topic Re: Identity Awareness and smart cards in General Topics

Identity Awareness and smart cards

Oussama_Kadim1 — Mon, 27 Aug 2018 09:39:40 GMT

Dear All,

I need to implement Identity Awareness on checkpoint R77.30 for a client. The client would like to use smart cards to authenticate users on the GW. (Smart cards contain SSL certificate and are already used to authenticate users on the network and to unlock their PCs).

Could you please tell me if there is any documentation of how to implement IDawareness based on smart cards on checkpoint?

Regards.

identity awareness‌ identity agent‌ authentication‌ #smart card

Re: Identity Awareness and smart cards

G_W_Albrecht — Mon, 27 Aug 2018 11:01:47 GMT

According to sk86441, Identity Awareness gets identities from these identity sources. You must enable them on the Gateway, from the Identity Awareness page of the Gateway object:

Active Directory (AD) Query
Browser-Based Authentication
Identity Agents (installed on the Endpoint)
Terminal Servers Agents
Radius Accounting
Remote Access
Identity Collector
Web API

Re: Identity Awareness and smart cards

_Val_ — Mon, 27 Aug 2018 11:06:01 GMT

Any means of authentication against AD should work for you, if you are using AD Query and/or Identity Collectors.

Please elaborate of the exact scenario. It is unclear if you mean "on the PC" auth or a direct auth on the GW. If latter, please tell us how you see it.

Re: Identity Awareness and smart cards

Oussama_Kadim1 — Mon, 27 Aug 2018 12:11:04 GMT

Hello,

Currently users use the smart card to authenticate themselves on their workstations.
Once authenticated, users access the company network.

Access threading between users and applications is done via checkpoints, and this filtering is based only on source/destination IPs and the tcp/Udp port.

We wish then to put more security and traceability by setting up the blade IDawareness.

The customer does not wish to use AD query, Log collector etc., asked me to do a study on the possibility to use the smart card and to use the certificate it contains in order to identify users and use access control type filtering.

Regards.

Re: Identity Awareness and smart cards

_Val_ — Mon, 27 Aug 2018 12:22:22 GMT

Identity Awareness uses associations of User Identity (combination of user auth details with some sort of authentication techniques, such as AS, LDAP, etc and machine identity for managed PCs) and IP associated with the identified endpoint. FW uses IP to enforced rules associated with User Roles.

I suggest you to look into sk86441 for the best scenario.