Connection to VPN server from Linux with SecureID
Hi,
I have a customer who gave us access to their system using some Check Point software with SecurID (username and SecurID code, no password as far as we understand). How can we connect to this system from Linux?
We could not find any VPN client for Linux on the Check Point website.
It looks like we can get the SecurID code using the stoken software, so that should be OK.
If I go to their VPN server 87.238.64.1, there is a login popup, but it requires Java plugins, which are now deprecated in all existing browsers, so this is not a working solution.
The page also allows to start a program called snx
snx -h
Check Point's Linux SNX
build 800008061
usage: snx -s <server> {-u <user>|-c <certfile>} [-l <ca dir>] [-p <port>] [-r] [-g] [-e <cipher>]
run SNX using given arguments
snx -f <cf> run the snx using configuration file
snx run the snx using the ~/.snxrc
snx -d disconnect a running SNX daemon
-s <server> connect to server <server>
-u <user> use the username <user>
-c <certfile> use the certificate file <certfile>
-l <ca dir> get trusted ca's from <ca dir>
-p <port> connect using port <port>
-g enable debugging
-e <cipher> SSL cipher to use: RC4 or 3DES
But snx does not seem to allow using SecurID authentication.
We also tried the standard Linux Cisco VPN client, openconnect, but it fails with the error: XML response has no "auth" node
Soft token init was successful.
Soft token init was successful.
POST https://87.238.64.1/
Attempting to connect to server 87.238.64.1:443
Connected to 87.238.64.1:443
SSL negotiation with 87.238.64.1
Server certificate verify failed: signer not found
Connected to HTTPS on 87.238.64.1
Got HTTP response: HTTP/1.0 404 Not Found
Date: Fri, 31 Aug 2018 13:47:25 GMT
Server: Check Point SVN foundation
Content-Type: text/html
X-UA-Compatible: IE=EmulateIE7
Connection: close
X-Frame-Options: SAMEORIGIN
Last-Modified: Wed, 28 May 2014 09:11:07 GMT
Content-Length: 204
HTTP body length: (204)
Unexpected 404 result from server
GET https://87.238.64.1/
Attempting to connect to server 87.238.64.1:443
Connected to 87.238.64.1:443
SSL negotiation with 87.238.64.1
Server certificate verify failed: signer not found
Connected to HTTPS on 87.238.64.1
Got HTTP response: HTTP/1.0 200 OK
Date: Fri, 31 Aug 2018 13:47:26 GMT
Server: Check Point SVN foundation
Content-Type: text/html
X-UA-Compatible: IE=EmulateIE7
Connection: close
X-Frame-Options: SAMEORIGIN
Content-Length: 11788
HTTP body length: (11788)
XML response has no "auth" node
So what is the official way to connect to a VPN server using SecurID from Linux?
Accepted Solutions
I read the internal comments in "Authentication failed" error presented when user tries to connect to site using SNX CLI mode in Lin..., and it turns out: the SK is correct.
Just to clarify for Olivier Roulet-Dubonnet:
- If the customer is using Mobile Access Blade (which it sounds like they are), SNX via CLI is only supported on specific builds of the SNX client and specific versions of the gateway. Your customer will have to work with the local Check Point office for additional details and a possible RFE.
- If the customer is NOT using Mobile Access Blade, then SNX over CLI is supported.
If the customer deploys the patches here, then you will be able to use the Mobile Access portal (but not the CLI) to connect: Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology
The only supported VPN client on Linux is SNX, which does require Java, and yes, many browsers have deprecated support for this.
To activate SNX from the Mobile Access portal (which definitely supports SecurID), your customer should apply the fix described here: Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology
We do not support using the Cisco client to connect to our gateways.
Hi,
Thanks for the quick answer.
What browsers support Java these days?
And is there any way to use SecurID from the snx command line? None of the options seems to indicate it, as seen in the output in the report.
Thanks
Olivier
I'm sure there is some browser out there that still supports it, but the common cross-platform ones do not.
Theoretically, you should just be able to use the PIN + SecurID token number as the password on the CLI.
If you require some other password to sign in in addition to this, then I'm afraid there is no way to do it using the CLI and you must authenticate using the Mobile Access Portal.
Thank you again!
PIN + SecurID on one line as password?
Pretty sure that will work, as that's exactly how you would enter it in the browser.
Hi,
Unfortunately that does not work. It is also a bit surprising, because if I try to log into the GUI there is a field called SecurID. If I leave the password empty and write the SecurID number in the SecurID field, then I get a window telling me that I am connected (if I write my PIN as password I get an access denied error). No VPN connection is created because I could not find any browser supporting Java yet... but this really looks like my token and config are correct.
So it looks like the web solution does not require any password/PIN, but if I run snx from the command line I get access denied with PIN, PIN + token ID and token ID.... If the Java stuff calls snx in the background, then how is it sending the PIN? Can I emulate it using the command line?
Olivier
According to sk115242 "Authentication failed" error presented when user tries to connect to site using SNX CLI mo... you need SNX build 800007075 for MAB use - this can be found in sk90240 SSL Network Extender E75 CLI Support for Mobile Access Blade.
Version is
snx ver
a username or a certificate were not supplied
Check Point's Linux SNX
build 800008061
That seems to be over the version advised in this PR. Although there is no ver option:
snx ver
a username or a certificate were not supplied
Check Point's Linux SNX
build 800008061
usage: snx -s <server> {-u <user>|-c <certfile>} [-l <ca dir>] [-p <port>] [-r] [-g] [-e <cipher>]
run SNX using given arguments
snx -f <cf> run the snx using configuration file
snx run the snx using the ~/.snxrc
snx -d disconnect a running SNX daemon
-s <server> connect to server <server>
-u <user> use the username <user>
-c <certfile> use the certificate file <certfile>
-l <ca dir> get trusted ca's from <ca dir>
-p <port> connect using port <port>
-g enable debugging
-e <cipher> SSL cipher to use: RC4 or 3DES
So you are using the wrong version and SNX CLI cannot work 😞 The customer is using an unsupported SNX build for Linux CLI connection (not SNX build 800007075).
OK. And where do I get that special version? You have a link above, but when I click on it, it says:
"""
- SSL Network Extender does not connect to Mobile Access blade via client CLI in Linux and Mac OS X.
To view this solution, Advanced access is required. Click here to learn more about our Support Programs and Plans.
"""
The customer website https://87.238.64.1/ gives a link to download snx, why is this a non working version? And how can I get that working version?
Thank you
Olivier
This can be accomplished by involving TAC!
If you see more than one "password" prompt, it may be that your customer has multifactor authentication enabled on the gateway.
If this is the case, the command line SNX client will not work (regardless of version) and your only option is to authenticate with a web browser.
As far as I know the functionality in that special version has been rolled into current versions anyway.
Can you get that confirmed? If this is true, sk115242 should be changed.
Probably worth a comment in the SK.
I'll ask.
Yes, especially as sk115242 speaks of RFE 😉