
Nokia

IP390

RSA SecurID Ready Implementation Guide


Last Modified: September 4, 2009

Partner Information

Product Information
Partner Name: Nokia
Web Site: www.nokia.com
Product Name: Nokia IP Platforms running Check Point Firewall-1 / VPN-1
Version & Platform: IP390
Product Description: Nokia Firewall/VPN appliances are security specific devices delivered onsite with all the necessary security software, hardware drivers and IP routing pre-installed for out of the box deployment. The Nokia Firewall/VPN appliance allows enterprises to define and enforce a single, centrally managed comprehensive security policy while providing full, transparent connectivity. They are secure, scalable appliances with sophisticated network security management capabilities that are easy to install and deploy. Nokia platforms integrate leading Firewall and VPN software from Check Point Software Technologies into a high-performance, high-availability, easy-to-deploy security appliance. Remote configuration and management makes implementation simple, regardless of network size.
Product Category: Firewall/VPN
Solution Summary
The Nokia IP390 is the complete 1RU hardware and software solution for the Check Point VPN-1
R65 software. The platform is a comprehensive VPN and Firewall solution providing out-of-the-box
security for medium and large businesses, remote campuses, and large branch offices.
Partner Integration Overview
Authentication Methods Supported: Native RSA SecurID Authentication, RADIUS
RSA SecurID Library Version Used: Library Version # 5.03
RSA Authentication Manager Replica Support *: Full Replica Support
Secondary RADIUS Server Support: Yes (up to 100)
RSA Authentication Agent Host Type for 6.1: Net OS
RSA Authentication Agent Host Type for 7.1: Standard Agent
RSA SecurID User Specification: All Users
RSA SecurID Protection of Administrative Users: No
RSA Software Token and RSA SecurID 800 Automation: Yes

* = Mandatory Function when using Native SecurID Protocols

Product Requirements

Partner Product Requirements: Nokia IP390

Additional Software Requirements
Application                  Additional Patches
RSA Software Token           3.0.7 & 4.0
RSA Authentication Client    2.01

Agent Host Configuration

Important: “Agent Host” and “Authentication Agent” are synonymous. “Agent Host” is a term used with the RSA Authentication Manager 6.x servers and below. RSA Authentication Manager 7.1 uses the term “Authentication Agent”.

Important: All “Authentication Agent” types for 7.1 should be set to “Standard Agent”.

To facilitate communication between the Nokia IP390 and the RSA Authentication Manager /
RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication
Manager database. The Agent Host record identifies the Nokia IP390 within its database and
contains information about communication and encryption.
To create the Agent Host record, you will need the following information.
• Hostname
• IP Addresses for all network interfaces

When adding the Agent Host Record, you should configure the Nokia IP390 as Net OS for AM
6.1 and Standard Agent for AM 7.1. This setting is used by the RSA Authentication Manager to
determine how communication with the Nokia IP390 will occur.
To create the RADIUS client record, you will need the following information.
• Hostname
• IP Addresses for all network interfaces
• RADIUS Secret

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA Security documentation for additional information about
creating, modifying and managing Agent Host and RADIUS client records.

RSA SecurID files

RSA SecurID Authentication Files
File            Location
sdconf.rec      /var/ace
Node Secret     /var/ace
sdstatus.12     /var/ace
sdopts.rec      Not implemented

Partner Product Configuration


Before You Begin
This section provides instructions for integrating the Nokia IP390 with RSA SecurID
Authentication. This document is not intended to suggest optimum installations or
configurations.
It is assumed that the reader has both working knowledge of all products involved, and the
ability to perform the tasks outlined in this section. Administrators should have access to the
product documentation for all products in order to install the required components.
All vendor products/components must be installed and working prior to the integration. Perform
the necessary tests to confirm that this is true before proceeding.

Documenting the Solution

To complete the steps in this section an SSH or local terminal session to the IP390 is required.
1. Using Expert Mode, change to the /var directory. Verify that the /var/ace/ directory exists; if it does not, create it by typing mkdir ace.
2. Using the ftp utility, copy the sdconf.rec file from your Authentication Manager Server to the Connectra Server, saving this file in the /var/ace/ directory.

Note: For users without access to FTP, a floppy disk may be used to transfer the
sdconf.rec file to the Connectra Server. See Appendix.

3. Restart the IP390 to load the Authentication Manager Configuration data into the software.
4. Log back into the IP390 and switch to Expert Mode to verify that the sdconf.rec file exists.
5. Since the system has multiple network interfaces it is recommended that an sdopts.rec file be created in the /var/ace folder.
Add the line CLIENT_IP=<IP Address> where IP Address represents the address of the primary interface of the IP390.
6. Access the Check Point SmartDashboard.
7. Verify that the VPN product has been installed by editing the Check Point Gateway.

8. Check the VPN option if the feature is supported with your Check Point license.
9. Return to the SmartDashboard
10. Select Manager>Users and Administrators.
11. Create a User by Template called Generic* if one doesn’t already exist.

Note: As part of the default configuration the default user configuration Generic* was created to allow pass-through authentication to external authenticators.

Native SecurID Authentication

12. Verify that the Generic* account’s Authentication scheme is set to SecurID.

Note: To configure the system for RADIUS Authentication please reference the
appendix of this document.

13. Create a User Group called VPN and assign the Generic* account to the group.
14. Select the VPN tab and Edit the Remote Access Community Properties setting the Participating Gateway to the Nokia IP390
device and assigning the Participant User/Remote Access User Group to VPN.
15. Install the Policy changes for the Nokia IP390.

16. Create a new firewall rule to allow authentication.

17. From your client open the Check Point VPN-1 SecuRemote Connection client. Select the SecurID option from the Site
Wizard.

18. Select the appropriate token type.

19. Set the User name, PIN and enter the current Tokencode.

20. Select Next to continue the configuration.

21. Complete the configuration by selecting Next to Validate the site.

22. If no PIN is assigned to the user account you will be prompted to enter and re-enter a new PIN.
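The file-staging part of the procedure above (steps 1 to 5: the /var/ace directory, sdconf.rec, and the CLIENT_IP line in sdopts.rec) as an added POSIX shell example; this is not code from the guide or from Nokia, and the ACE_DIR override is an assumption so the functions can be exercised against a scratch directory rather than the live appliance.

```shell
#!/bin/sh
# Added example, not from the Nokia/RSA guide: stage the SecurID agent files
# that steps 1 to 5 place under /var/ace on the IP390. ACE_DIR is an assumed
# override so the script can be dry-run against a scratch directory.
ACE_DIR="${ACE_DIR:-/var/ace}"

# Accept only a dotted quad with every octet in 0-255. CLIENT_IP tells the
# agent which source address to present to Authentication Manager; a wrong
# value shows up later as a failed node-secret exchange, not as a clear error.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    rest=$1
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        [ "$rest" = "$octet" ] && break
        rest=${rest#*.}
    done
    return 0
}

# Step 1: /var/ace must exist (the guide's "mkdir ace" from /var).
ensure_ace_dir() {
    [ -d "$ACE_DIR" ] || mkdir -p "$ACE_DIR"
}

# Steps 2 and 4: sdconf.rec must be present and non-empty before the restart.
check_sdconf() {
    [ -s "$ACE_DIR/sdconf.rec" ]
}

# Step 5: pin the agent to the primary interface with a CLIENT_IP line.
# Overwrites any previous sdopts.rec and keeps it readable only by the owner.
write_sdopts() {
    valid_ipv4 "$1" || { echo "refusing invalid CLIENT_IP: $1" >&2; return 1; }
    ensure_ace_dir || return 1
    printf 'CLIENT_IP=%s\n' "$1" > "$ACE_DIR/sdopts.rec" || return 1
    chmod 600 "$ACE_DIR/sdopts.rec"
}

# Summarise the files listed in the "RSA SecurID files" table.
stage_status() {
    for f in sdconf.rec sdstatus.12 sdopts.rec; do
        if [ -e "$ACE_DIR/$f" ]; then echo "present: $f"; else echo "missing: $f"; fi
    done
}
```

Run `write_sdopts <primary interface address>` in Expert Mode before the restart in step 3, then `stage_status` after logging back in for step 4.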

Certification Checklist For RSA Authentication Manager v6.x
Date Tested: June 17, 2009

Certification Environment
Product Name                       Version Information       Operating System
RSA Authentication Manager         6.1                       Windows 2003 SP2
RSA Authentication Agent           5.03                      Windows XP
RSA Software Token                 3.07 & 4.0                Windows XP
Nokia IP390                        1515 12.05.2008-053151
Check Point VPN-1 Power/UTM NGX    R65 Build 620000436

Mandatory Functionality (each item listed for both the RSA Native Protocol and the RADIUS Protocol; the result marks did not survive extraction)
New PIN Mode
• Force Authentication After New PIN
• System Generated PIN
• User Defined (4-8 Alphanumeric)
• User Defined (5-7 Numeric)
• User Selectable
• Deny 4 and 8 Digit PIN
• Deny Alphanumeric PIN
Passcode
• 16 Digit Passcode
• 4 Digit Password
Next Tokencode Mode
• Next Tokencode Mode
Load Balancing / Reliability Testing
• Failover (3-10 Replicas) [Native] / Failover [RADIUS]
• Name Locking Enabled
• No RSA Authentication Manager

Additional Functionality
RSA Software Token Automation
• System Generated PIN
• User Defined (8 Digit Numeric)
• User Selectable
• Next Tokencode Mode
RSA SecurID 800 Token Automation
• System Generated PIN
• User Defined (8 Digit Numeric)
• User Selectable
• Next Tokencode Mode

Legend: DRP = Pass; = Fail; N/A = Non-Available Function

Certification Checklist For RSA Authentication Manager 7.x
Date Tested: August 13, 2009

Certification Environment
Product Name                       Version Information       Operating System
RSA Authentication Manager         7.1                       Windows 2003 SP2
RSA Authentication Agent           5.03                      Windows XP
RSA Software Token                 3.07 & 4.0                Windows XP
Nokia IP390                        1515 12.05.2008-053151
Check Point VPN-1 Power/UTM NGX    R65 Build 620000436

Mandatory Functionality (each item listed for both the RSA Native Protocol and the RADIUS Protocol; the result marks did not survive extraction)
New PIN Mode
• Force Authentication After New PIN
• System Generated PIN
• User Defined (4-8 Alphanumeric)
• User Defined (5-7 Numeric)
• Deny 4 and 8 Digit PIN
• Deny Alphanumeric PIN
• Deny Numeric PIN
• PIN Reuse
Passcode
• 16 Digit Passcode
• 4 Digit Fixed Passcode
Next Tokencode Mode
• Next Tokencode Mode
Load Balancing / Reliability Testing
• Failover (3-10 Replicas) [Native] / Failover [RADIUS]
• No RSA Authentication Manager

Additional Functionality
RSA Software Token Automation
• System Generated PIN
• User Defined (8 Digit Numeric)
• Next Tokencode Mode
RSA SecurID 800 Token Automation
• System Generated PIN
• User Defined (8 Digit Numeric)
• Next Tokencode Mode

Legend: DRP = Pass; = Fail; N/A = Non-Available Function

Appendix
RADIUS Configuration
To configure the Nokia for RADIUS integration, follow the steps below:

Note: A RADIUS Client must be set up on the RSA Authentication Manager prior to the configuration of the RADIUS
connection within the Check Point SmartDashboard.

1. Using the Check Point SmartDashboard select Manage>Servers and OPSEC Applications.
2. Select New>RADIUS…
3. Enter the name of the RADIUS connection.
4. Enter the host or IP Address of the RADIUS Host.
5. Enter the shared secret that was created when the RADIUS Client was set up on the RSA Authentication Manager.
6. Exit the RADIUS Configuration window and close the Servers and OPSEC Applications window.
7. Select Manage>User and Administrators…
8. Edit the generic* user account.
9. Under the Authentication tab change the Authentication Scheme to RADIUS.
10. Change the RADIUS Server or Group of Servers setting to the RADIUS Connection created in step 3.
11. Exit the User Profile Properties window.
12. Select Policy>Global Properties.
13. Select the SmartDashboard Customization from the list of options.
14. Under the Advanced Configuration option select the Configure button.
15. Select Firewall-1>Authentication>RADIUS from the list under Advanced configuration.
16. Modify the radius_ignore setting, changing the default value of “0” to “76”.
17. Save the settings and select Policy>Install... from the SmartDashboard.
18. Complete the configuration by selecting OK to install the policy.

RSA Software Token Automation
1. Install the 3.07 soft token.
2. Install the RSA Authentication Client.
3. Import the Token .sdtid soft token.
4. Restart the system to ensure initialization of the Check Point SecuRemote Client.

5. Start the SecuRemote Client and select the Options Button> Change Authentication.

6. Set the Authentication Scheme using the drop down list to SecurID.
7. Select Use Soft Token and from the drop down list choose your soft token id.

RSA SecurID 800 Token Automation


1. Install the 4.0 Soft Token.
2. Install the RSA Authentication Client.
3. Install the CCID software provided by Microsoft to provide communication between the SID800 token and Windows.
4. Restart the system to ensure initialization of the Check Point SecuRemote Client.

5. Start the SecuRemote Client and select the Options Button> Change Authentication.

6. Set the Authentication Scheme using the drop down list to SecurID.
7. Select Use Soft Token and from the drop down list choose your soft token id.

