Did anybody come across this issue: enabling TLS 1.2 on Authentication Manager 8.4 breaks SecurID authentication from Checkpoint VPN Clients?
Using native SecurID.
Nothing in the RSA Auth Man real-time monitor.
Nothing in tcpdump...
In R80.10, do I need to create /var/ace and populate it with sdconf.rec?
I had to do that step in past versions of Checkpoint, but it is not required in the R80.10 document?
Also, I don't see the securid (node secret) file in /var/ace. Is that correct?
With a Checkpoint you typically upload the sdconf.rec file, then restart the firewall services, I believe with cpstop and cpstart. The node secret, a file called securid with no extension, will be created after the first successful authentication. sdstatus.12 is a cache file of the primary and replicas in the realm.
You can generate and download an sdconf.rec in the Security Console.
Do you know if the CheckPoint VPN uses the NativeSecurID UDP protocol on port 5500 with the sdconf.rec file, or does it use RADIUS?
UDP 5500 would not be affected by strict TLSv1.2 which only applies to TCP. Also RADIUS authentication uses either UDP port 1812 or 1645, so again that should not affect authentication.
Do you see anything in the Security Console Real Time Authentication Monitor?
Can you run a tcpdump and see any traffic coming from CheckPoint to AM, either RADIUS or Native SecurID?
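The tcpdump check asked for above, as an added example that is not part of the original thread: a small classifier that reads `tcpdump -nn` text output and counts what reaches Authentication Manager as Native SecurID (UDP 5500), RADIUS (UDP 1812/1645) or TCP. The IP addresses, the TCP port and the capture lines are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sort captured packets by the authentication transport
# discussed in the thread. All addresses and sample lines are constructed.

classify_auth_traffic() {
    # $1 = Authentication Manager IP; `tcpdump -nn` lines arrive on stdin.
    awk -v am="$1" '
    $2 == "IP" && $4 == ">" {
        dst = $5; sub(/:$/, "", dst)       # "192.0.2.10.5500:" -> "192.0.2.10.5500"
        n = split(dst, p, ".")
        port = p[n]
        host = p[1] "." p[2] "." p[3] "." p[4]
        if (host != am) next               # keep only packets sent to AM
        if ($0 ~ /Flags \[/)               tcp++     # tcpdump prints Flags only for TCP
        else if (port == 5500)             native++  # Native SecurID agent protocol
        else if (port == 1812 || port == 1645) radius++
        else                               other++
    }
    END {
        printf "native_securid_udp5500=%d radius_udp=%d tcp=%d other=%d\n",
               native, radius, tcp, other
    }'
}

sample_capture() {
    # Constructed lines in the format `tcpdump -nn` prints.
    cat <<'EOF'
12:00:01.000001 IP 192.0.2.20.41234 > 192.0.2.10.5500: UDP, length 124
12:00:01.050000 IP 192.0.2.10.5500 > 192.0.2.20.41234: UDP, length 124
12:00:05.000000 IP 192.0.2.20.50000 > 192.0.2.10.1812: RADIUS, Access-Request (1), id: 0x2a length: 80
12:00:09.000000 IP 192.0.2.20.51000 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
EOF
}

# Live use (assumed interface and address): tcpdump -nn -i eth0 host <AM_IP> | classify_auth_traffic <AM_IP>
sample_capture | classify_auth_traffic 192.0.2.10
```

All-zero counts mean no authentication packets from the gateway reached the capture point at all, which points at the gateway configuration or the network path rather than the TLS setting.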