostname is correct (the customer put CheckPoint).

Milos_Jovovic
Contributor

10.10.7.1 is the VIP of the Check Point cluster (2x 5200 R77.30 GWs).

_Val_
Admin

Okay, so your problem is that the request is not sent to the SecurID server. After the timeout you get an auth error, of course. Check the config on the MGMT side (objects, IPs and auth server details) and on the GW side (sdconf, etc.), and of course make sure the FW is not dropping its own traffic to RSA.

If you are lost, it does not hurt to open a support request.

Milos_Jovovic
Contributor

The Check Point cluster and the RSA auth server have full network visibility (all services are allowed).

I opened a ticket/service request but with no luck (CP did not conclude what the catch is).

Do I need to perform cpstop and cpstart to make this work?

Aldwin_Aquino
Explorer

Hi, were you able to resolve the issue?

DanielAmlung
Participant

I would like to push this topic; I also have issues with my RSA connections. We replaced our gateways with new hardware and installed R80.30. I cleared the node secret for both agents and downloaded the sdconf.rec file from the RSA server. Then I copied the file to /var/ace and also changed the rights on that file to 777.

It is the same setup as described, with the same error messages:

vpnd log: "[ACE5] au_sd_ace_io_trigger(au=a00e650): ** USER/PW DENIED BY ACE **"

client log: "IKE connection failed, error code=-1000. Reason: Access denied - wrong user name or password"


The RSA real-time monitor has the following output:

Log Level: ERROR

Activity Key: Principal authentication

Description: User "XXX" attempted to authenticate using authenticator "SecureID_Native". The user belongs to security domain "SystemDomain"

Result: Authentication method failed

DanielAmlung
Participant

I found a solution for my problem: as suggested in the Admin Guide "https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SecurityManagement_AdminGuid...", add the file "sdopts.rec" to the /var/ace folder. The file should contain the line CLIENT_IP=(ip), where (ip) is the primary IP address of the Security Gateway, as defined on the ACE/Server. This is the IP address of the interface to which the server is routed.

I did that before and it didn't work. After some days I found a blog post where it is written that you need a space between = and the IP address, i.e. CLIENT_IP= (IP). This did the trick and authentication now works!

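The thread ends with the sdopts.rec fix but gives no quick way to verify the agent files on each cluster member. The script below is an added example, not code from the thread or from Check Point: it checks that sdconf.rec in /var/ace is present and non-empty, that sdopts.rec carries a CLIENT_IP line matching the agent IP registered on RSA Authentication Manager (accepting both "CLIENT_IP=ip" and the spaced "CLIENT_IP= ip" form the last reply reports as working), warns if sdconf.rec was left world-writable, and classifies the configured IP as the cluster VIP or a member address, which is the question raised in step 3d of the troubleshooting flow above. The file names and the CLIENT_IP syntax come from the thread; the function names, the RUN_ACE_CHECK variable and the ace_check.sh file name are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the thread or from Check Point). Sanity-checks the
# SecurID agent files a Check Point gateway reads from /var/ace.
# Assumptions: sdconf.rec and sdopts.rec live in ACE_DIR (default /var/ace);
# the agent IP registered on RSA Authentication Manager is the first argument.
# Run once on each cluster member.

ACE_DIR="${ACE_DIR:-/var/ace}"

# Print the address from the first CLIENT_IP line of an sdopts.rec file.
# Accepts "CLIENT_IP=10.0.0.1" and "CLIENT_IP= 10.0.0.1" (the spaced form is
# the one the thread reports working). Returns 1 if the file is missing or
# has no CLIENT_IP line.
sdopts_client_ip() {
    _f="$1"
    [ -r "$_f" ] || return 1
    _ip=$(grep -E '^[[:space:]]*CLIENT_IP[[:space:]]*=' "$_f" | head -n 1 \
          | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$_ip" ] || return 1
    printf '%s\n' "$_ip"
}

# Loose IPv4 syntax check so a typo in sdopts.rec is caught here, not by RSA.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Classify the configured CLIENT_IP against the cluster VIP and this member's
# own address. RSA rejects requests whose source does not match the agent host
# it has registered, so the answer must match what RSA sees on the wire.
classify_client_ip() {
    _ip="$1"; _vip="$2"; _member="$3"
    if [ "$_ip" = "$_vip" ]; then echo vip
    elif [ "$_ip" = "$_member" ]; then echo member
    else echo unknown
    fi
}

# Write sdopts.rec in the spaced form the thread reports as working.
write_sdopts() {
    _dir="$1"; _ip="$2"
    is_ipv4 "$_ip" || return 1
    printf 'CLIENT_IP= %s\n' "$_ip" > "$_dir/sdopts.rec"
}

# Full check: returns 0 only when sdconf.rec is present and non-empty and
# sdopts.rec names the expected agent IP. Diagnostics go to stderr.
check_ace_dir() {
    _dir="$1"; _expected="$2"; _rc=0
    if [ ! -s "$_dir/sdconf.rec" ]; then
        echo "FAIL: $_dir/sdconf.rec missing or empty (download it from RSA AM)" >&2
        _rc=1
    elif [ -n "$(find "$_dir/sdconf.rec" -perm -002)" ]; then
        # Non-fatal: chmod 777 (as in the thread) leaves the agent config
        # writable by any local account.
        echo "WARN: $_dir/sdconf.rec is world-writable" >&2
    fi
    _ip=$(sdopts_client_ip "$_dir/sdopts.rec") || {
        echo "FAIL: $_dir/sdopts.rec missing or has no CLIENT_IP line" >&2
        return 1
    }
    if ! is_ipv4 "$_ip"; then
        echo "FAIL: CLIENT_IP '$_ip' is not an IPv4 address" >&2
        return 1
    fi
    if [ "$_ip" != "$_expected" ]; then
        echo "FAIL: CLIENT_IP is $_ip but RSA has the agent host as $_expected" >&2
        return 1
    fi
    echo "OK: sdopts.rec CLIENT_IP=$_ip" >&2
    return $_rc
}

# Usage: RUN_ACE_CHECK=1 sh ace_check.sh 10.10.7.1
if [ -n "${RUN_ACE_CHECK:-}" ]; then
    check_ace_dir "$ACE_DIR" "$1"
fi
```

Run it on each member with the agent IP the RSA side registered (10.10.7.1, the VIP, in the original poster's case). If both members pass and fw monitor still shows nothing leaving for UDP 5500, the remaining suspects are the ones the replies above name: the gateway's own policy dropping its traffic to RSA, or the node secret.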