000021417 - Check Point on Nokia appliances not able to authenticate users with RSA SecurID

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.


Article Number: 000021417
Applies To: Check Point Firewall, Nokia, IPSO, RSA ACE/Server
Issue: Check Point on Nokia appliances is not able to authenticate users with RSA SecurID.
Users cannot successfully perform a SecurID authentication.
In /var/log/messages, the following message is recorded: [LOG_ERR] ACEAGENT: The message entry does not exist for Message ID: 1008
Cause: It is not possible to determine which IP address the appliance is using to encrypt communication with the SecurID server.
Resolution: For each node in the cluster, determine the main IP address. Every node should have a unique "main" IP address (for example, the IP address used as the management IP by the Check Point software). For every node in the cluster, perform the following steps:

1. Create the sdopts.rec file in the /var/ace directory.

2. Using vi, edit the sdopts.rec file and insert the line:

    CLIENT_IP=10.10.111.10

   where 10.10.111.10 is replaced with the node's main IP address determined above.

3. On the ACE/Server, create a new node. Its main IP address is the unique IP address determined above.

4. Define as secondary IPs the IP addresses used as the source address in the SecurID packets sent to the SecurID server. (NOTE: You can determine these addresses by sniffing an ACE request on the ACE/Server.)

5. Stop and start FW-1 and try to authenticate.
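The file created in steps 1 and 2, as an added example that is not part of the RSA article or the agent's own tooling: a POSIX shell script that validates the address, writes the CLIENT_IP override into sdopts.rec (replacing any CLIENT_IP line already present so the file never carries two), and reads the configured value back. The directory is a parameter (pass /var/ace on the appliance); 10.10.111.10 is the article's placeholder address.

```shell
#!/bin/sh
# Added example, not from the RSA article: manage the CLIENT_IP override in sdopts.rec.

# valid_ipv4 IP: return 0 if IP is a dotted quad with every octet in 0..255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    oldifs=$IFS; IFS=.
    set -- $ip                                # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# write_sdopts DIR IP: create DIR/sdopts.rec, or replace its CLIENT_IP line,
# so the agent uses IP as the client address (the node's unique "main" IP).
write_sdopts() {
    dir=$1; ip=$2
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    mkdir -p "$dir" || return 1
    f="$dir/sdopts.rec"
    if [ -f "$f" ]; then
        grep -v '^CLIENT_IP=' "$f" > "$f.tmp" || :   # keep any other options
    else
        : > "$f.tmp"
    fi
    echo "CLIENT_IP=$ip" >> "$f.tmp"
    mv "$f.tmp" "$f" && chmod 644 "$f"
}

# current_client_ip DIR: print the CLIENT_IP currently set in DIR/sdopts.rec (empty if none).
current_client_ip() {
    sed -n 's/^CLIENT_IP=//p' "$1/sdopts.rec" 2>/dev/null | tail -n 1
}

# Usage on an IPSO node: write_sdopts /var/ace 10.10.111.10 && current_client_ip /var/ace
```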

For more information about using SDOPTS.REC, see the solution "How to set an IP address override for an RSA ACE/Agent and RSA Authentication Agent".
Legacy Article ID: a22844
