Troubleshooting RSA Securid authentication

Troubleshooting Checkpoint firewall issues involving RSA securid authentication Method:

If there is any problem in the authentication process then you might have to add a rule on the firewall:

something like this:

source:any
destination: Firewall object
service: FW1_Clientauth ( this consists of FW1_Clntauth_http and FW1_clntauth_telnet)
action: accept

If this is for example a client authentication rule, then the rule should be like this:

source:
Remoteusers@Any
destination:192.168.10.10
service:any
action: client Auth

If you are using securid for authentication, then select, ignore user database.

After the rules are configured, try to telnet to the firewall on port 259 for telnet or 900 for http, it

should authenticate you. If it is returning with errors as password incorrect or if the firewall is not

tranferring the request to the securid server, then this asks for further troubleshooting.

Check the Ace server parameters on the firewall:

Firewall A# cd /var/ace
Firewall A# ls -la
drwxrwxr-x 2 root wheel 512 Jan 27 2004 .
drwxr-xr-x 18 root wheel 512 Jan 29 14:44 ..
-rw-r--r-- 1 root wheel 1024 Jan 27 2004 sdconf.rec
-rw-rw-r-- 1 root wheel 21 Jan 27 2004 sdopts.rec
-rw-rw-r-- 1 root wheel 2418 Dec 3 21:36 sdstatus.12
-r-------- 1 root wheel 512 Jan 27 2004 securid

MOve the entire folder to a backup folder as shown below:

Firewall A# mv sd* backupace

Get the sdconf.rec file from the ace server and import this file into this folder. Remove the click sign

from the Edit Agent Host -----> Node Secret Created. This should allow the firewall and the ACE server to

exchange and create certificates.

After the file is imported, restart the firewall services or best reboot the firewall if possible (this

might be needed in FP2 versions).

Firewall A# cpstop; cpstart

Most common problem of not working: The firewall IP address entered in the Agent Host could be incorrect.

Please make sure that the IP address is correct.

A way of testing whether the username/pass is working to telnet localhost 259, put in username password and check the ace server activity log.

Ctrl+ ] , then a quit should end the telnet session.