Check Point Firewall / VPN
Partner Information
Partner Name: Check Point
Web Site:
Product Information
Product Name: Firewall / VPN
Version & Platform:
Product Description:
Solution Summary
The Check Point software solution is a comprehensive VPN and Firewall providing RSA SecurID two-factor authentication connectivity to corporate networks, remote and mobile users, and satellite offices.
RSA SecurID supported features
Check Point Software Blades R75.40
RSA SecurID Authentication via Native RSA SecurID Protocol: Yes
RSA SecurID Authentication via RADIUS Protocol: Yes
On-Demand Authentication via Native SecurID Protocol: Yes
On-Demand Authentication via RADIUS Protocol: Yes
RSA Authentication Manager Replica Support: Yes
Secondary RADIUS Server Support: Yes
RSA SecurID Software Token Automation: Yes
RSA SecurID SD800 Token Automation: Yes
RSA SecurID Protection of Administrative Interface: No
Hostname
IP Addresses for network interfaces
Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by
the RSA Authentication Manager to determine how communication with Check Point Software Blades will
occur.
A RADIUS client that corresponds to the Authentication Agent must be created in the RSA Authentication
Manager in order for Check Point Software Blades to communicate with RSA Authentication Manager.
RADIUS clients are managed using the RSA Security Console.
The following information is required to create a RADIUS client:
Hostname
IP Addresses for network interfaces
RADIUS Secret
Note: Hostnames within the RSA Authentication Manager / RSA SecurID
Appliance must resolve to valid IP addresses on the local network.
Please refer to the appropriate RSA documentation for additional information about creating, modifying
and managing Authentication Agents and RADIUS clients.
Location
/var/ace, %SystemRoot%\system32\
/var/ace, System Registry
/var/ace
Not implemented
Overview
This guide provides configuration information for RSA SecurID native as well as RSA RADIUS
Authentication to challenge users in a Check Point environment. The Firewall/VPN and Remote Access
Client require multiple configuration steps. The guide is organized as follows:
Configure a User
Create the default external user profile to use RSA SecurID authentication.
The Check Point Firewall/VPN uses the sdconf.rec file to locate the RSA Authentication Manager Servers.
4. Retrieve the sdconf.rec file from the RSA Security Console.
5. Launch the Check Point SmartDashboard application with an administrator account.
6. Navigate to Manage > Servers and OPSEC Applications > New > SecurID.
7. If you selected RADIUS, the RADIUS Properties window will open. Add the Name, Host and Shared Secret.
8. Repeat this to add any secondary RADIUS servers. Then from the Servers and OPSEC window select New > RADIUS Group and create a RADIUS Group.
Note: Additional steps are needed to configure the Check Point for RADIUS. Refer to Appendix B of this document.
1. Select the Firewall tab in the main window panel. Go to the left tool bar and navigate to Network Objects > Check Point > (your object). Right click on your object and select Edit.
2. From the General Properties screen select IPSec VPN > Authentication from the left tool bar.
3. Select the RADIUS group or the SecurID server you previously defined from the pull down.
4. Click OK to save changes.
5. After a user account is defined, create a rule and install the Policy.
6. Save the setting and verify that a connection is successful.
Configure a User
In this section a user will be created that will authenticate to the RSA Authentication Manager Servers. This user can be configured to authenticate via either SecurID or RADIUS.
1. Go to Manage > Users and Administrators > New > User By Template > Default.
2. Enter the username as it appears in the default login field within the RSA Authentication Manager database.
3. Select Authentication from the left hand tool bar.
4. From the drop down box choose either SecurID or RADIUS as the user's Authentication Scheme.
5.
Match by Domain
The Match by Domain profile allows for more granularity in the user definition than is available with generic*. With this profile users are differentiated by their domain name. When implemented, the user types a domain name as well as the username; any domain name can be allowed.
The steps below will configure an External Profile of Match All Users.
1. Go to Manage > Users and Administrators > New > External User Profile > Match All Users.
2. The user generic* is created and a new window opens.
3. Select Authentication from the left tool bar.
4. From the drop down box choose SecurID or RADIUS as the user's Authentication Scheme.
5. Click OK to save changes.
Once a rule is added and the policy is installed a user must be authenticated before access is granted to
the service.
The sample rule below will provide for RSA SecurID Authentication for VPN Community members.
3.
4.
Set the Username, PIN and enter the current Tokencode. If no PIN is assigned leave the field blank and you
will be prompted to enter a new PIN.
1. Open the Check Point client by right-clicking on the icon and select VPN Options.
2. Select the site and Properties, then the Settings tab.
3.
4.
Screens
Login screen:
Next Tokencode:
Certification Environment
Version Information / Operating System
7.1SP4 / Windows 2003 SP2
4.1.1 / Windows XP Professional (SP3)
3.5 / Windows XP Professional (SP3)
R75.40 / Gaia
E75.30 EA2 / Windows XP Professional (SP3)
Mandatory Functionality
RSA Native Protocol
New PIN Mode
  Force Authentication After New PIN
  System Generated PIN
  User Defined (4-8 Alphanumeric)
  User Defined (5-7 Numeric)
  Deny 4 and 8 Digit PIN
  Deny Alphanumeric PIN
  Deny Numeric PIN
  Deny PIN Reuse
Passcode
  16-Digit Passcode
  4-Digit Fixed Passcode
Next Tokencode Mode
  Next Tokencode Mode
On-Demand Authentication
  On-Demand Authentication
  On-Demand New PIN
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)
  No RSA Authentication Manager
RADIUS Protocol
  Force Authentication After New PIN
  System Generated PIN
  User Defined (4-8 Alphanumeric)
  User Defined (5-7 Numeric)
  Deny 4 and 8 Digit PIN
  Deny Alphanumeric PIN
  Deny Numeric PIN
  Deny PIN Reuse
  16-Digit Passcode
  4-Digit Fixed Passcode
  Next Tokencode Mode
  On-Demand Authentication
  On-Demand New PIN
  Failover
  No RSA Authentication Manager
GLS = Pass
PINless Token
PINpad-style Token
Fob-style Token
16-Digit Passcode
Alphanumeric PIN
New PIN Mode
Next Tokencode Mode
Password-Protected Token
PINless Mode
14-Digit Passcode
New PIN Mode
Next Tokencode Mode
GLS
= Pass
Known Issues
On Demand Authentication
On Demand Authentication may not behave as expected with Check Point. This release does not enforce authentication after a new PIN is set via Native SecurID. This issue does not apply to RADIUS. Therefore, the On Demand feature via Native SecurID, when in New PIN mode, will authenticate a user without the user ever entering a tokencode. This is effectively single-factor authentication. This is not an issue once the user has set the PIN.
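The PIN policy options listed in the Mandatory Functionality matrix and the New PIN behaviour described in this known issue can be walked through in code. The following is an added example, not code from RSA, Check Point or this guide: check_new_pin() applies the matrix's user-defined PIN rules (length range, numeric or alphanumeric character set, denied lengths, PIN reuse), and new_pin_login() runs the New PIN sequence with and without "Force Authentication After New PIN". The verifier is a stand-in that holds a constructed tokencode string; real SecurID tokencode generation is not modelled, and all policy values and inputs are constructed for the example.

```python
"""PIN policy checks and New PIN mode flow, as exercised by the test matrix.

Added example, not RSA's or Check Point's code.  Tokencodes are constructed
strings; the real SecurID algorithm is not modelled.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PinPolicy:
    min_len: int = 4
    max_len: int = 8
    allow_letters: bool = True                 # False = "Deny Alphanumeric PIN" (digits only)
    require_letter: bool = False               # True  = "Deny Numeric PIN" (all-digit PIN rejected)
    denied_lengths: frozenset = frozenset()    # e.g. {4, 8} for "Deny 4 and 8 Digit PIN"
    deny_reuse: bool = True                    # "Deny PIN Reuse"
    force_auth_after_new_pin: bool = True      # "Force Authentication After New PIN"


def check_new_pin(pin, policy, history=()):
    """Return the list of policy violations for a proposed PIN (empty list = acceptable)."""
    problems = []
    if not policy.min_len <= len(pin) <= policy.max_len:
        problems.append("length")
    if len(pin) in policy.denied_lengths:
        problems.append("denied length")
    if not re.fullmatch(r"[A-Za-z0-9]+", pin):
        problems.append("charset")
    if not policy.allow_letters and not pin.isdigit():
        problems.append("letters not allowed")
    if policy.require_letter and pin.isdigit():
        problems.append("all-numeric PIN not allowed")
    if policy.deny_reuse and pin in history:
        problems.append("reuse")
    return problems


def new_pin_login(policy, proposed_pin, history, second_passcode, current_tokencode):
    """Simulate New PIN mode.  Returns (outcome, set of factors the verifier actually checked)."""
    problems = check_new_pin(proposed_pin, policy, history)
    if problems:
        return "pin rejected", frozenset()
    if not policy.force_auth_after_new_pin:
        # The path described under Known Issues: the session is granted as soon as the
        # PIN is set, so only the PIN (something the user knows) was ever checked.
        return "granted", frozenset({"pin"})
    # Compliant path: the user must now present a full passcode, PIN + current tokencode.
    if second_passcode == proposed_pin + current_tokencode:
        return "granted", frozenset({"pin", "tokencode"})
    return "denied", frozenset({"pin"})


if __name__ == "__main__":
    lax = PinPolicy(force_auth_after_new_pin=False)
    strict = PinPolicy()
    print(new_pin_login(lax, "a1b2c3", (), None, "159759"))              # granted on the PIN alone
    print(new_pin_login(strict, "a1b2c3", (), "a1b2c3159759", "159759"))  # granted on both factors
```

The second factor is only proven on the path where the policy forces a fresh passcode after the PIN change; that is the property to confirm when testing a gateway against the "Force Authentication After New PIN" row of the matrix.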
Software Tokens
Check Point Remote Access Clients up to E75.20 do not work with RSA software token v4.1.
Resolution: Please download the Remote Access Client E75.30 (or E75.30 EA2 from the Early Availability program) from the Check Point Support site.
Appendix A
Node Secret:
1. To clear the node secret from a Windows host, launch regedit from the Run utility.
2. Navigate the left hand tool bar to HKEY_LOCAL_MACHINE\Software\ACECLIENT.
3. Select Node Secret and delete it.
4. Reboot the PC.
Appendix B
RADIUS Configuration
To configure the Check Point for RADIUS, perform the following steps from the Check Point SmartDashboard.
1. Select Manage > Servers and OPSEC Applications.
2. Select New > RADIUS.
3. Enter the Name of the RADIUS connection.
4. Enter the Host of the RADIUS server.
5. Enter the Shared Secret to match the RSA Authentication Manager.
6. Select the service type of New-RADIUS to use port 1812.
7. Click OK to close the RADIUS Properties window.
8. Click Close to exit the Servers and OPSEC Applications window.
9. Select Manage > Users and Administrators.
10. Edit the generic* user account.
11. Select Authentication from the left tool bar and change the Authentication Scheme to RADIUS.
12. Set the RADIUS Server or Group of Servers setting to the RADIUS Connection created in step 3.
13. Exit the User Profile Properties window.
14. Select Policy > Global Properties.
15. Select SmartDashboard Customization from the list of options.
16. Under the Advanced Configuration option select the Configure button.
17. Select FireWall-1 > Authentication > RADIUS from the left tool bar.
18. Modify the radius_ignore setting, changing the default value of 0 to 76.
19. Save the settings and select Policy > Install from the SmartDashboard.
20. Complete the configuration by selecting OK to install the policy.
Appendix C
Check Point Remote Access Clients
(see Check Point SecureKnowledge solution sk61286)
Feature
Endpoint Security
VPN
SecuRemote
Client Purpose
Basic secure connectivity
Replaces Client