Did anybody come across this issue: enabling TLS 1.2 on Authentication Manager 8.4 breaks SecurID authentication from Checkpoint VPN Clients?
Do you know if the CheckPoint VPN uses the NativeSecurID UDP protocol on port 5500 with the sdconf.rec file, or does it use RADIUS?
UDP 5500 would not be affected by strict TLSv1.2 which only applies to TCP. Also RADIUS authentication uses either UDP port 1812 or 1645, so again that should not affect authentication.
Do you see anything in the Security Console Real Time Authentication Monitor?
Can you run a TCPdump and see any traffic coming from CheckPoint to AM, either RADIUS or Native SecurID?
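The reply above boils down to a port check: native SecurID agent traffic is UDP 5500, RADIUS authentication is UDP 1812 or 1645, and a strict TLSv1.2 setting can only touch TCP flows. The following is an added example, not code from this thread or from RSA or Check Point, that reads tcpdump text output and tallies which of those paths (if any) the gateway is actually using toward the Authentication Manager host. The capture lines and the 192.0.2.x / 198.51.100.20 addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not a real capture). 198.51.100.20 plays
# the Authentication Manager, 192.0.2.x the Check Point gateways.
SAMPLE_CAPTURE = """\
10:15:01.100001 IP 192.0.2.10.41234 > 198.51.100.20.5500: UDP, length 68
10:15:01.100452 IP 198.51.100.20.5500 > 192.0.2.10.41234: UDP, length 96
10:15:02.200003 IP 192.0.2.11.55123 > 198.51.100.20.1812: UDP, length 112
10:15:02.200890 IP 198.51.100.20.1812 > 192.0.2.11.55123: UDP, length 20
10:15:03.300004 IP 192.0.2.12.49001 > 198.51.100.20.443: Flags [S], seq 1, win 64240, length 0
"""

# tcpdump prints "UDP, length N" for UDP and "Flags [..]" for TCP segments.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<kind>UDP|Flags)"
)

# Well-known UDP ports named in the thread, mapped to the auth path they imply.
PORT_ROLE = {
    5500: "native-securid",
    1812: "radius-auth",
    1645: "radius-auth",
    1813: "radius-acct",
    1646: "radius-acct",
}


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not an IP packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": "udp" if m.group("kind") == "UDP" else "tcp",
    }


def classify(pkt, am_host):
    """Label a packet by the auth path it belongs to, seen from the AM host.

    A request carries the service port as destination, a reply as source, so the
    AM-side port decides the role. TCP is bucketed separately: it is the only
    traffic a TLS setting on AM could influence.
    """
    if pkt["proto"] == "tcp":
        return "tcp-other"
    am_port = pkt["dport"] if pkt["dst"] == am_host else pkt["sport"]
    return PORT_ROLE.get(am_port, "udp-other")


def summarize(capture_text, am_host):
    """Count packets to/from am_host per auth path; ignores unrelated hosts."""
    counts = Counter()
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or am_host not in (pkt["src"], pkt["dst"]):
            continue
        counts[classify(pkt, am_host)] += 1
    return dict(counts)


def auth_traffic_seen(summary):
    """True if any native SecurID or RADIUS authentication packet reached AM."""
    return any(summary.get(role, 0) for role in ("native-securid", "radius-auth"))


if __name__ == "__main__":
    s = summarize(SAMPLE_CAPTURE, "198.51.100.20")
    print(s)                      # {'native-securid': 2, 'radius-auth': 2, 'tcp-other': 1}
    print(auth_traffic_seen(s))   # True
```

Feed it a real `tcpdump -n -i <iface> host <AM address>` text dump: an empty summary, or one with only `tcp-other`, matches the "nothing in tcpdump" symptom and points at the gateway not sending at all, rather than at the TLS change.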
Using native SecurID.
Nothing in the RSA Auth Man real-time monitor.
Nothing in tcpdump...
In R80.10 do I need to create the /var/ace and populate it with sdconf.rec?
I had to do that step in the past versions of checkpoint but it is not required in the R80.10 document?
Also, I don't see the securid (node secret) file in /var/ace... is that correct?
Does the R80 doc say how to find the SecurID primary and replica? If you do not upload sdconf.rec, they might allow you to configure the primary IP address like Cisco ASA does.
Checkpoint R80 uses RADIUS for everything, and can do UDP (native SecurID) direct to Auth Manager.
UDP agent is supported... native SecurID.
With a checkpoint you typically upload the sdconf.rec file, then restart the firewall services, I believe with cpstop and cpstart. The node secret, a file called securid with no extension will be created after the first successful authentication. sdstatus.12 is a cache file of the primary and replicas in the realm.
You can generate and download an sdconf.rec in the Security console
Agreed... but there is no step in the Check_Point_Secure_Gateway_R80_10_RSA_SecurID_Access.pdf doc to copy the file into /var/log?
It doesn't even mention creating /var/ace on the firewalls?
On page 17 of the guide you simply import the sdconf.rec, the Checkpoint handles everything else.
That is not on the firewalls, it is uploading to the object in SmartDashboard.