AnsweredAssumed Answered

RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Question asked by Milos Jovovic on Jul 17, 2018
Latest reply on Jul 18, 2018 by Milos Jovovic

Hello Team,


I was going through integration of securID RSA Auth. Manager with CheckPoint Cluster (2x5200 NGGW's with 77.30 Gaia on it).


Made one object for checkpoint agent on RSA auth. manager console (with ip of CP cluster). What name i have to put here? There is written to put name of securID agent object in CheckPoint smart dashboard. What is that name (securID server object? or someting else?). 


name of rsa agent object


I have configured External user profile with match-all-users option (is this correct? we need to forward all auth request to RSA Auth. manager. In CheckPoint endpoint security vpn client we have three fields (username, PIN and token)). We have one passphrase (PIN and token), for one user. Is this only one factor or two? I am confused here. 

external user group - generic*

I have configured this external user group to be part of new user group securid_user_grupa:

external user profile as part of user group

I have put authentication sheme securid for this external user profile:

external user profile authentication sheme


I have put this user group in remote access community for RAVPN connections:

remoteaccess community with securid user group in it


I have put the same sdconf.rec file on both gw's in cluster (active and standby) on path /var/ace/

Installed policy and authentication does not work, zero packets going from CP cluster to RSA auth. manager.

In vpn debug log files there is error “Access denied - wrong user name or password”.

It is like CP tries to authenticate users in internal user database in MGMT server.

I off course put in GW>>>VPNClient>Auth.>>>auth sheme to securID (chose securID server object).


Do I have to do cpstop/cpstart on gw's to make this work?


Eny suggestion? Maybe I have to change in external user profile type to match by domain?

external user profile details

Do i have to check this box omit domain name when auth. users?


Thanks Everyone for help.


Any help would be appreciated a lot.