topic Re: Associating specific accessrole groups with specific vpn authentication in Firewall and Security Management

Associating specific accessrole groups with specific vpn authentication

the_rock — Wed, 09 Dec 2020 03:18:13 GMT

Hello everyone,

I really hope someone can tell me easy way to do this. For example, in Cisco or Fortigate, you can assign specific vpn groups to use authentication you want (say radius, aaa and so on), but on Check Point, I dont know whats best way of doing it, as customer does NOT want to change setting on authentication for vpn on gateway cluster to specific method. What they want to do is this:

Say they have accessrule group called citrix-users ONLY for citrix users and they want to associate that group with radius auth

then they may have tacasc accessrole and they want to associate it with tacacs auth when connecting to vpn site

Possible? I spoke to TAC about it and they did not sound confident at all how this is even supposed to work. we went through setting up user template and then creating ldap group to associate certain AD groups to it, but then its still not clear how to tie that into proper auth...its not clear at all.

If anyone has any insight, I would really appreciate it.

Tx!!

Re: Associating specific accessrole groups with specific vpn authentication

PhoneBoy — Wed, 09 Dec 2020 04:34:45 GMT

You should be able assign different users different forms of authentication…if users are locally defined.
Not sure how you can mix authentication schemes otherwise.

Re: Associating specific accessrole groups with specific vpn authentication

the_rock — Wed, 09 Dec 2020 19:50:50 GMT

Hey Dameon,

Thats not at all what customer wants...ok attached a screenshot of it in here. Actually what they would like is to have specific AD groups associated with specific authentication schemes and on gateway vpn auth tab, that does not even seems to be an option. I spoke to Tier 3 guy in dallas, but he does not seem to know if thats dosble and said would check with esc team. Screenshot attached. So how to associate groups with auth?? These are NOT local users, but AD ones.

Andy

Re: Associating specific accessrole groups with specific vpn authentication

PhoneBoy — Wed, 09 Dec 2020 20:48:08 GMT

You can define different authentication schemes but I’m pretty sure if the same username exists in, say, RADIUS and TACACS, there is no way to differentiate between the two.
The group resolution is usually done independently of the authentication (at least that’s how it works with Identity Awareness).
Sounds like an RFE to me.
@Royi_Priov

Re: Associating specific accessrole groups with specific vpn authentication

the_rock — Wed, 09 Dec 2020 21:00:07 GMT

Well, they would all be different groups on AD and no user would belong to 2 same groups, so its pretty shocking there would be no way on CP to do this...on Fortigate and Cisco is super easy.

Andy

Re: Associating specific accessrole groups with specific vpn authentication

PhoneBoy — Wed, 09 Dec 2020 22:22:55 GMT

You can certainly allow for different authentication methods as shown in the screenshot provided.
You can also provide access control based on different LDAP groups these users are in.
What does associating the LDAP group with a specific authentication method achieve exactly?

Re: Associating specific accessrole groups with specific vpn authentication

the_rock — Wed, 09 Dec 2020 22:33:54 GMT

What it achieves is that thats how they have it with Cisco and they dont wish to change it...they ONLY want certain groups of users say use radius auth and there are some groups where username/password is enough. When I spoke with TAC today, yes, we discussed the gateway auth option from screenshot I gave in my last response, but even there, there is no option anywhere to select specific group that can be tied to certain auth type. Last night, we did end up creating user template, which lets you add user group, which then can contain ldap group, that can be added to accessrole object...BUT, that still does not let us tie it to any type of auth on the gateway, very frustrating.

Anyway, tac guy said will check with escalations and let us know tomorrow. We may try set up another ldap group and test with different ad branch. Weird thing is, even for radius, you log in with username and password, but then when radius part comes in, it never shows proper options on the vpn client...

Andy

Re: Associating specific accessrole groups with specific vpn authentication

PhoneBoy — Wed, 09 Dec 2020 22:51:38 GMT

So...what's the end user experience on Cisco like with this?
Do they have to choose an authentication method on the client side?
What happens if they pick the "wrong" option (or is that even possible to do)?

The more you can tell about what the expected user experience and the WHY behind said experience (beyond "Cisco does it and they don't want to change") the better.

Re: Associating specific accessrole groups with specific vpn authentication

the_rock — Wed, 09 Dec 2020 23:04:33 GMT

Ok, I will explain...so you create user group, assign whatever AD users you want, associate auth method with that group, save config and thats it. Once rules are in place for vpn, users will be prompted to authenticate based on the method assigned...clear?

Re: Associating specific accessrole groups with specific vpn authentication

PhoneBoy — Thu, 10 Dec 2020 03:06:55 GMT

That only tells me how to configure it as an admin, not what an end user experiences when they try and log in.

When you define an LDAP AU, you can specify what authentication methods are allowed for all users under that AU.

I'm guessing you could create several AUs against the same LDAP servers with specific branches for each group you're interested in.
Each AU would specify different authentication schemes that could be used.
Not quite sure what the end user experience would be here, though.

I don't know for sure, but I suspect this is an RFE.

Re: Associating specific accessrole groups with specific vpn authentication

the_rock — Thu, 10 Dec 2020 03:11:28 GMT

Yea...funny enough, that option you showed does not do anything, sadly. Thats default setting and usually all those options are allowed anyway, so no need to change them. Really, what end users currently experience is they only have to choose auth method once on Cisco anyconnect (equal to CP vpn endpoint client) and thats it, no need to mess around after. Tac guy from Dallas said he will consult with escalation, because Im positive there is a way to do this on CP...EVERY major fw vendor has this ability and its so easy to do it.

Re: Associating specific accessrole groups with specific vpn authentication

PhoneBoy — Thu, 10 Dec 2020 03:19:47 GMT

The multiple authentication schemes dialog you showed earlier does make those authentication options available to the end user after you push policy.
However, there is no way to tie a specific authentication method to a user group.
If the ID is unique in LDAP and associated with that specific group, they'll have access regardless of how they authenticated.
If you want to provide different levels of access based on how they authenticate instead of or in addition to the LDAP group, pretty sure that is an RFE.

Re: Associating specific accessrole groups with specific vpn authentication

the_rock — Thu, 10 Dec 2020 03:25:06 GMT

If thats the case, I find that really surprising, if not shocking. If you take Cisco asa, super easy. fortigate (same thing), even palo alto has this ability and its very straight forward. Though, I will say we did make progress today and I may ask the customer tomorrow to try create another user template that includes specific ldap group (that can be created to reference specific AD group) and then add it to accessrole group and we will test more. Even tac said that seems to be the best way...so lets keep our fingers crossed 🙂

Re: Associating specific accessrole groups with specific vpn authentication

PhoneBoy — Thu, 10 Dec 2020 03:32:05 GMT

That does sound promising, keep me posted.

Re: Associating specific accessrole groups with specific vpn authentication

the_rock — Thu, 10 Dec 2020 03:46:44 GMT

You bet brother : ). In IT community, its important to share knowledge, regardless what vendor it is.

Andy

Re: Associating specific accessrole groups with specific vpn authentication

PhoneBoy — Thu, 10 Dec 2020 04:31:02 GMT

You can make a pretty decent career out of sharing information 😉

Re: Associating specific accessrole groups with specific vpn authentication

the_rock — Thu, 10 Dec 2020 04:31:46 GMT

Of course 😉