RSA SECURID® ACCESS


Implementation Guide

Check Point Security Gateway Software Blades R80.10

Daniel R. Pintal, RSA Partner Engineering


Last Modified: December 17, 2018
Check Point
Security Gateway Software Blades R80.10

Solution Summary
Check Point Security Gateway can be integrated with RSA SecurID Access to provide RSA SecurID Authentication using either native SecurID Agent integration or RADIUS.
Check Point Security Gateway can be integrated with RSA Identity Router to provide policy-based Multi-factor (including SecurID) Authentication using RADIUS.
RSA SecurID Access Features                        Check Point Software Blades R80.10

On Premise Methods
  RSA SecurID                                      ✔
  On Demand Authentication                         ✔
  Risk-Based Authentication (AM)                   -
Cloud Authentication Service Methods (CAS)
  Authenticate App                                 ✔
  FIDO Token                                       -
SSO
  SAML SSO                                         -
  HFED SSO                                         -
Identity Assurance
  Collect Device Assurance and User Behavior       -


Supported Authentication Methods by Integration Point


This section indicates which authentication methods are supported by integration point. The next section
(Configuration Summary) contains links to the appropriate configuration sections for each integration
point.

Check Point Security Gateway integration with RSA Cloud Authentication Service

Authentication Methods      REST   IDR SAML   Cloud SAML   HFED   RADIUS
RSA SecurID                 -      -          -            -      ✔
LDAP Password               -      -          -            -      ✔
Authenticate Approve        -      -          -            -      ✔
Authenticate Tokencode      -      -          -            -      ✔
Device Biometrics           -      -          -            -      ✔
SMS Tokencode               -      -          -            -      ✔
Voice Tokencode             -      -          -            -      ✔
FIDO Token                  -      -          -

Check Point Security Gateway integration with RSA Authentication Manager

Authentication Methods      REST   UDP Agent   TCP Agent   RADIUS
RSA SecurID                 -      ✔           ✔           -
AM RBA                      -      -

✔   Supported
-   Not supported
n/t Not yet tested or documented, but may be possible


Configuration Summary
All of the supported use cases of RSA SecurID Access with Check Point Security Gateway require both
server-side and client-side configuration changes. This section of the guide includes links to the
appropriate sections for configuring both sides for each use case.
RSA Cloud Authentication Service – Check Point Security Gateway can be integrated with RSA Cloud Authentication Service in the following way(s):
  RADIUS Client
    Cloud Authentication Service RADIUS Configuration
    Check Point Security Gateway RADIUS Configuration
RSA Authentication Manager – Check Point Security Gateway can be integrated with RSA Authentication Manager in the following way(s):
  RADIUS Client
    Authentication Manager RADIUS Configuration
    Check Point Security Gateway RADIUS Configuration
  UDP Agent
    Authentication Manager UDP Agent Configuration
    Check Point Security Gateway UDP Agent Configuration


RSA SecurID Access Server Side Configuration


RSA Cloud Authentication Service Configuration
RADIUS
To configure RADIUS for the Cloud Authentication Service for use with a RADIUS client, you must first configure a RADIUS client in the RSA SecurID Access Console.
Log on to the RSA SecurID Access console and browse to Authentication Clients > RADIUS > Add RADIUS Client, then enter the Name, IP Address and Shared Secret. Click Publish to push your configuration change to the RADIUS server.
The RSA Cloud Authentication Service RADIUS server listens on UDP port 1812.

RSA Authentication Manager Configuration


RADIUS
To configure your RSA Authentication Manager for use with a RADIUS agent, you must configure a RADIUS client and a corresponding agent host record in the Authentication Manager Security Console. The relationship of agent host record to RADIUS client in the Authentication Manager can be 1 to 1, 1 to many or 1 to all (global).
The RSA Authentication Manager RADIUS server listens on UDP ports 1645 and 1812.
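The RADIUS exchange that the client objects above (name, IP address, shared secret, UDP 1812 or 1645) set up, as an added example that is not part of this guide or of RSA's or Check Point's software: it builds the Access-Request the gateway sends, hides User-Password the way RFC 2865 requires, and verifies the Response Authenticator before trusting an Access-Accept or an Access-Challenge carrying a New PIN or Next Tokencode prompt. The shared secret, user name and prompt text are constructed values, and the UDP send/receive is left out.

```python
import hashlib
import os
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # RFC 2865 attribute types

def encode_password(secret, authenticator, password):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator  # chain starts from the Request Authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(kind, value):
    return bytes([kind, 2 + len(value)]) + value  # Type, Length, Value (value is bytes)

def build_access_request(secret, ident, user, passcode, state=b"", authenticator=None):
    """Client (gateway) side: passcode is PIN+tokencode or a New PIN / Next Tokencode answer."""
    auth = authenticator or os.urandom(16)  # fresh random Request Authenticator per request
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(USER_PASSWORD, encode_password(secret, auth, passcode.encode()))
    if state:  # echo the State from the server's Access-Challenge so it can match the round
        attrs += attr(STATE, state)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def build_response(secret, request_auth, code, ident, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def parse_response(secret, request_auth, pkt):
    """Client side: verify the Response Authenticator, then return code, Reply-Message and State."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    resp_auth, attrs = pkt[4:20], pkt[20:length]
    # A reply that fails this check was not produced with our shared secret: discard it
    if hashlib.md5(pkt[:4] + request_auth + attrs + secret).digest() != resp_auth:
        raise ValueError("Response Authenticator mismatch")
    out = {"code": code, "id": ident, "reply": "", "state": b""}
    while attrs:
        kind, alen = attrs[0], attrs[1]
        value, attrs = attrs[2:alen], attrs[max(alen, 2):]  # max() keeps advancing on bad lengths
        if kind == REPLY_MESSAGE:
            out["reply"] += value.decode(errors="replace")
        elif kind == STATE:
            out["state"] = value
    return out
```

A mismatched shared secret on either side shows up as the ValueError here, which is the symptom to check first when the gateway reports every authentication as failed.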

UDP Agent
To configure your RSA Authentication Manager for use with a UDP-based agent, you must create an agent host record in the Security Console of your Authentication Manager and download its configuration file (sdconf.rec).
• Hostname: Configure the agent host record name to match the hostname of the agent.
• IP Address: Configure the agent host record to match the IP address of the agent.

Important: Authentication Manager must be able to resolve the IP address from the hostname.


Partner Product Configuration


Before You Begin
This section provides instructions for configuring the Check Point Security Gateway with RSA SecurID
Access. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to
perform the tasks outlined in this section. Administrators should have access to the product
documentation for all products in order to install the required components.
All Check Point Security Gateway components must be installed and working prior to the integration.
Perform the necessary tests to confirm that this is true before proceeding.

Overview
  Configure an Authentication Server
    SecurID Access RADIUS On-Prem & CAS VPN and Mobile Client Configuration
    Authentication Agent (UDP) Configuration
  Configure Check Point for RSA SecurID Authentication
    Enable RSA Authentication for users
    Configure a User
    Configure for External Users
  Check Point IPSec VPN Configuration
    Configure a VPN Community Rule


Configure an Authentication Server


Check Point RADIUS Client Configuration
Complete the steps in this section to integrate with RSA SecurID Access using RADIUS authentication
protocol.
1. Launch the Check Point SmartConsole application with an administrator account. On the right side of the Check Point SmartConsole, select Object to reveal the toolbar. Right-click Network Objects and click Host....


2. In the Host window, enter the Object Name then specify the IPv4 address or DNS Name, click
OK.
3. Repeat step 2 for each SecurID RADIUS or SecurID RADIUS Cloud Access server, select OK.

4. Right click Servers, select More > RADIUS.


5. Enter the Object Name for the SecurID RADIUS server and from the drop-down list select the RADIUS host configured in step 2 (repeat as needed for each SecurID RADIUS Host). Choose the RADIUS Service:
   • RADIUS, RADIUS Ver 1.0, port 1645 (supports SecurID RADIUS On-Premise only)
   • NEW-RADIUS, port 1812 (supports SecurID RADIUS On-Premise or SecurID RADIUS CAS)


6. Right click Servers then select More > RADIUS Group.

7. Use one of the following: SecurID Access RADIUS or SecurID RADIUS Cloud Access Service.
8. (SecurID Access RADIUS): If the Check Point Mobile/VPN deployment is being configured with RSA SecurID Access RADIUS On-Premise, provide a RADIUS Group Name for the object and add any number of RADIUS servers to the list.


9. (SecurID RADIUS Cloud Access Service): If the Check Point Mobile/VPN deployment is being configured with RSA SecurID Cloud Access Service RADIUS, provide a RADIUS Group Name for the object and add the RSA SecurID Cloud Access Service RADIUS Server.

10. Right click the Check Point Server and select Edit.


11. Select the VPN Clients > Authentication, check Allow older clients to connect to this
gateway and Settings.

12. Change the Display Name to RADIUS then from the Authentication Method drop down list select
RADIUS and from the Server drop down list select the SecurID RADIUS Group.


13. Select Global Properties to modify them.


14. Select Advanced > Configure from the Global Properties screen.

15. Modify the radius ignore setting, changing the default value of “0” to “76”, then select OK.


16. Select Install Policy from the SmartConsole.


17. Select Publish & Install to install the policy.

18. Select Install.


RSA SecurID Access Native (UDP) Configuration


Complete the steps in this section to integrate with RSA SecurID Access using UDP-based agent protocol.
1. Launch the Check Point SmartConsole application with an administrator account. On the right side of the Check Point SmartConsole, select Object to reveal the toolbar. Right-click Servers and select More > SecurID....


2. Enter the Name for the SecurID server, select Browse to import the sdconf.rec Configuration file.

3. Locate the sdconf.rec downloaded from the RSA SecurID Access server, select Open.


4. Right click the Check Point Server and select Edit.

5. Select the VPN Clients > Authentication, check Allow older clients to connect to this
gateway and Settings.


6. Change the Display Name to SecurID, from the Authentication Method drop-down list select SecurID and from the Server drop-down list select the server SecurID_Native, then select OK.

7. Select Install Policy from the SmartConsole.


8. Select Publish & Install to install the policy.

9. Select Install.


Enable RSA SecurID Access User Authentication


Configure a User
In this section a user will be created that will authenticate to the RSA Authentication Manager Servers.
This user can be configured to authenticate via either SecurID or RADIUS.
1. Launch the Check Point SmartConsole application with an administrator account. On the right side of the Check Point SmartConsole, select Object to reveal the toolbar. Right-click Users and click User...

2. From the New User Window, choose the Default template, select OK.


3. Enter the name of the user in the Object Name field and Email address in the appropriate field,
select Authentication.

4. From the drop down box choose either SecurID or RADIUS as the user’s Authentication method,
click OK.

5. Select Install Policy from the SmartConsole.


Login Screenshots
(Screenshots not reproduced; captions only.)
  Login screen
  User-defined New PIN
  System-generated New PIN
  Next Tokencode
  SecurID Cloud Access Service (LDAP Username & Password)


Certification Checklist for RSA SecurID Access


Certification Environment Details:
RSA Authentication Manager 8.x, Virtual Appliance
RSA Authentication Agent 7.3.1, Windows 10 64bit
RSA Authentication Software 5.0 Windows 10 64 bit
RSA Remote Authentication Client 3.6, Windows 10 64 bit
Check Point Security Gateway Software Blades 80.10, GAIA OS
Check Point SmartConsole 80.10

RSA Cloud Authentication Service    Date Tested: December 17th, 2018

Authentication Method               REST Client   RADIUS Client
RSA SecurID                         -             ✔
LDAP Password                       -             ✔
Authenticate Approve                -             ✔
Authenticate Device Biometrics      -             -
Authenticate Tokencode              -             ✔
SMS Tokencode                       -
Voice Tokencode                     -
FIDO Token                          -

RSA Authentication Manager    Date Tested: October 1st, 2018

Authentication Method                     REST Client   UDP Agent   TCP Agent   RADIUS Client
RSA SecurID                               -             ✔           -           ✔
RSA SecurID Software Token Automation     -             ✔           -           ✔
On Demand Authentication                  -             ✔           -           ✔
Risk-Based Authentication                               ✔                       ✔

✔ = Passed, X = Failed, - = N/A


Known Issues

Important: This release does not enforce authentication after a new PIN is set via Native SecurID. This issue does not apply to RADIUS. Therefore, On Demand Authentication via Native SecurID when in New PIN mode will authenticate a user without the user ever entering a tokencode. This is effectively a single-factor authentication. This is not an issue once the user sets the PIN.


Appendix
RSA SecurID Access Integration Details
Partner Integration Details
  RSA Authentication Agent API (UDP)        N/A
  RSA Authentication Agent API (TCP)        N/A
  RSA SecurID Authentication API (REST)     N/A
  RSA SecurID User Specification            All Users
  Display RSA Server Info                   No
  Perform Test Authentication               No
  Agent Tracing                             No

RSA Authentication Agent Files (C and Java Agents only)

RSA SecurID Authentication Files
  UDP Agent Files               Location
  sdconf.rec                    GAIA /var/ace | Windows %SystemRoot%\system32\
  sdopts.rec                    Not tested
  Node secret                   GAIA /var/ace | Windows %SystemRoot%\system32\
  sdstatus.12 / jastatus.12     GAIA /var/ace | Windows %SystemRoot%\system32\

Node Secret Removal


Windows Platform
1. To clear the node secret from a Windows host, select Run > regedit.
2. Navigate the left-hand tree to HKEY_LOCAL_MACHINE/Software/ACECLIENT.
3. Select Node Secret and delete.
4. Reboot the PC.
Gaia Platform
1. Log in to the GAIA CLI console and enable expert mode.
2. Change directory to /var/ace.
3. Delete the securid file: rm securid.
4. Stop the Check Point services: cpstop.
5. Start the Check Point services: cpstart.
