Configuring Check Point Administrators to use RSA SecurID for Authentication.

Scope
This technote has been written following a discussion with one of our customers who was trying to establish RSA SecurID Authentication for their Check Point Administrators. Since the release of Check Point NG, Check Point has allowed the creation of administrators who are authenticated against external sources, RSA Authentication Manager being one of them.
Solution

RSA Authentication Manager (Ace/Server) has historically been one of the simpler third-party authentication schemes to implement in a Check Point installation. Check Point's implementations for Nokia, Solaris and SecurePlatform have always had the RSA Authentication Agent software embedded within the code for the Firewall modules; all that was required was for the sdconf.rec file to be copied to a /var/ace directory on the firewall module. Implementation on a Check Point / Windows platform simply required the installation of the RSA Authentication Agent for Windows for the appropriate code to be made available to the Check Point Firewall.

Similarly, now that it is possible to use RSA Authentication Manager to authenticate administrators, all that is required on the Unix platforms is for the sdconf.rec file to be copied to a /var/ace directory on the Smart Centre platform, and on a Windows platform for the RSA Authentication Agent for Windows to be installed.

Please note, however, that under a Check Point NG Smart Centre it also appeared to be necessary to copy the file sdconf.rec to the $FWDIR/conf directory in order that the Check Point software was fully able to communicate with the RSA Authentication Manager. To date we have only been able to test this against a Check Point NGX SecurePlatform Smart Centre, but it appears you no longer need to copy the sdconf.rec to the $FWDIR/conf directory.

Note that you are still required to configure an Agent Host object within the RSA Authentication Manager and assign allowed users, just as you would with any other agent.
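A post-copy check for the Unix platforms described above, as an added example that is not part of the original technote. Only the /var/ace and $FWDIR/conf locations come from the text; the function names, the script name in the comment and the world-writable test are assumptions of this example.

```shell
#!/bin/sh
# Added example: check sdconf.rec placement on a Unix Smart Centre.
# /var/ace and $FWDIR/conf come from the technote; the function names and
# the world-writable test are assumptions of this example.

# check_one FILE: succeed only if FILE exists, is non-empty and is not
# world-writable.
check_one() {
    f=$1
    if [ ! -f "$f" ]; then echo "MISSING   $f"; return 1; fi
    if [ ! -s "$f" ]; then echo "EMPTY     $f"; return 1; fi
    if [ -n "$(find "$f" -perm -002 2>/dev/null)" ]; then
        echo "WRITABLE  $f is world-writable"; return 1
    fi
    echo "OK        $f"
}

# check_sdconf ACE_DIR [FWDIR_CONF]
# Returns 0 if all is well, 1 for a bad ACE_DIR copy, 2 for a bad
# FWDIR_CONF copy, 3 if the two copies differ. Omit FWDIR_CONF where the
# second copy is not needed (NGX, per the technote).
check_sdconf() {
    ace=$1/sdconf.rec
    check_one "$ace" || return 1
    [ -n "${2:-}" ] || return 0
    conf=$2/sdconf.rec
    check_one "$conf" || return 2
    if ! cmp -s "$ace" "$conf"; then
        echo "MISMATCH  $ace and $conf differ"; return 3
    fi
    return 0
}

# demo: run the check on a constructed placeholder file in a scratch
# directory (not a real sdconf.rec).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/ace" "$d/conf"
    printf 'constructed placeholder\n' > "$d/ace/sdconf.rec"
    cp "$d/ace/sdconf.rec" "$d/conf/sdconf.rec"
    chmod 644 "$d/ace/sdconf.rec" "$d/conf/sdconf.rec"
    rc=0; check_sdconf "$d/ace" "$d/conf" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# With arguments, check real paths: sh check_sdconf.sh /var/ace "$FWDIR/conf"
if [ $# -gt 0 ]; then check_sdconf "$@"; else demo; fi
```

A stale copy in $FWDIR/conf left over from an NG installation shows up as MISMATCH after the file in /var/ace has been replaced.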