topic Re: Machine cert authentication and local computer certificate store in Firewall and Security Management

Machine cert authentication and local computer certificate store

flachance — Tue, 16 Apr 2024 14:34:59 GMT

Hi,

We’re trying to test Remote VPN access with machine cert authentication. It is not clear to me which authentication to select on the client when creating the site.

I selected Certificate – CAPI but when trying to connect it offers a choice of certificate it finds in the Current user\Personal\Certificates

We’ve setup automatic cert enrollment for our machines but it puts the certificate in the Local computer\Personal\Certificate

I feel like I’m missing something here. How do you get the CheckPoint client to look for a certificate in the Local computer certificate store?

Thanks

Francis

Re: Machine cert authentication and local computer certificate store

PhoneBoy — Tue, 16 Apr 2024 17:05:48 GMT

What version of client?
What version/JHF of gateway?
I'm assuming you've followed all the instructions here: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Machine-Certificate.htm

Re: Machine cert authentication and local computer certificate store

the_rock — Tue, 16 Apr 2024 18:55:42 GMT

Had similar issue recently with a customer and TAC fixed it with below 2 SKs, might be worth checking and to answer your question, you most likely select certificate auth on the client, its one called personal cert I believe

Check out answer I gave in below post.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Machine-certificate-auth/m-p/210437

Re: Machine cert authentication and local computer certificate store

flachance — Wed, 17 Apr 2024 12:08:37 GMT

client is 87.50. Gateway is 81.20 JHF take 53. Yes we've followed the guide and the relevant part of the client guide.

I think we might not be understanding the authentication part correctly. Can you establish VPN with only the machine cert to authenticate or do you also require user authentication?

Re: Machine cert authentication and local computer certificate store

the_rock — Wed, 17 Apr 2024 12:32:23 GMT

I believe it is possible with just machine cert, but not 100% certain, you may want to confirm with TAC.

Re: Machine cert authentication and local computer certificate store

emmap — Wed, 17 Apr 2024 13:30:33 GMT

You can, the instructions are in the link that Phoneboy has there and then the Remote Access Guide that is linked from there.

https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN-for-Win/Configuring-Machine-Authentication-on-Client.htm?tocpath=Configuring%20Client%20Features%7CMachine%20Authentication%7C_____3

Re: Machine cert authentication and local computer certificate store

flachance — Wed, 17 Apr 2024 14:58:09 GMT

I did use the instructions on these two links.

Something is missing or we’re missing something

From https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Machine-Certificate.htm

The machine must be defined on a Microsoft AD server – Check

The Subject field of a machine certificate must not be empty – Check

The hostname must be the first value – Check

Machine-only authenticated tunnels require the Security Gateway authentication method to be “Defined on user record (Legacy authentication)” – Check

Adding the root CA on the LDAP Server to the Trusted CA in Management – Check

Creating LDAP Account Unit – Check

Setting up the Authentication enforcement as When Available – Check

From https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN-for-Win/Configuring-Machine-Authentication-on-Client.htm?tocpath=Configuring%20Client%20Features%7CMachine%20Authentication%7C_____3

On the client. Trac.defaults has

Enable_machine_auth set to true

Machine_tunnel_site set to the created site name

Machine_tunnel_before_logon set to true

Machine_tunnel_after_logon set to false

As noted in the instructions the machine site was created before but there is no indications of the settings to use. We picked Certificate CAPI. When trying to connect, it offers certificates found in the user certificate store but the machine certificate is in the Local computer certificate store.

How do we get the client to use the certificate in the Local Computer certificate store?

Re: Machine cert authentication and local computer certificate store

the_rock — Wed, 17 Apr 2024 15:12:04 GMT

Did you check 2 SKs I mentioned in the link from one of my posts? Not sure if they might be relevant in your case, but if not, then I would open TAC case to see what might be missing.

Best,

Andy

Re: Machine cert authentication and local computer certificate store

flachance — Wed, 17 Apr 2024 15:14:10 GMT

I did. But I'm not even at the point where I'm actually attempting to connect 😆

Re: Machine cert authentication and local computer certificate store

the_rock — Wed, 17 Apr 2024 15:15:18 GMT

Ok lol

In that case, I would open TAC ticket and see what gives.

Andy

Re: Machine cert authentication and local computer certificate store

PhoneBoy — Wed, 17 Apr 2024 15:45:45 GMT

Machine certificates are used only when a user is not logged in (i.e. Windows login screen).
This is mentioned in the documentation I linked previously.

As such, this is operating as expected.

Re: Machine cert authentication and local computer certificate store

flachance — Wed, 17 Apr 2024 15:55:18 GMT

And I am now even more confused 😆 Or I just can't read properly. This is what I'm seeing in that doc.

"Machine-only authentication - Authenticate with a machine certificate only. This mode is available before and after the user logs in to Windows"

Re: Machine cert authentication and local computer certificate store

PhoneBoy — Wed, 17 Apr 2024 17:34:07 GMT

Clearly I misread the docs 🙂
However, you may need to adjust some settings here: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN-for-Win/Configuring-Machine-Authentication-on-Client.htm?tocpath=Configuring%20Client%20Features%7CMachine%20Authentication%7C_____3
Specifically setting machine_tunnel_after_logon to true.

Otherwise, you may want to get the TAC involved: https://help.checkpoint.com