When adding a Checkpoint Firewall as an agent host in RSA for "native" SecurID authentication, you may find that you cannot get authentication working and your RSA activity log just keeps saying "passcode incorrect" when you know you're getting it right. You will also notice that the "Node Secret created" checkbox for the agent host on the RSA server is still greyed out.
All communication between an RSA Agent and the server is performed over an encrypted channel based on a shared secret key. This key is called the "node secret", and it is generated automatically, but only after the first *successful* authentication to the RSA server. Until then, the first authentication between the RSA agent (the firewall, in this case) and the server is still encrypted, so by what method is it "authenticated"? The answer lies in the primary IP address of the agent host. You must define the agent host in RSA with its *primary* IP address, which means you need to find out what the agent thinks its primary IP address is. In the case of Firewall-1, the primary IP address is always the address the firewall has listed as its IP address when you view/edit its object in SmartDashboard. Often this is the firewall's external (Internet) interface.

You then need to ensure that the agent host defined on the RSA server also lists the firewall interface that will be the source address of all authentication requests from the firewall (these extra addresses are called "secondary nodes" in RSA terminology). If you don't do this, authentication will also fail, because the source IP address attempting to connect to the RSA server will be unknown to RSA. Note that the names of agent hosts, and the names of their secondary nodes on the RSA server, are irrelevant. You could call your agent host and/or its secondary nodes "DieYuppieScum", and so long as your IP addresses are correct, your authentications will work.

So, with the above information we can describe the node secret creation process:

1. The administrator creates the agent host on the RSA server with the correct IP address details.
2. The administrator copies the sdconf.rec file from the RSA server to the /var/ace directory on the firewall (if UNIX).
3. The first SecurID authentication attempt to the firewall is made.
4. The agent host and RSA server use the agent's primary IP address as an "authentication" key to perform session encryption of the authentication attempt.
5. Authentication (hopefully) succeeds.
6. The node secret is created by the RSA server and sent to the agent host via the previously created encrypted session.
7. All future authentication attempts use the node secret to encrypt authentication requests.

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] and in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
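The pre-flight checks implied by the steps above, as an added shell example that is not part of the original post: it extracts the source address the firewall would use to reach the RSA server from `ip route get` output, checks that address against the primary and secondary node addresses the agent host was defined with in RSA, and reports whether sdconf.rec and a node secret are already present under /var/ace. The node secret file name `securid`, the VAR_ACE default, the function names and the sample addresses are assumptions of this example, not details taken from the post.

```shell
#!/bin/sh
# Added pre-flight check for a UNIX Firewall-1 SecurID agent host. Example code, not part
# of the original post. Assumptions not stated in the post: VAR_ACE defaults to /var/ace,
# and a created node secret is stored as $VAR_ACE/securid (the usual ACE agent layout;
# confirm on your agent build). Addresses used below are constructed documentation ranges.

VAR_ACE="${VAR_ACE:-/var/ace}"

# route_src_ip "<one line of 'ip route get' output>"
# Prints the address the kernel would use as the source of packets to the RSA server,
# e.g. "10.1.1.5 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 0" -> 192.0.2.10
# Prints nothing if the line carries no "src" field (unreachable network, error text).
route_src_ip() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# agent_ip_known SRC "PRIMARY SECONDARY ..."
# Succeeds when SRC is the primary address or one of the secondary node addresses the
# agent host was defined with on the RSA server; fails otherwise (the "unknown source" case).
agent_ip_known() {
    src="$1"
    for ip in $2; do
        [ "$ip" = "$src" ] && return 0
    done
    return 1
}

# diagnose SRC "AGENT IPS" SDCONF_PRESENT(0/1) NODE_SECRET_PRESENT(0/1)
# Prints a one-line verdict matching the failure modes described in the post.
diagnose() {
    src="$1"; ips="$2"; have_sdconf="$3"; have_secret="$4"
    if [ "$have_sdconf" -ne 1 ]; then
        echo "FAIL: $VAR_ACE/sdconf.rec missing; copy it from the RSA server first"
    elif ! agent_ip_known "$src" "$ips"; then
        echo "FAIL: source $src is not the primary or a secondary node of the agent host; add it in RSA"
    elif [ "$have_secret" -ne 1 ]; then
        echo "OK: first authentication will be keyed on the agent's primary IP and should create the node secret"
    else
        echo "OK: node secret already present; later requests are encrypted with it"
    fi
}

# preflight RSA_SERVER_IP "PRIMARY SECONDARY ..."  -- live check, run on the firewall itself
preflight() {
    route_line=$(ip route get "$1" 2>/dev/null | head -n 1)
    src=$(route_src_ip "$route_line")
    have_sdconf=0; [ -r "$VAR_ACE/sdconf.rec" ] && have_sdconf=1
    have_secret=0; [ -r "$VAR_ACE/securid" ] && have_secret=1
    echo "source address towards $1: ${src:-unknown}"
    diagnose "${src:-unknown}" "$2" "$have_sdconf" "$have_secret"
}

# Usage on the firewall:  sh securid_preflight.sh 10.1.1.5 "203.0.113.1 192.0.2.10"
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2"
fi
```

Run it on the firewall with the RSA server address and the full list of addresses (primary plus secondaries) you entered for the agent host. The `diagnose` function works on plain values, so the verdict logic can be exercised off-box with constructed inputs; only `preflight` needs the live routing table and the /var/ace directory.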
