Creating a User Account with SecurID Authentication

SecurID requires users to both possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA Authentication Manager (AM) and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices. Software tokens reside on the PC or device from which the user wants to authenticate. All tokens generate a random, one-time use access code that changes approximately every minute. When a user attempts to authenticate to a protected resource, the one-time use code must be validated by the AM.

The Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. forwards authentication requests by remote users to the AM. The AM manages the database of RSA users and their assigned hard or soft tokens. The Security Gateway acts as an AM agent and directs all access requests to the AM for authentication. For more information on agent configuration, refer to RSA Authentication Manager documentation. There are no specific parameters required for the SecurID authentication method. Authentication requests can be sent over SDK-supported API or through REST API.

After you configure SecurID authentication, you can, in addition, configure authentication with a certificate file. The user can then authenticate to the Security Gateway with the SecurID or the certificate file.

To configure SecurID authentication for users:

1. Configure the API to send authentication requests

   You can select to enable one of two API types:

   • SDK-supported API

     A proprietary API that uses a proprietary communication protocol on UDP port 5500 through SDKs available for selected platforms.

     To enable SecurID authentication over SDK-supported API

     1. Create the sdconf.rec file on an ACE/Server and copy it to your computer.

        For details, refer to the RSA documentation.

        Important - Use the IP address of a Security Gateway interface that connects to the ACE/Server: For a specific Security Gateway Configure the IP address as the authentication agent. For a Cluster Configure these IP addresses as authentication agents: Physical IP address of each Cluster Member Security Gateway that is part of a cluster. and Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Virtual IP address. For a VSX Virtual System on a specific VSX Gateway Configure these IP addresses as authentication agents: IP address of the VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. and IP address of the Virtual System. For a VSX Virtual System on VSX Cluster Configure these IP addresses as authentication agents: Cluster Virtual IP address of the VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster and Cluster Virtual IP address of the Virtual System.

     2. Open the SecurID object in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click Browse and import the sdconf.rec file into the SecurID object.

     3. Install the Access Control policy.

        Note - During the policy installation, the sdconf.rec file is transferred the Security Gateway to /var/ace/sdconf.rec.

   • REST API

     To enable SecurID authentication over REST API

     1. Connect to the command line on the Security Gateway.

     2. Log in to the Expert mode.

     3. On a VSX Gateway or VSX Cluster Member, go to the context of VSID 0:

        vsenv 0

     4. Back up the current $CPDIR/conf/RSARestServer.conf file:

        cp -v $CPDIR/conf/RSARestServer.conf{,_BKP}

     5. Edit the $CPDIR/conf/RSARestServer.conf file.

        vi $CPDIR/conf/RSARestServer.conf

        Fill in these fields:

        • host - The configured host name of the RSA server.

        • port, client key, and accessid - From the RSA SecurID Authentication API window.

        • certificate - The name of the certificate file.

     6. Save the changes in the file and exit the editor.

   Note - If you do not complete the REST API configuration, the authentication is performed through the SDK-supported API.

2. Configure user groups

   1. In SmartConsole, open the Object Explorer (F11).

   2. Click New > More > User/Identity > User Group.

      The New User Group window opens.

   3. Enter the name of the group.

      For example: SecurID_Users

      Make sure the group is empty.

   4. Click OK.

   5. Publish the SmartConsole session.

   6. Install the Access Control policy.

3. Create a new user and define SecurID as the authentication method

   This configuration procedure is different for internal users (that are defined in SmartConsole) and for external users.

   To configure SecurID authentication settings for internal users

   Internal users are users that you configure in SmartConsole. The Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. keeps these users in the management database.

   1. In SmartConsole, open the Object Explorer (F11).

   2. Click New > More > User/Identity > User.

      The New User window opens.

   3. Choose the applicable user template and click OK.

   4. In the top field, enter the applicable object name.

      This must be a unique, case sensitive character string.

      If you generate a user certificate with a non-Check Point Certificate Authority, enter the Common Name (CN) component of the Distinguished Name (DN).

      For example:

      If the DN is: CN = James, O = My Organization, C = My Country

      then enter James as the user name.

      If you use Common Names as user names, they must contain exactly one string with no spaces.

   5. Optional: Enter the comment.

   6. On the General page, configure the applicable settings:

      • Email address (optional)

      • Mobile phone number (optional)

      • Expire at

        This is the date, after which the user is no longer authorized to access network resources and applications.

   7. On the Groups page, you can select the applicable user group objects (in addition or instead those configured in the user template).

   8. On the Authentication page, in the Authentication method field, select SecurID.

   9. On the Location page:

      1. Configure the allowed sources from which this user can access or send data and traffic.

         These objects must already exist before you can select them.

      2. Configure the allowed destinations to which this user can access or send data and traffic.

         These objects must already exist before you can select them.

   10. On the Time page:

       If the user has specific working days or hours, you can configure when the user can be authenticated for access.

       • From and To - Enter start time and end time of an expected workday. This user will not be authenticated if a login attempt is made at a time outside the given range.

       • Days in week or Daily - Select the days on which the user can authenticate and access resources. This user will not be authenticated if a login attempt is made on an unselected day.

   11. On the Certificates page:

       You can configure the applicable certificates for this user for more secured access control.

       1. Click New.

       2. Select the applicable option:

          • Registration Key for certificate enrollment

            Sends a registration key that activates the certificate.

            1. Enter the number of days the user has to activate the certificate, before the registration key expires.

            2. Optional: Enter a comment.

            3. Optional: Click Template to preview the email template.

            4. Click Send.

            5. Click OK to save this key.

          • Certificate file (p12)

            Creates a *.p12 certificate file with a private password for the user.

            1. Enter and confirm the certificate password.

               A password is required to protect the sensitive data in the certificate file.

            2. Optional: Enter a comment.

            3. Click OK.

            4. Wait for the Save As window to open.

            5. In the File name field, make sure to include the username.

            6. In the Save as type field, select Certificate Files (*p12).

               The certificate file is in the PKCS #12 format, and has a .p12 extension.

            7. Browse to a secure location on the SmartConsole computer.

            8. Click Save.

            9. Give the user this file and password.

       3. Click OK.

       Notes: If a user will not be in the system for some time (for example, going on an extended leave), you can revoke the certificate. This leaves the user account in the system, but it cannot be accessed until you renew the certificate. To revoke a key / certificate, select the key / certificate and click Revoke.

   12. On the Encryption page:

       You can configure the IKEv2 authentication and encryption settings for Remote Access VPN.

       1. Select IKE.

       2. Click Edit.

          The encryption IKE Phase 2 Properties window opens.

       3. On the Authentication page, select the authentication schemes:

          1. Password - The user authenticates with a pre-shared secret password.

          2. Public Key - The user authenticates with a public key contained in a certificate file.

       4. On the Encryption page, there are no settings to configure.

          Youy configure these algorithms in SmartConsole > Global Properties > Remote Access > VPN - Authentication > section Encryption algorithms.

       5. Click OK.

   13. Click OK.

   To configure SecurID authentication settings for external users

   External users are users that are you configure the Legacy SmartDashboard Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings..

   The Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. does not keep these users in the management database.

   1. In SmartConsole, click Manage & Settings > Blades.

   2. In the Mobile Access section, click Configure in SmartDashboard.

      Legacy SmartDashboard opens.

   3. In the bottom left Network Objects pane, and click Users.

      

   4. Right-click on an empty space and select the applicable option:

      • If you support only one external authentication scheme, click New > External User Profile > Match all users.

      • If you support more than one external authentication scheme, click New > External User Profile > Match by domain.

   5. Configure the External User Profile properties:

      1. On the General Properties page:

         • If selected Match all users, then configure:

           • In the External User Profile name field, leave the default name generic*.

           • In the Expiration Date field, set the applicable date.

         • If selected Match by domain, then configure:

           • In the External User Profile name field, enter the applicable name. This name is used to authenticate users by the Authentication Manager.

           • In the Expiration Date field, set the applicable date.

           • In the Domain Name matching definitions section, configure the applicable settings.

      2. On the Authentication page:

         From the Authentication Scheme drop-down list, select SecurID.

      3. Click OK.

   6. From the top toolbar, click Update (or press the CTRL S keys).

   7. Close the Legacy SmartDashboard.

4. Complete the SecurID authentication configuration

   1. Make sure that connections between the Security Gateway and the Authentication Manager are not NATed in the Address Translation Rule Base All rules configured in a given Security Policy. Synonym: Rulebase..

      On a VSX Virtual System, follow the instructions in sk107281.

   2. In SmartConsole, install the Access Control policy.

   When a Security Gateway has multiple interfaces, the SecurID agent on the Security Gateway sometimes uses the wrong interface IP to decrypt the reply from the Authentication Manager, and authentication fails.

   To overcome this problem, place a new text file, named sdopts.rec in the same directory as sdconf.rec.

   The file sdopts.rec should contain this line:

   CLIENT_IP=<IP Address>

   Where <IP Address> is the primary IP address of the Security Gateway, as defined on the Authentication Manager. This is the IP address of the interface, to which the server is routed.

   Example:

   CLIENT_IP=192.168.20.30

   Note - On a VSX Gateway and VSX Cluster Members, you must create the same sdopts.rec file in the context VSID 0 and in the context of each applicable Virtual System.