topic Re: Smart console AD authentication in Firewall and Security Management

SmartConsole AD Authentication

Blason_R — Thu, 04 Oct 2018 09:58:26 GMT

Hello folks,

I have integrated Active directory with Checkpoint R80.10. So can I use the active directory user log in for smart console. I do not have radius server. Please let me know Is it possible and how?

Re: Smart console AD authentication

Norbert_Bohusch — Thu, 04 Oct 2018 10:20:44 GMT

You could use Microsoft NPS (Network Policy Server = Radius Server) on either DC or separate Server.

Re: Smart console AD authentication

Carsten_Weber — Thu, 04 Oct 2018 13:22:53 GMT

Still not possible the way you want to do it.

See the documentation R80.10 Management Admin Guide, Section: Configuring Authentication Methods for Administrators

Same goes for R80.20 Management Admin Guide, Section: Configuring Authentication Methods for Administrators

I did hear that request/question from every customer who was thinking about moving away from local OS accounts. And it is the first question that comes to mind, always.

I do struggle to understand this approach, however. I reckon that there is a very good reason behind this, though. I'm sure. 100%. No doubt.

Could someone knowing(!) the reasons please elabotrate about this?

Maybe it is about, who has control over the authorizing system and it's security measures and options (2FA, etc.)

Re: Smart console AD authentication

SantiagoPlatero — Thu, 11 Oct 2018 18:28:58 GMT

Hi Blason R, I actually had implemented the option told by Norbert Bohusch in my environment:

a Windows Server with the NPS role installed on a separate server of the domain controller (I believe putting the NPS in a DC is a big NO-NO).

Also as Norbert says the NPS role is essentially a Radius server, so you have to follow the instructions for "Configuring a RADIUS Server for Administrators" from the Admin Guide:

- Create a Radius Server object with a shared secret on the SmartConsole

- In the NPS server create a Radius Client with the Management/SmartCenter IP address and obviously the same shared secret from above

- Create a Connection Policy with at least a condition (for example the NAS IPv4 address as the IP address of mgmt) with EAP-MSCHAP as authentication method

- Create a Network Policy with also at least the same condition above (but I also configure a condition for the users must be members of an specific AD group)

- Create an administrator on the SmartConsole with a username format like <AD domain>\<AD user> and Radius as authentication method

Then you can login using the <AD domain>\<AD user> as user name and your AD password as password.

Hope it helped

Re: SmartConsole AD Authentication

Smartin — Wed, 27 Nov 2019 19:55:53 GMT

how did you get smartconsole to log in with AD? I can't find a good guide

Re: SmartConsole AD Authentication

PhoneBoy — Wed, 27 Nov 2019 22:49:14 GMT

You cannot directly authenticate SmartConsole with AD users.
You can, however, use a RADIUS server that is tied into AD (like Microsoft NPS) as a go-between.
The answer I've marked in this thread as "correct" is a good place to start.

Re: SmartConsole AD Authentication

Chris_Atkinson — Thu, 28 Nov 2019 07:38:59 GMT

For reference this has been discussed previously in another thread, see here:

https://community.checkpoint.com/t5/General-Management-Topics/Multi-domain-Admin-user-authentication-to-AD/td-p/23420

Re: SmartConsole AD Authentication

Maarten_Sjouw — Thu, 28 Nov 2019 08:34:27 GMT

There is a way in R80.20 and R80.30, but you have to ask for the activation method, with you local SE's.

Re: SmartConsole AD Authentication

PhoneBoy — Fri, 05 Feb 2021 07:49:51 GMT

I just recently became aware of this SK that provides a mechanism for authenticating SmartConsole users with Active Directory.
It is supported from R80.20 JHF, but has some limitations, and thus won't be appropriate in every situation.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk145392

Re: SmartConsole AD Authentication

Maarten_Sjouw — Wed, 19 Oct 2022 08:55:13 GMT

To bring back an old post again, in R81 and R81.10 there seems to be a difference in the Kerberos part used underwater. Due to company policies we were forced to harden the AD server and ran into an issue when the following encryption types were disabled for the Kerberos authentication:

DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5

Then we found that authentication to a R81 MDS was no longer working in a capture you see Kerberos errors with preauth_required, response_too_big and etype_nosupp

At the same time authenticating to a R81.10 MDS worked just fine, so it seems to be a version related.

Main question here: is there a way to force higher encryption types on the kerberos protocol?

Re: SmartConsole AD Authentication

JanVC — Fri, 17 Feb 2023 09:56:05 GMT

Perhaps you already solved it, but this link looks to be the solution

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk178069&partition=Basic&product=Quantum