Troubleshooting RSA Securid authentication
Troubleshooting Checkpoint firewall issues involving RSA securid authentication Method:
If there is any problem in the authentication process then you might have to add a rule on the firewall:
something like this:
destination: Firewall object
service: FW1_Clientauth ( this consists of FW1_Clntauth_http and FW1_clntauth_telnet)
If this is for example a client authentication rule, then the rule should be like this:
action: client Auth
If you are using securid for authentication, then select, ignore user database.
After the rules are configured, try to telnet to the firewall on port 259 for telnet or 900 for http, it
should authenticate you. If it is returning with errors as password incorrect or if the firewall is not
tranferring the request to the securid server, then this asks for further troubleshooting.
Check the Ace server parameters on the firewall:
Firewall A# cd /var/ace
Firewall A# ls -la
drwxrwxr-x 2 root wheel 512 Jan 27 2004 .
drwxr-xr-x 18 root wheel 512 Jan 29 14:44 ..
-rw-r--r-- 1 root wheel 1024 Jan 27 2004 sdconf.rec
-rw-rw-r-- 1 root wheel 21 Jan 27 2004 sdopts.rec
-rw-rw-r-- 1 root wheel 2418 Dec 3 21:36 sdstatus.12
-r-------- 1 root wheel 512 Jan 27 2004 securid
MOve the entire folder to a backup folder as shown below:
Firewall A# mv sd* backupace
Get the sdconf.rec file from the ace server and import this file into this folder. Remove the click sign
from the Edit Agent Host -----> Node Secret Created. This should allow the firewall and the ACE server to
exchange and create certificates.
After the file is imported, restart the firewall services or best reboot the firewall if possible (this
might be needed in FP2 versions).
Firewall A# cpstop; cpstart
Most common problem of not working: The firewall IP address entered in the Agent Host could be incorrect.
Please make sure that the IP address is correct.
A way of testing whether the username/pass is working to telnet localhost 259, put in username password and check the ace server activity log.
Ctrl+ ] , then a quit should end the telnet session.