Working with Authentication

Authentication Schemes

Authentication schemes employ user names and passwords to identify valid users.

Some schemes are maintained locally, storing user names and passwords on the VSX Gateway, while others store authentication information on an external authentication server.

Some schemes, such as SecurID, are based on providing a one-time password.

For more information, see the R81.10 Security Management Administration Guide > Section Configuring Authentication Methods for Users.

Configuring RADIUS or TACACS Authentication

These are the options to enable connectivity between Virtual Systems and a RADIUS or TACACS/TACACS+ server:

Option: Shared configuration
Description: All Virtual Systems connect to the RADIUS or TACACS/TACACS+ authentication servers through the VSX Gateway. This is the default option.

Option: Private configuration
Description: All Virtual Systems connect to the RADIUS or TACACS/TACACS+ authentication servers directly. The Virtual Systems use the Virtual System cluster IP address as the source address.

For Multi-Domain Server configurations, make sure that you configure the authentication settings on the Domain Management Server that manages the Virtual Systems.

Configuring RSA SecurID Authentication

See the R81.10 Security Management Administration Guide > Chapter Managing User and Administrator Accounts > Section Managing User Accounts > Section SecurID Authentication for Security Gateway.

These are the options to enable connectivity between Virtual Systems and a SecurID ACE/Server (RSA Authentication Manager):

Option: Shared configuration
Description: All Virtual Systems on the VSX Gateway / VSX Cluster Member use the same encryption key file "sdconf.rec" to authenticate to the remote SecurID ACE/Server (RSA Authentication Manager).
In a VSX Cluster, each VSX Cluster Member uses a different encryption key file "sdconf.rec" and node secret file "securid".
For the MIP (Member IP) address, use the IP address of a VSX Gateway / VSX Cluster Member interface that connects to the SecurID ACE/Server (RSA Authentication Manager).

Option: Private configuration
Description: Each Virtual System uses a unique encryption key file "sdconf.rec" and node secret file "securid" to authenticate to the remote SecurID ACE/Server (RSA Authentication Manager).
On a VSX Gateway, for the MIP (Member IP) address, use the IP address of the Virtual System interface that connects to the SecurID ACE/Server (RSA Authentication Manager).
On a VSX Cluster, for the MIP (Member IP) address, use the VIP (Virtual IP) address of the Virtual System interface that connects to the SecurID ACE/Server (RSA Authentication Manager).

On a Multi-Domain Server, make sure that you configure the authentication settings on the Domain Management Server that manages the Virtual Systems.