Checkpoint Connectra Integration

From Swivel Knowledgebase Wiki




PINsafe to Checkpoint Connectra
Integration Notes



Overview

PINsafe can provide strong, two-factor authentication for the Checkpoint Connectra. This document outlines the details required to carry this out.


Baseline

PINsafe 3.x

Checkpoint Connectra appliance version NGX R66.

Checkpoint R75 Mobile Access login page


Prerequisites

Working Connectra VPN

PINsafe 3.x

Note that modifications to the Connectra login page will affect ALL users (but not the administration page).

Use of the TURing image, Security String Index or SMS Confirmed message will require a NAT, because the user's browser requests these directly from the PINsafe server rather than through the Connectra appliance.

PINsafe Configuration

Configuring the RADIUS server

Configure the RADIUS settings using the RADIUS configuration page in the PINsafe Administration console. In this example (see diagram below) the RADIUS Mode is set to ‘Enabled’ and the HOST IP (the PINsafe server) is set to 0.0.0.0 (leaving the field empty has the same result). This means that the server will answer all RADIUS requests it receives, regardless of which local IP address they were sent to.

Note: for appliances, the PINsafe VIP should not be used as the server IP address, see VIP on PINsafe Appliances


Image:PINsafe36RADIUSserver.JPG


Setting up the RADIUS NAS

Set up the NAS using the Network Access Servers page in the PINsafe Administration console. Enter a name for the Checkpoint Connectra server. The IP address is set to the IP of the VPN appliance, and the shared secret (‘secret’ in this example) is assigned; the same secret must be entered in both the PINsafe NAS entry and the Connectra RADIUS server configuration.


Image:PINsafe 36 generic RADIUS NAS.JPG


You can specify an EAP protocol if required; otherwise CHAP, PAP and MSCHAP are supported. All users will be able to authenticate via this NAS unless you restrict authentication to a specific repository group.


Enabling Session creation with username

The PINsafe server can be configured to return an image stream containing a TURing image by presenting the username via the XML API or the SCImage servlet.

Go to the ‘Single Channel’ Admin page and set ‘Allow Session creation with Username:’ to YES.

To test your configuration you can use the following URL using a valid PINsafe username:

Appliance

https://PINsafe_server_IP:8443/proxy/SCImage?username=testuser

Software install

http://PINsafe_server_IP:8080/pinsafe/SCImage?username=testuser

For further information see Single Channel How To Guide


Setting up PINsafe Dual Channel Transports

See Transport Configuration


Enabling RADIUS Authentication in Connectra

You need to configure PINsafe as an authentication server on the Connectra appliance.

  • Open Smart Dashboard and log in.
  • Under Network and Resources -> Hosts, configure the PINsafe server as a new host. You just need to give it a name and add the IP address.
  • Under Users and Authentication -> Authentication -> RADIUS Servers, create a new RADIUS server. Select PINsafe as the host, “NEW-RADIUS” as the service, and enter the shared secret you previously set on the PINsafe server. You can select RADIUS version 1 or 2, and PAP or MSChap as the protocol: PINsafe will detect these protocols automatically.

You will also need to configure authentication for the relevant users. The simplest way to handle this is to create a new user group containing all users that will be using PINsafe (if you do not already have one):


  • Go to Users and Authentication -> Internal Users -> User Groups.
  • Then under User Templates, create a new template, or modify an existing one, containing the relevant group, and set the authentication to RADIUS, using the PINsafe server.

Don’t forget to save and install the policy once you have made all relevant changes.

Customising the Connectra Login Page

NOTE: it is assumed here that you are familiar with Unix commands, in particular with the vi editor, as you will need to edit a file.

NOTE: There is an ExampleLoginPage.php available, which is the Login.php file with the modifications already included. This can be used for reference but may not be 100% suitable for specific installations and different Connectra versions.

To modify the Connectra login page, you need to log into the console, either physically on the appliance or using an SSH client such as PuTTY (see PuTTY How To Guide). Switch into expert mode.

Change directory to /opt/CPcvpn-R66/phpincs (note: the exact directory name will vary depending on the Connectra revision number). Edit the file LoginPage.php.

First of all, search for the end of the page header, “</HEAD>”. There should be a “</script>” tag just before that. Insert the following just before the </script>:

function showTuring() {
    // Locate the (initially hidden) TURing image and read the username the user typed
    var turing = document.getElementById("imgTuring");
    var username = document.getElementById("userName").value;
    // Request a fresh image for this username from the appliance proxy (port 8443 is HTTPS,
    // as in the Single Channel test URL above); the random parameter prevents the browser
    // from serving a cached image, so each request starts a new PINsafe session
    turing.src = "https://192.168.78.103:8443/proxy/SCImage?username=" + username + "&random=" + Math.floor(Math.random()*100000);
    // Reveal the table row that holds the button and the image
    var turingRow = turing.parentNode.parentNode;
    turingRow.style.display = "";
}

Now locate the input field with ID “userName”.

Add the following attribute to the field: onblur="showTuring();". The complete line should appear as follows:

<input type="text" id="userName" name="userName" class="inputText" autocomplete="off" <?=$User_Read_Only?> style="<?=$User_Style_Var?>" value="<?=$userName?>" onblur="showTuring();">

Look for the second <tr> tag after this field. Insert the following before this tag:

<tr style="display:none"><td colspan="2" align="center">
<input type="button" value="<?= TURING ?>" onclick="showTuring();"><br>
<img src="" id="imgTuring" alt="<?= TURING ?>">
</td></tr>


You can now save the file.
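The script inserted above builds the SCImage URL by concatenating the raw username and hard-codes the server address inside the function. The following added example (not Swivel's or Check Point's code, and not part of ExampleLoginPage.php) is a variant of showTuring() for the same login page that keeps the server address in one place, uses the HTTPS proxy URL shown in the Single Channel test above, URL-encodes the username so characters such as & cannot alter the query string, and skips the request when the username field is empty. PINSAFE_BASE is an assumed placeholder to replace with your own server address; buildTuringUrl and shouldRequestTuring are helper names introduced here.

```javascript
// Added example (not Swivel's or Check Point's code): a hardened showTuring()
// for the Connectra LoginPage.php. PINSAFE_BASE is a placeholder; set it to
// the HTTPS proxy URL of your PINsafe appliance.
var PINSAFE_BASE = "https://PINsafe_server_IP:8443/proxy";

// Build the SCImage request. encodeURIComponent keeps a username containing
// '&', '=', '#' or spaces from being read as extra query parameters, and the
// random value stops the browser from reusing a cached image.
function buildTuringUrl(base, username, random) {
  if (random === undefined) random = Math.floor(Math.random() * 100000);
  return base + "/SCImage?username=" + encodeURIComponent(username) + "&random=" + random;
}

// Only request an image when a username is present; PINsafe cannot start a
// session for an empty name, so the request would just fail in the log.
function shouldRequestTuring(username) {
  return typeof username === "string" && username.trim().length > 0;
}

// Called from onblur on the userName field and onclick on the TURing button.
function showTuring() {
  var turing = document.getElementById("imgTuring");
  var username = document.getElementById("userName").value;
  if (!shouldRequestTuring(username)) return false;
  turing.src = buildTuringUrl(PINSAFE_BASE, username.trim());
  var turingRow = turing.parentNode.parentNode; // the <tr> added around the image
  turingRow.style.display = "";
  return true;
}
```

Because the image is fetched by the user's browser and not by the appliance, port 8443 of the PINsafe server must be reachable from client networks (the NAT requirement listed under Prerequisites); buildTuringUrl can be checked outside a browser, which makes the encoding easy to verify before editing the live login page.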

If you want to change the prompt for the password (e.g. to prompt for One-Time Code), or to change the text displayed on the button that requests a new TURing image, you will need to edit the file Strings.en_US.php, or the appropriate Strings file for your local language (type ls Strings* to see what files are available). Locate the string “PASSWORD”, and change the text within the quotes to the right of the => symbol to “OTC”, or whatever you prefer.

To set the text displayed on the TURing image button, insert a new line after this line, with the following content:


"TURING" => "TURing",


You can replace the right-hand text with anything you prefer. Don’t forget the comma at the end of the line.

Testing

With the changes in place, when a user accesses the Connectra portal they will see the modified login page.


Image:ConnectraSignin.png


After entering their username and either tabbing away from the username field or clicking the TURing button, they will be presented with a TURing image. The PINsafe log should record a session start for that user.


The user can then use their PIN to extract their one-time code and enter this to authenticate. The PINsafe log should record the RADIUS dialogue associated with this authentication.


Troubleshooting

Check the PINsafe logs for Turing images and RADIUS requests.

Image from PINsafe server absent


Known Issues and Limitations
