topic Re: Choose the Machine Authentication Cetificate in SASE and Remote Access

Choose the Machine Authentication Cetificate

MasterSomy — Wed, 19 Feb 2020 13:10:09 GMT

Hi,

We wanted to test the new Machine Authentication Feature of the Windows VPN Clients.
we are currently facing the problem that we get one Certificate enrolled by default by our AD and we have the certificate to authenticate our Client. The Problem is the VPN Client tries to use the auto enrolled one, but it doesn't work. If we delete it is functioning.

Is there a method to choose witch one will be used?

Re: Choose the Machine Authentication Cetificate

PhoneBoy — Tue, 25 Feb 2020 23:19:57 GMT

I checked with the relevant R&D owners.
The certificate that is used is the one that has the latest "Not After (Date)."
There isn't a way to choose it otherwise.

Re: Choose the Machine Authentication Cetificate

MasterSomy — Wed, 26 Feb 2020 07:37:28 GMT

Thank you.
That is unfortunate it would be great when we had the option to do that or at least Choose from which CA it will be used so we could guaranty that it would use the right one.

Re: Choose the Machine Authentication Cetificate

Milan_Jovanovic — Wed, 21 Oct 2020 10:44:05 GMT

Hi PhoneBoy,

Regarding this solution you described Machine Cert I have few questions:

When we implement Machine Cert is it possible at same time for some LDAP AD users for example in specific group or OU to use just AD user pass authentication without Machine Cert?

When we implement Machine Cert are we able to authenticate with mobile device (Android,IOS etc) with endpoint client using same AD user for which is mandatory machine cert?

When we use AD + machine cert auth is it possible in same time for some users to use Local defined in SMS user+cert+pass endpoint authentication?

If answers are yes on this questions, can all of this function in same time?

Re: Choose the Machine Authentication Cetificate

AndreiR — Thu, 22 Oct 2020 05:27:10 GMT

Hi @Milan_Jovanovic ,

It is not possible to exclude usage of machine certificate for some group of users.

Two more your questions require clarification. Please describe what you would like to use in both cases.

Re: Choose the Machine Authentication Cetificate

Milan_Jovanovic — Thu, 22 Oct 2020 06:04:26 GMT

Thank you AndreiR.

Second question is about how machine certificate work with mobile devices Android IOS which are not domain computers. Can we authenticate on that devices with AD user?

Third question when we setup and use machine authentication for our LDAP users can we for external people that don't have AD account on SMS create local users with pass and cert and use them for authentication for endpoint vpn access?

Re: Choose the Machine Authentication Cetificate

TheRealDiZ — Fri, 11 Dec 2020 09:15:44 GMT

Hey Guys,

If the AD is actually the CA for the machine, in which way do you have to set authentincation on the Check Point VPN Client?

If you choose "certificate" as method when you create the site, the client will ask you to import a certificate.

Is there anyway to configure it smoothly without importing the certificate?

The certificate (since the machine is part of the domain) should be already on the machine that is trying to connect in VPN right?

Thanks in advance for your reply! 🙂