topic Re: ipassignment.conf and LDAP grop in Firewall and Security Management

ipassignment.conf and LDAP grop

Joe_Kanaszka — Thu, 04 Jan 2024 22:29:54 GMT

Hello again.

Continuation of a previous post but the old post is marked as resolved (because it was) to allow contributor to receive credit. 😊

In a nutshell - we need to limit access to a network host to a small group of 5 individuals. The solution has to work with NAT (Identity Awareness is out as it doesn't work with NAT). This solution will be used for WFH users - the current OM IP pool is Nat'd to the internal interface of the Check Point.

My solution:

I'd like to configure the ipassignment.conf file to assign a range of IPs to my already existing AD group - then limit access to the resource based on the static IPs. (This will be used for WFH users).

What I've done:

Created a draft of my ipassignment.conf file

Here is how my ipassignment.conf file will look referencing SK: sk33422

#Gateway Type IP Address User Name

==================================================

IP of gateway range 10.0.0.0-10.0.0.5 Test Group (AD group)

Created an LDAP Account Unit that points directly to my AD group - so the UID is my group.
Trying to create an LDAP Group Object that the ipassignment.conf file can reference. The Group's scope is the first option - "All Account-Unit's Users"

Questions:

Unfortunately, my AD security group contains a space in the name. When I try and create the LDAP group, I'm receiving the error "Object name contains space..." How can I get around this?
Will this plan work? 🙄

Thank you, and as always - any help is always much appreciated!

Best Regards,

Joe

Re: ipassignment.conf and LDAP grop

PhoneBoy — Thu, 04 Jan 2024 22:42:52 GMT

Even if you could get past the UI validation in SmartConsole, I suspect that space will be problematic in ipassignment.conf as well.
Change the name to something without a space.
Otherwise, this should work.

Re: ipassignment.conf and LDAP grop

Joe_Kanaszka — Thu, 04 Jan 2024 23:09:10 GMT

Ok cool. Thank you!

Re: ipassignment.conf and LDAP grop

DAKad — Tue, 24 Sep 2024 08:11:29 GMT

Hello,

we have configured the file for an LDAP user but the user is not receiving the ip.

as you can see on both screenshots, we pushed the file on both gateways of the cluster

Re: ipassignment.conf and LDAP grop

PhoneBoy — Wed, 25 Sep 2024 17:08:36 GMT

Please refer to https://support.checkpoint.com/results/sk/sk33422 for what exactly to use based on how the user authenticates.

Re: ipassignment.conf and LDAP grop

DAKad — Wed, 25 Sep 2024 17:22:19 GMT

Hello PhoneBoy,

see the screenshot of the line added at the end of the file.

user log to the vpn through LDAP with the AD account , his name is on capital letter from active directory but when he wants to connecte on the VPN client, he use small letter like i wrote on the file and it works but still taking the ip from the pool instead of the ipassignment file

Also after checking with vpn ipafile_check $FWDIR/conf/ipassignment.con detail , i get the output on the second screenshot

Re: ipassignment.conf and LDAP grop

PhoneBoy — Wed, 25 Sep 2024 17:34:53 GMT

It's user/password authentication, right?
What if you put it in as it is in AD (i.e. with a Capital)?
If this doesn't work, suggest involving TAC.