Checkpoint Integration

From Swivel Knowledgebase
Revision as of 05:39, 11 April 2017 by NTeixeira (Sentry integration with Checkpoint R 77.30)


PINsafe to Checkpoint Gaia
Integration Notes


Overview

Swivel can provide strong two-factor authentication to the Checkpoint Gaia portal. This document outlines the configuration required to carry this out.


Baseline

Swivel 4.x

Checkpoint Gaia appliance version R77.30.


Prerequisites

A working Checkpoint installation with SmartConsole / SmartDashboard access

Swivel 4.x

Note that modifications to the Connectra login page will affect ALL users (but not the administration page).

The TURing image, Security String Index and SMS Confirmed message are fetched by the user's browser directly from the Swivel server, so the Swivel single-channel service must be reachable from the client network; in practice this requires a NAT (port forward) to the Swivel server.

When a Swivel appliance VIP is used, the real IP address should be used and not the VIP. For redundancy select Primary and Secondary RADIUS servers, see VIP on PINsafe Appliances.


Gaia Configuration

Enabling RADIUS Authentication in Gaia

You need to configure Swivel as an authentication server on the Gaia appliance.

  • Open Smart Dashboard and log in.
  • Under Network and Resources -> Hosts, configure the Swivel server as a new host. You just need to give it a name and add the IP address.
  • Under Users and Authentication -> Authentication -> RADIUS Servers, create a new RADIUS server. Select the Swivel host, “NEW-RADIUS” (UDP 1812) as the service, and enter the shared secret you previously set on the Swivel server. You can select RADIUS version 1 or 2, and PAP or MSChap as the protocol: Swivel detects these protocols automatically. Use the real IP address of the Swivel server here, not a VIP (see Prerequisites).

You will also need to configure authentication for the relevant users. The simplest way to handle this is to create a new user group containing all users that will be using Swivel (if you do not already have one):

  • Go to Users and Authentication -> Internal Users -> User Groups.
  • Then under User Templates, create a new template, or modify an existing one, containing the relevant group, and set the authentication to RADIUS, using the Swivel server.

Don’t forget to save and install the policy once you have made all relevant changes.

Customising the Gaia Login Page

NOTE: it is assumed here that you are familiar with Unix commands, in particular with the vi editor, as you will need to edit a file.

NOTE: There is an example LoginPage.php available which is the Login.php file with the modifications already included. This can be used for reference but may not be 100% suitable for specific installations and different Gaia versions.

Test the RADIUS authentication

At this stage it should be possible to authenticate by SMS, hardware token, Mobile Phone Client and Taskbar, which verifies that RADIUS authentication is working for users. Browse to the SSL VPN login page and enter the username and, if one is being used, the password. From the Swivel Administration console select User Administration, then the required user, then View Strings, and select an appropriate security string or OTC for the user. At the SSL VPN login enter the required OTC. Check the Swivel logs for a RADIUS success or rejected message. If no RADIUS message is seen, check that the Swivel RADIUS server is started, that the correct ports are being used (UDP 1812 for the NEW-RADIUS service) and that the shared secret matches on both sides.
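As an added check (example code written for this note, not part of the Swivel or Check Point software), the following Python script sends a single RADIUS Access-Request with PAP to the Swivel server, exactly as the Gaia appliance would, and validates the Response Authenticator of the reply so that a mismatched shared secret or a misrouted packet shows up as an explicit error instead of a silent reject. The host, port, NAS IP, username and OTC in the `__main__` block are assumptions to replace with your own values; the reply builder is included only so the packet handling can be exercised offline.

```python
"""Minimal RADIUS (RFC 2865) Access-Request client for checking the Swivel
RADIUS server with PAP, plus the server-side reply builder used to test it
offline. Added example; not Swivel or Check Point code."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as in RFC 2865 s5.2: pad to 16-octet blocks, then
    XOR each block with MD5(secret + previous block), seeded with the Request
    Authenticator. This is obfuscation keyed on the shared secret, not strong
    encryption, which is why the secret must be long and kept private."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt (what the RADIUS server does before checking)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attribute(type_code: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Return (packet, request_authenticator). The authenticator must be 16
    fresh random octets per request; it is a parameter only so tests are
    deterministic."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier & 0xFF, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_response(packet, request_authenticator, secret):
    """Verify the Response Authenticator, MD5(Code+ID+Length+RequestAuth+
    Attributes+Secret), before trusting the reply. A mismatch means a wrong
    shared secret or a forged/misrouted packet; return (code, identifier)."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than 20 octets")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    packet = packet[:length]  # RFC 2865: octets beyond Length are padding
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return code, identifier


def build_response(code, request_packet, secret, attributes=b""):
    """Server side of the exchange; used here to test the client offline."""
    identifier = request_packet[1]
    request_authenticator = request_packet[4:20]
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def radius_pap_check(host, port, username, password, secret, nas_ip, timeout=5.0):
    """Send one Access-Request over UDP and return 'accept', 'reject' or
    'other:<code>'. Raises on timeout or on an unverifiable reply."""
    identifier = os.urandom(1)[0]
    packet, req_auth = build_access_request(identifier, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    code, reply_id = parse_response(reply, req_auth, secret)
    if reply_id != identifier:
        raise ValueError("reply identifier does not match request")
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, f"other:{code}")


if __name__ == "__main__":
    # Assumed values: Swivel RADIUS on 192.0.2.10:1812, the Gaia appliance's IP
    # as NAS, a shared secret, and the OTC read from the user's TURing image.
    print(radius_pap_check("192.0.2.10", 1812, "alice", "1234", b"shared-secret", "192.0.2.1"))
```

Run it from a host that the Swivel NAS definition allows (the NAS IP attribute is informational; Swivel matches the NAS on the source address of the datagram), and compare the result with the RADIUS line written to the Swivel log. A timeout with nothing in the log points at the port or NAS configuration; a "Response Authenticator mismatch" points at the shared secret.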



[Screenshots of the Gaia configuration steps: CheckP1 r77.JPG to CheckP6 r77.JPG, CheckP10 r77.JPG to CheckP12 r77.JPG]


Swivel Configuration

Configuring the RADIUS server

On the Swivel Administration console configure the RADIUS Server and NAS, see RADIUS Configuration


Enabling Session creation with username

To allow the TURing image, Pinpad and other single channel images, under Server/Single Channel set Allow session request by username to Yes.


Setting up Swivel Dual Channel Transports

See Transport Configuration

[Screenshots of the Swivel configuration: CheckP7 r77.JPG to CheckP9 r77.JPG]


Testing

With the changes in place, when a user accesses the Gaia portal they will see the modified login page.


[Screenshot of the modified login page: CheckP15 r77 login.png]


After entering their username and either tabbing away from the username field or clicking the TURing button, they will be presented with a TURing image. The PINsafe log should record a session start for that user.


The user can then use their PIN to extract their one-time code from the image and enter it to authenticate. The PINsafe log should record the RADIUS dialogue associated with this authentication.


Troubleshooting

Check the Swivel logs for TURing image (session start) entries and RADIUS requests.

[Screenshot of the Swivel log: CheckP14 r77.png]


Known Issues and Limitations

The smart