Check Point on Nokia appliances not able to authenticate users with RSA SecurID

3 years ago

Originally Published: 2004-08-31

Article Number

000058217

Applies To

Check Point Firewall
Nokia
IPSO
RSA ACE/Server

Issue

Check Point on Nokia appliances not able to authenticate users with RSA SecurID
Users cannot successfully perform a SecurID authentication
In /var/log/messages, the following message is recorded: [LOG_ERR] ACEAGENT: The message entry does not exist for Message ID: 1008

Cause

It is not possible to determine which IP address the appliance is using to encrypt communication with the SecurID server

Resolution

For each node in the cluster determine the main IP address. Every node should have a unique "main" IP address. (Use for example the IP address used as management IP bye the Check Point software). For every node in the cluster, perform the following steps:

1. Create the sdopts.rec file in the /var/ace directory

2. Using VI, edit the sdopts.rec file and insert the line:

CLIENT_IP=10.10.111.10 {main_ip_address ## as determined in step 1}

3. On the ACE/Server, create a new node. The main IP address is the "unique" IP address you determined in step 1.

4. Define as secondary IPs the IP addresses used as source IP address in the SecurID packet send to the SecurID server (NOTE: You can determine the address by sniffing an ACE request on the ACE/Server).

5. Stop and start FW-1 and try to authenticate.

For more information about using SDOPTS.REC, see the solution regarding How to set an IP address override for an RSA ACE/Agent and RSA Authentication Agent

Don't see what you're looking for?

Related Articles

Trending Articles