[FW-1] Getting SecurID working with FW-1 FP3
I thought this might be helpful to anyone that is about to delve into SecurID. I had not worked with it before, and had no assistance from RSA or anyone else who had ever either installed or worked with it. Feel free to shoot me your (constructive) comments at my e-mail address, as I will frequently go months without culling through these lists anymore.

Configuring SecurID and FireWall-1 NG FP3

Configuration:
  Windows NT 4.0 Server running RSA ACE/Server version 5.0.1
  Nokia IPSO 3.6FCS5 on Nokia IP530 running FireWall-1 NG FP3 SP1

*Note: The step-by-step portion of this document is based on David Welch's (PhoneBoy) "SecurID and FP3" document found at http://www.phoneboy.com, but details were added to make it more helpful for the uninitiated.

Background

SecurID's documentation was not very much help with the implementation. I scanned/read/perused/rifled several different versions numerous times, and none of it resulted in a single successful authentication. As usual with FireWall-1 issues, it took combining information from several different resources to get it going. This will hopefully save someone the pain I suffered at the hands of RSA's technical documentation staff.

Helpful Facts

Post installation of ACE, you will need to run the Configuration Management tool ("$ACEDIR/prog/sdadmin setup" on a UNIX server, and then "$ACEDIR/prog/sdadmin" thereafter for administering SecurID locally). This is where you can enable RADIUS, specify ports, etc. The documentation seemed to hint that you want to make the OS services file comply with what is in the configuration tool, instead of the other way around.

On Windows, all the services will be added for you except RADIUS: on Windows 2000 you will have to change its port from 1812/udp to 1645/udp, and on Windows NT you will have to add it, in the file %SystemRoot%\system32\drivers\etc\services. (1812/udp is the IANA-assigned RADIUS port; 1645/udp is the older, pre-assignment port. Whichever port the Configuration Management tool is set to, the RADIUS server object on the firewall must use the same one, or the requests never reach ACE at all.) On UNIX, however, you are on your own.
It will pop up a list of entries you need to add to your /etc/services file. Hopefully you have this session in an X-term or in something like SecureCRT so you can copy the list to the clipboard, because once you "OK" this window you will not see it again. All the required ports are in the installation manuals.

Launch the Database Administration Tool - Host Mode ($ACEDIR/prog/sdadmin). This is the "local version" of this tool, and should only be found on actual ACE/Server installs. The manual claims that you can install the management client only, as a menu option after setup starts, but I have yet to actually see this option on any of the platforms I have attempted (Windows NT 4.0 Server, Windows 2000 Server, and, dare I say, Windows XP). There were instances where this tool (Host Mode specifically) issued odd error messages and then crashed after I used it to configure the users and server parameters initially, but the Remote Mode tool always worked (provided you did NOT forget your password/PIN for the users with admin privileges). The Host Mode tool seemed to work on and off inexplicably.

Most of the defaults work fine. The main tasks out of the gate are:

  1. Verify "System Parameters" are appropriate (i.e. Allow Remote Administration)
  2. Create groups
  3. Create a site
  4. Import tokens
  5. Add users (give administrative privileges to administrators)
  6. Add agent hosts

Realm

This is for when you have multiple SecurID realms, which could happen if you had multiple implementations of SecurID across a large enterprise. This is also the "External Authentication" setting in the System menu, so if you enabled that and all you have is one ACE/Server, go back and disable it. It is unlikely that you will need this document if you need to add other realms: someone has already gotten it working somewhere, so make them do it.

Profiles

This is for authenticating to SecurID through RADIUS.
If you are using some bizarre custom attribute (Frame-Filter-ID, for instance, if you have been trying to pass group information from FireWall-1 NG to a Livingston RADIUS server), this is where you would map it.

RADIUS

This is key to getting this to work: the SecurID server is the Agent Host when you are using the ACE RADIUS server. If you watch the log viewer (Report => Log Monitor => Activity Monitor), you will see the authentication requests coming FROM the ACE/Server TO the ACE/Server. This means you must create it as an Agent Host, AND use "Assign/Change Encryption Key" to set the shared secret (this must match the secret defined in the RADIUS server object in the SmartConsole/Policy Editor). DON'T forget to generate the sdconf.rec and copy it to %SystemRoot%\system32 ($ACEDIR/data on a UNIX machine).

During the installation you can choose to import all your RADIUS files if you have them handy. These tools can also be used after the fact, and they are all documented in the manuals.

Step-by-step setup:

1. On the ACE/Server, define your firewall as a Communications Server within the "Add Client" menu of the administrative tool.

   Critical Note: On the ACE/Server, be sure that the client hostname and IP address of the firewall agree with the firewall's own definitions (**put the SecurID server in the hosts file on the firewall, and vice versa). This means that the node name (as returned by the command "hostname") and the IP to which that name resolves must match what is configured on the ACE/Server.

2. On the ACE/Server, list the other interfaces of the firewall under Secondary Nodes in the client configuration. These must be listed in order for the ACE/Server to accept authentication requests from the firewall when they come from interfaces other than the one the firewall's hostname resolves to.
   (***For IPSO***: when defining your agent hosts (the firewall enforcement modules) on the ACE/Server, go to "Assign Acting Servers" within the "Add/Modify Agent Host" dialog boxes and select the primary and secondary (if you have one) servers. You can also do this from the Agent Host pull-down menu using Server Assignment. This MAY NOT be required for other platforms like Windows 2000; there is some "legacy client" issue at work here. Many firewall administrators actually suggest installing the ACE Agent software for their respective platforms. If there is an issue, for whatever reason, with the IP of the primary, you can use the Custom option and manually enter the hostname and IP; this could happen where the ACE/Server's IP had to be changed and the old IP is still showing up in this field. If you have run the Configuration Tool and set it to the new IP, this is not a problem.)

   Generate an sdconf.rec file from this screen. If you just selected a server (versus Custom), when you hit OK it will write the sdconf.rec to "$ACEDIR/data/config_files/servername.ip_address/sdconf.rec"; otherwise it will prompt for where to store it. The reason for this is that when you create the sdconf.rec with a custom hostname and IP, it does not write any changes to the database.

3. From the FW-1 Management GUI, define a user group called SecurIDUsers. (From the "Manage" menu, select Users, New, Group.)

4. From the FW-1 Management GUI, define a new user (using the default template) named generic*. On NG FP3 and above, create a User Profile. Add this user to the group SecurIDUsers. Under properties for this user, define SecurID as the authentication method. [Note that only one generic* user can be configured on a FW-1 at any given time.]

5. Add a FW-1 security rule with a source of SecurIDUsers@any, whatever destination and service you want to authenticate, and an action of UserAuth. Save, verify and install the security policy.
   ALSO, by allowing authentication to the firewall itself (FWAUTH_http and FWAUTH_telnet, ports 900 and 259 respectively), you can test whether authentication works before putting a real rule in front of it. If you have just assigned a token to the username, it should prompt you to set up a new PIN.

6. Check the Network Address Translation rules in the FW-1 GUI to be sure that communications between the firewall and the ACE/Server are not address translated (address translation will really complicate the node secret exchange between the two boxes).

7. On a UNIX or IPSO platform, create the directory /var/ace.

8. Copy whichever sdconf.rec file you generated during the Agent Host setup above from the ACE/Server to /var/ace/sdconf.rec (on NT, this should be %SystemRoot%\system32\sdconf.rec).

   **Note of Interest: When the firewall first attempts to pass authentication to SecurID, it will create another file in the /var/ace directory called "sdstatus.12". The only reference I found to this file was on PhoneBoy's site, which says this is the initial node secret file (not sure about that). Later the file "securid" will appear. This is the actual node secret file sent by the SecurID console.

9. Bounce FireWall-1 (cpstop; cpstart).

10. Test authentication by initiating a connection to whatever destination and service you defined in your rule. Also, if you have defined a profile for a given user to authenticate via SecurID, you can just enable the FWAUTH group, which enables the HTTP and telnet authentication (ports 900 and 259 respectively). When you connect to either of these ports, you will be prompted for authentication. You should see:

   SecurID User

     Check Point FireWall-1 Client Authentication Server running on securid-test
     User: cdooley
     PASSCODE: **********
     User cdooley authenticated by SecurID
     No Client Authentication Rules Are Available
     Connection to host lost.
   RADIUS User

     Check Point FireWall-1 Client Authentication Server running on securid-test
     User: carric
     password: ****
     User carric authenticated by Radius authentication
     No Client Authentication Rules Are Available
     Connection to host lost.

   The "No Client Authentication Rules Are Available" line is expected here: ports 900 and 259 are served by the Client Authentication server, and the rule in step 5 is a User Auth rule, so there is nothing for it to open once the login succeeds. The line that matters for this test is "authenticated by SecurID" (or "by Radius authentication"); a failure will be reported there, not in the last two lines.

11. On the ACE/Server, Reports/Log Monitor/Activity Monitor will show current activity.

Basic troubleshooting

It may take several tries to generate a good sdconf.rec. If you do this for a box that you have already tried to authenticate from (i.e. an enforcement point), it sometimes takes two steps to straighten it out. First, on the firewall, delete the sdconf.rec, sdstatus.12 and securid files. Then at the SecurID console, make sure you UNCHECK the "Sent Node Secret" checkbox for that Agent Host. This tells SecurID to send the node secret again.

Good luck!!
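As an added example (not part of the original post, and not RSA or Check Point tooling), the following POSIX shell script does the UNIX/IPSO-side housekeeping from the sections above in one place: the /etc/services edit from "Helpful Facts" (replace an existing RADIUS entry or append a missing one), the hostname/IP agreement check from step 1, a report of which of sdconf.rec, sdstatus.12 and securid are present in /var/ace (steps 8 and 9), and the file removal from "Basic troubleshooting". The variables ACE_DIR and HOSTS_FILE, the state names it prints, and the file name acecheck.sh are this example's own assumptions; the reading of sdstatus.12 as the first-attempt marker and securid as the node secret follows the post's note of interest. The ACE/Server half of the reset (unchecking "Sent Node Secret") still has to be done in the console.

```shell
#!/bin/sh
# Added example, not part of the original post and not RSA or Check Point
# tooling: firewall/UNIX-side helpers for the ACE/Agent setup described
# above. ACE_DIR and HOSTS_FILE are this script's own variables (assumptions)
# so every function can be pointed at a scratch copy for testing.

ACE_DIR="${ACE_DIR:-/var/ace}"
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# set_service NAME PORT PROTO [FILE]
# Leaves FILE ("name port/proto [aliases]" per line) with exactly one NAME
# entry for PROTO at PORT: the existing line is replaced when the port differs
# (the 1812/udp -> 1645/udp RADIUS change the post describes) and a line is
# appended when there is none (the "add it yourself" case on NT and UNIX).
set_service() {
    _svc="$1"; _port="$2"; _proto="$3"; _file="${4:-/etc/services}"
    _tmp="$_file.tmp.$$"
    awk -v svc="$_svc" -v port="$_port" -v proto="$_proto" '
        $1 == svc && $2 ~ ("/" proto "$") {
            if (!done) print svc "\t" port "/" proto
            done = 1; next
        }
        { print }
        END { if (!done) print svc "\t" port "/" proto }
    ' "$_file" > "$_tmp" && mv "$_tmp" "$_file"
}

# check_host_mapping NAME IP [FILE]
# Exit 0 only if a non-comment line in FILE has address IP and lists NAME as
# a whole word. Step 1 above needs the firewall's `hostname` and the address
# it resolves to, to be the same pair the ACE/Server holds for the Agent
# Host, and the ACE/Server's own name/IP to be in the firewall's hosts file.
check_host_mapping() {
    _name="$1"; _ip="$2"; _file="${3:-$HOSTS_FILE}"
    [ -r "$_file" ] || return 2
    awk -v name="$_name" -v ip="$_ip" '
        { sub(/#.*/, "") }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$_file"
}

# agent_state [DIR]
# Reports where the agent is in the node-secret exchange, judged from the
# files the post says appear in /var/ace (the state names are this example's):
#   missing-sdconf  sdconf.rec not copied over yet (step 8 not done)
#   fresh           sdconf.rec present, no authentication attempted yet
#   handshake       sdstatus.12 written by the first attempt, no secret yet
#   established     "securid", the node secret from the ACE/Server, is present
agent_state() {
    _dir="${1:-$ACE_DIR}"
    if [ ! -f "$_dir/sdconf.rec" ]; then echo missing-sdconf
    elif [ -f "$_dir/securid" ]; then echo established
    elif [ -f "$_dir/sdstatus.12" ]; then echo handshake
    else echo fresh
    fi
}

# reset_node_secret [DIR]
# Firewall half of the troubleshooting procedure: remove sdconf.rec,
# sdstatus.12 and securid so the next attempt starts clean. The ACE half,
# unchecking "Sent Node Secret" on the Agent Host, is still done in the console.
reset_node_secret() {
    _dir="${1:-$ACE_DIR}"
    rm -f "$_dir/sdconf.rec" "$_dir/sdstatus.12" "$_dir/securid"
}

# Command-line front end (does nothing when sourced without arguments):
#   sh acecheck.sh check NAME IP | state | reset
case "${1:-}" in
    check) check_host_mapping "$2" "$3" && echo "$HOSTS_FILE maps $2 -> $3" ;;
    state) echo "agent state in $ACE_DIR: $(agent_state)" ;;
    reset) reset_node_secret && echo "node secret files removed from $ACE_DIR" ;;
esac
```

Run `sh acecheck.sh check $(hostname) <ip>` on the firewall with the IP the ACE/Server has for it, and the same with the ACE/Server's name and IP, before copying sdconf.rec; if either fails, fix the hosts files first, since the node secret exchange will not complete otherwise. After a failed round, `sh acecheck.sh reset` followed by unchecking "Sent Node Secret" on the ACE/Server puts both sides back to the state before the first attempt.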