Working with Authentication
Authentication Schemes
Authentication schemes employ user names and passwords to identify valid users.
Some schemes are maintained locally, storing user names and passwords on the VSX Gateway, while others store authentication information on an external authentication server.
Some schemes, such as SecurID, are based on providing a one-time password.
For more information, see the R81.10 Security Management Administration Guide > Section Configuring Authentication Methods for Users.
Check Point password is a static password that is configured in SmartConsole. For administrators, the password is stored in the local database on the Security Management Server. For users, it is stored in the local database on the Security Gateway. No additional software is required.
OS Password is stored on the operating system of the computer on which the Security Gateway (for users) or Security Management Server (for administrators) is installed. You can also use passwords that are stored in a Windows domain. No additional software is required.
Remote Authentication Dial-In User Service (RADIUS) is an external authentication method that provides security and scalability by separating the authentication function from the access server.
Using RADIUS, the Security Gateway forwards authentication requests by remote users to the RADIUS server. For administrators, the Security Management Server forwards the authentication requests. The RADIUS server, which stores user account information, does the authentication.
The RADIUS protocol uses UDP to communicate with the gateway or the Security Management Server.
RADIUS servers and RADIUS server group objects are defined in SmartConsole.
Terminal Access Controller Access Control System (TACACS) provides access control for routers, network access servers and other networked devices through one or more centralized servers.
TACACS is an external authentication method that provides verification services. Using TACACS, the Security Gateway forwards authentication requests by remote users to the TACACS server. For administrators, it is the Security Management Server that forwards the requests. The TACACS server, which stores user account information, authenticates users. The system supports physical card key devices or token cards and Kerberos secret key authentication. TACACS encrypts the user name, password, authentication services and accounting information of all authentication requests to ensure secure communication.
SecurID requires users to both possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA Authentication Manager (AM) and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices, while software tokens reside on the PC or device from which the user wants to authenticate. All tokens generate a random, one-time use access code that changes approximately every minute. When a user attempts to authenticate to a protected resource, the one-time use code must be validated by the AM.
Using SecurID, the Security Gateway forwards authentication requests by remote users to the AM. For administrators, it is the Security Management Server that forwards the requests. The AM manages the database of RSA users and their assigned hard or soft tokens. The Security Gateway or the Security Management Server acts as an AM agent and directs all access requests to the RSA AM for authentication. For additional information on agent configuration, refer to the RSA Authentication Manager documentation.
There are no specific parameters required for the SecurID authentication method. Authentication requests can be sent over SDK-supported API or through REST API.
Configuring SecurID Authentication
See the R81.10 Security Management Administration Guide > Chapter Managing User and Administrator Accounts > Section Managing User Accounts > Section SecurID Authentication for Security Gateway.
Configuring RADIUS or TACACS Authentication
These are the options to enable connectivity between Virtual Systems and a RADIUS or TACACS/TACACS+ server:
- Shared configuration: All authentication servers are accessible by all Virtual Systems through the VSX Gateway. This is the default option.
- Private configuration: Authentication servers are accessed directly by the Virtual System and use the Virtual System cluster IP address as the source address.
For Multi-Domain Server configurations, make sure that you configure the SecurID or Remote Authentication settings of the Domain Management Server that manages the Virtual Systems.
Configure shared authentication so that all the Virtual Systems on the VSX Gateway authenticate to the remote RADIUS or TACACS/TACACS+ server.
To configure shared authentication for RADIUS or TACACS/TACACS+:
1. Configure shared authentication on the Virtual Systems:
   a. Connect with SmartConsole to the Management Server.
   b. From the left navigation panel, click Gateways & Servers.
   c. Double-click the Virtual System object. The Virtual System's General Properties window opens.
   d. From the navigation tree, select Other > Authentication.
   e. Make sure that RADIUS or TACACS and Shared are selected.
   f. Click OK.
   g. Install the policy on the Virtual Systems.
   Repeat these steps for each Virtual System.
2. For a VSX Cluster, on the Management Server that manages this VSX Cluster, make sure that Hide NAT is disabled. On a Multi-Domain Server, work in the context of the Target Domain Management Server that manages the Virtual System.
   a. Edit the applicable table.def file. See sk98339.
   b. Make sure that the no_hide_services_ports parameter contains the UDP ports for RADIUS or TACACS, or the TCP ports for TACACS+. The default ports are:
      - RADIUS - 1645
      - TACACS/TACACS+ - 49
      Sample RADIUS parameter with Hide NAT disabled:
      no_hide_services_ports = { <49, 6>, <49, 17>, <500, 17>, <259, 17>, <1701, 17>, <123, 17>, <1645, 17> };
   c. Save the changes in the file and exit the editor.
   d. In SmartConsole, install the policy on the Virtual Systems.
For private configurations, the active and standby Virtual Systems use the same encryption key to authenticate to the remote RADIUS or TACACS/TACACS+ server.
For High Availability configurations, make sure that the Active and Standby Virtual Systems on each VSX Cluster Member use the same VIP address.
To configure private authentication:
1. Configure private authentication on the VSX Gateway and the Virtual Systems:
   a. Connect with SmartConsole to the Management Server.
   b. From the left navigation panel, click Gateways & Servers.
   c. Double-click the VSX Gateway object. The General Properties view opens.
   d. From the navigation tree, select Other > Legacy Authentication.
   e. Make sure that RADIUS or TACACS are selected.
   f. Click OK.
   g. From SmartConsole, install the Access Control Policy on the Virtual System.
   Repeat these steps for each Virtual System.
2. For a VSX Cluster, on the Management Server that manages this VSX Cluster, make sure that Hide NAT is enabled. For a Multi-Domain Server, use the Domain Management Server that manages the Virtual System.
   a. Edit the applicable table.def file (see sk98339) in a plain-text editor.
   b. Make sure that the no_hide_services_ports parameter DOES NOT contain the UDP ports for RADIUS or TACACS, or the TCP ports for TACACS+. The default ports are:
      - RADIUS - 1645
      - TACACS/TACACS+ - 49
      Sample parameter with Hide NAT enabled:
      no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17> };
   c. Save the changes in the file and exit the editor.
   d. From SmartConsole, install the Access Control Policy on each Virtual System.
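The two procedures above differ only in whether the RADIUS and TACACS/TACACS+ ports appear in no_hide_services_ports: listed for shared authentication (Hide NAT disabled for that traffic), absent for private authentication. A mistake here is easy to make by hand and shows up only as authentication failures after policy installation, so the following checker is offered as an added example; it is not a Check Point tool and is not code from the page. It assumes the parameter has the exact shape shown in the two samples (a set of <port, protocol> pairs, with 6 for TCP and 17 for UDP) and uses the default ports the page names; the two table.def excerpts embedded in it are constructed to match the page's samples, not copied from a live system.

```python
import re

# IP protocol numbers used in the <port, protocol> pairs of table.def.
TCP, UDP = 6, 17

# Default ports named on the page: RADIUS 1645/UDP, TACACS 49/UDP, TACACS+ 49/TCP.
AUTH_PORTS = {
    "RADIUS": (1645, UDP),
    "TACACS": (49, UDP),
    "TACACS+": (49, TCP),
}

# Constructed table.def excerpts (not copied from a live system): the first
# matches the page's shared-authentication sample, the second the private one.
SAMPLE_SHARED = (
    "no_hide_services_ports = { <49, 6>, <49, 17>, <500, 17>, <259, 17>, "
    "<1701, 17>, <123, 17>, <1645, 17> };\n"
)
SAMPLE_PRIVATE = "no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17> };\n"

_PARAM_RE = re.compile(r"no_hide_services_ports\s*=\s*\{(.*?)\}\s*;", re.S)
_PAIR_RE = re.compile(r"<\s*(\d+)\s*,\s*(\d+)\s*>")

MODES = ("shared", "private")


def parse_no_hide_services_ports(text):
    """Return the set of (port, protocol) pairs from the parameter.

    Raises ValueError if the parameter is missing or contains text that is
    not a <port, protocol> pair, so a typo in the file is reported instead of
    being silently read as 'port absent'.
    """
    match = _PARAM_RE.search(text)
    if match is None:
        raise ValueError("no_hide_services_ports parameter not found")
    body = match.group(1)
    pairs = {(int(port), int(proto)) for port, proto in _PAIR_RE.findall(body)}
    leftover = _PAIR_RE.sub("", body).replace(",", "").strip()
    if leftover:
        raise ValueError(f"unparsed text inside no_hide_services_ports: {leftover!r}")
    return pairs


def check_mode(text, mode, services=("RADIUS", "TACACS", "TACACS+")):
    """List the mismatches between the parameter and the intended mode.

    mode="shared":  each service's port must be listed (excluded from Hide NAT).
    mode="private": each service's port must be absent (Hide NAT applies).
    An empty list means the file already matches the mode.
    """
    if mode not in MODES:
        raise ValueError("mode must be 'shared' or 'private'")
    pairs = parse_no_hide_services_ports(text)
    problems = []
    for name in services:
        port, proto = AUTH_PORTS[name]
        listed = (port, proto) in pairs
        if mode == "shared" and not listed:
            problems.append(f"{name} {port}/{proto} missing: add it for shared authentication")
        if mode == "private" and listed:
            problems.append(f"{name} {port}/{proto} listed: remove it for private authentication")
    return problems


def corrected_parameter(text, mode, services=("RADIUS", "TACACS", "TACACS+")):
    """Return the parameter line rewritten so that it matches the mode.

    Pairs unrelated to RADIUS/TACACS (the IKE, RDP, L2TP and NTP entries in
    the samples) are kept untouched; the output is sorted so that diffs
    between runs are stable.
    """
    if mode not in MODES:
        raise ValueError("mode must be 'shared' or 'private'")
    pairs = parse_no_hide_services_ports(text)
    wanted = {AUTH_PORTS[name] for name in services}
    pairs = (pairs | wanted) if mode == "shared" else (pairs - wanted)
    body = ", ".join(f"<{port}, {proto}>" for port, proto in sorted(pairs))
    return f"no_hide_services_ports = {{ {body} }};"


if __name__ == "__main__":
    for label, sample in (("shared", SAMPLE_SHARED), ("private", SAMPLE_PRIVATE)):
        for mode in MODES:
            problems = check_mode(sample, mode)
            print(f"{label} sample checked as {mode}: {'OK' if not problems else '; '.join(problems)}")
        print("   rewritten for private mode:", corrected_parameter(sample, "private"))
```

Run it against a copy of the edited table.def (read the file into a string and pass it to check_mode with the mode you intend) before installing policy; the parser deliberately rejects any stray text inside the braces rather than guessing, because a malformed pair would otherwise read as "port not listed" and pass the private-mode check by accident.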