topic Re: Identity Awareness and UPN suffix in Firewall and Security Management

Identity Awareness and UPN suffix

Sergo89 — Wed, 27 May 2020 04:47:31 GMT

Hi Guys

I have a problem, CP Identity Awareness doesnt want to recognize users, who logged in UPN credentials. For example, XYZ.local is a standard AD Domain, but also it has UPN suffix XYZ.com for communication with O365 etc. For windows login (and WLC with Radius) doesnt matter, it can be just username, or username@XYZ.local or username@XYZ.com. CheckPoint understand only username and username@XYZ.local.

I talked to CP support, they advised to create additional LDAP account unit (XYZ.com), but it doesnt's work, still same issues with name recognizing, and also Remote Access VPN stops (lose access to original domain XYZ.local)

do you have any ideas how to fix it?

thanks

Re: Identity Awareness and UPN suffix

Sergo89 — Wed, 27 May 2020 16:06:51 GMT

Short comment, username@XYZ.local also doesnt work, only clean username.....

Re: Identity Awareness and UPN suffix

PhoneBoy — Sun, 31 May 2020 04:24:57 GMT

Not sure, @Royi_Priov ?

Re: Identity Awareness and UPN suffix

Royi_Priov — Sun, 31 May 2020 08:58:26 GMT

Which identity sources are used?

Re: Identity Awareness and UPN suffix

Sergo89 — Sun, 31 May 2020 16:07:18 GMT

Hi Royi
Active Directory Query (LDAP), and RADIUS accounting turned on... WLC sends info to checkpoint, and i can recognize wireless users in CP logs
thanks

Re: Identity Awareness and UPN suffix

Chris_Atkinson — Mon, 01 Jun 2020 08:18:36 GMT

Some manipulation on the RADIUS side might help e.g.

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-crp-realm-names

Re: Identity Awareness and UPN suffix

Sergo89 — Mon, 01 Jun 2020 19:16:42 GMT

Thanks Chris, i think you right, need to try to cut suffix there.

Re: Identity Awareness and UPN suffix

Royi_Priov — Tue, 02 Jun 2020 06:44:23 GMT

I would also suggest using "alias feature" in Identity Collector (which can replace AD Query).
This feature allows to replace one domain with another - read more about it on our admin guide.

As for Identity Collector vs. AD Query differences - see sk108235.

Re: Identity Awareness and UPN suffix

Chris_Atkinson — Tue, 02 Jun 2020 07:26:19 GMT

Thanks @Royi_Priov

For completeness do we have any other options to manipulate the RADIUS data (realm matching) if it can't be done upstream?

Cheers,

Chris

Re: Identity Awareness and UPN suffix

Sergo89 — Tue, 02 Jun 2020 16:11:06 GMT

Thanks Royi, i will try. Just some questions, IA and Remote Access VPN use different ways for authorization? If i turn off AD Query in IA, VPN should continue works?

Re: Identity Awareness and UPN suffix

Sergo89 — Tue, 02 Jun 2020 19:53:07 GMT

Thanks guys, i didnt fix my problem, but found another solution.
Royi, i deployed IC, it works, but it not recognize Radius users, dont see them, anyway i kept it.
Chris, your solution works (i played with realm info), but looks like WLC send info to CheckPoint (and own log) before NPS (Radius) server, i can change realm info, but CHeckPoint sees original request with domain info.
I blocked any access to wireless with domain info, just username, or no wifi 🙂
Also opened Cisco's support case, not sure, maybe possible to cut realm info on WLC directly
thanks guys!