Creating a User Account with SecurID Authentication

SecurID requires users to both possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA Authentication Manager (AM) and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices. Software tokens reside on the PC or device from which the user wants to authenticate. All tokens generate a random, one-time use access code that changes approximately every minute. When a user attempts to authenticate to a protected resource, the one-time use code must be validated by the AM.

The Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. forwards authentication requests by remote users to the AM. The AM manages the database of RSA users and their assigned hard or soft tokens. The Security Gateway acts as an AM agent and directs all access requests to the AM for authentication. For more information on agent configuration, refer to RSA Authentication Manager documentation. There are no specific parameters required for the SecurID authentication method. Authentication requests can be sent over SDK-supported API or through REST API.

After you configure SecurID authentication, you can, in addition, configure authentication with a certificate file. The user can then authenticate to the Security Gateway with the SecurID or the certificate file.

To configure SecurID authentication for users:

1. Configure the API to send authentication requests

   You can select to enable one of two API types:

   • SDK-supported API

     A proprietary API that uses a proprietary communication protocol on UDP port 5500 through SDKs available for selected platforms.

     To enable SecurID authentication over SDK-supported API

     1. Create the sdconf.rec file on an ACE/Server and copy it to your computer.

        For details, refer to the RSA documentation.

        Important - Use the IP address of a Security Gateway interface that connects to the ACE/Server: For a specific Security Gateway – Configure the IP address as the authentication agent. For a Cluster – Configure these IP addresses as authentication agents: Physical IP address of each Cluster Member Security Gateway that is part of a cluster. and Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Virtual IP address. For a VSX Virtual System on a specific VSX Gateway – Configure these IP addresses as authentication agents: IP address of the VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. and IP address of the Virtual System. For a VSX Virtual System on VSX Cluster – Configure these IP addresses as authentication agents: Cluster Virtual IP address of the VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster and Cluster Virtual IP address of the Virtual System.

     2. Open the SecurID object in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click Browse and import the sdconf.rec file into the SecurID object.

     3. Install policy.

        Note - During the policy installation, the sdconf.rec file is transferred the Security Gateway to /var/ace/sdconf.rec.

   • REST API

     To enable SecurID authentication over REST API

     1. Connect to the command line on the Security Gateway.

     2. Log in to the Expert mode.

     3. On a VSX Gateway or VSX Cluster Member, go to the context of VSID 0:

        vsenv 0

     4. Back up the current $CPDIR/conf/RSARestServer.conf file:

        cp -v $CPDIR/conf/RSARestServer.conf{,_BKP}

     5. Edit the $CPDIR/conf/RSARestServer.conf file.

        Fill in these fields:

        • host - The configured host name of the RSA server.

        • port, client key, and accessid - From the RSA SecurID Authentication API window.

        • certificate - The name of the certificate file.

     6. Save the changes in the file and exit the editor.

   Note - If you do not complete the REST API configuration, the authentication is performed through the SDK-supported API.

2. Configure user groups

   1. In SmartConsole, open the Object Explorer (F11).

   2. Click New > More > User/Identity > User Group.

      The New User Group window opens.

   3. Enter the name of the group, for example SecurID_Users.

      Make sure the group is empty.

   4. Click OK.

   5. Publish the SmartConsole session.

   6. Install the policy.

3. Create a new user and define SecurID as the authentication method

   This configuration procedure is different for internal users (that are defined in SmartConsole) and for external users.

   To configure SecurID authentication settings for internal users

   Internal users are users that you configure in SmartConsole. The Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. keeps these users in the management database.

   1. In SmartConsole, open the Object Explorer (F11).

   2. Click New > More > User/Identity > User.

      The New User window opens.

   3. Choose a template.

   4. Click OK.

   5. In the General page:

      • Enter a default Name. This name is used to authenticate users by the Authentication Manager.

      • Set the Expiration date.

   6. In the Authentication page, from the Authentication Method drop-down list, select SecurID.

   7. Click OK.

   To configure SecurID authentication settings for external users

   External users are users that are you configure the Legacy SmartDashboard Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings.. The Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. does not keep these users in the management database.

   1. In SmartConsole, click Manage & Settings > Blades.

   2. In the Mobile Access section, click Configure in SmartDashboard.

      Legacy SmartDashboard opens.

   3. In the bottom left Network Objects pane, and click Users.

      

   4. Right-click on an empty space and select the applicable option:

      • If you support only one external authentication scheme, select New > External User Profile > Match all users.

      • If you support more than one external authentication scheme, select New > External User Profile > Match by domain.

   5. Configure the External User Profile properties:

      1. General Properties page:

         • If selected Match all users, then configure:

           • In the External User Profile name field, leave the default name generic*.

           • In the Expiration Date field, set the applicable date.

         • If selected Match by domain, then configure:

           • In the External User Profile name field, enter the applicable name. This name is used to authenticate users by the Authentication Manager.

           • In the Expiration Date field, set the applicable date.

           • In the Domain Name matching definitions section, configure the applicable settings.

      2. Authentication page:

         From the Authentication Scheme drop-down list, select SecurID.

      3. Click OK.

   6. From the top toolbar, click Update (or press the CTRL S keys).

   7. Close the Legacy SmartDashboard.

4. Complete the SecurID authentication configuration

   1. Make sure that connections between the Security Gateway and the Authentication Manager are not NATed in the Address Translation Rule Base All rules configured in a given Security Policy. Synonym: Rulebase..

      On a Virtual System, follow the instructions in sk107281.

   2. Save, verify, and install the policy in SmartConsole.

   When a Security Gateway has multiple interfaces, the SecurID agent on the Security Gateway sometimes uses the wrong interface IP to decrypt the reply from the Authentication Manager, and authentication fails.

   To overcome this problem, place a new text file, named sdopts.rec in the same directory as sdconf.rec.

   The file should contain this line:

   CLIENT_IP=<IP Address>

   Where <IP Address> is the primary IP address of the Security Gateway, as defined on the Authentication Manager. This is the IP address of the interface, to which the server is routed.

   Example:

   CLIENT_IP=192.168.20.30

   Note - On a VSX Gateway and VSX Cluster Members, you must create the same sdopts.rec file in the context VSID 0 and in the context of each applicable Virtual System.