topic Re: remote client VPN authentication with Certificate in SASE and Remote Access

remote client VPN authentication with Certificate

ovidiu_catrina — Tue, 27 Mar 2018 14:57:21 GMT

at the moment we have the standard remote vpn for our users with office mode, authentication done through LDAP and MFA, which works perfectly, no complaints here until so far

but i want to start implement certificate based authentication on the remote vpn clients.

the CA is internal, our Active Directory will issue the certificates for the users.

i have an NPS server(RADIUS), policy is created, although could be wrongly configured.

i have the RADIUS server defined on the management.

but i am missing 2 steps :

1st : how do i enforce/allow users to user to use the certificate to authenticate.

2nd : could someone provide some step-by-step or a policy configuration for the NPs server

at the moment i have this :

and of course the firewalls defined as clients on the radius server.

Regards

Re: remote client VPN authentication with Certificate

Gaurav_Pandya — Tue, 27 Mar 2018 18:03:47 GMT

Hi,

During new Site creation at Remote VPN, You can select Certificate as authentication method.

Also there are option that which type of certificate you will use.

Re: remote client VPN authentication with Certificate

ovidiu_catrina — Wed, 28 Mar 2018 07:18:45 GMT

thanks for the feedback.

that is something i saw and tried it, but fails the authentication.

looks like i am missing more configuration the checkpoint and i am looking for a step-by-step how to enable it.

Regards

Re: remote client VPN authentication with Certificate

G_W_Albrecht — Wed, 28 Mar 2018 13:52:54 GMT

There is the R80.10 RemoteAccess VPN AdminGuide and the R77 VPN Admin Guide where the needed steps can be found.

Re: remote client VPN authentication with Certificate

ovidiu_catrina — Wed, 11 Apr 2018 13:35:08 GMT

i spent some time reading the manual and something is not clear.

i did the following, but something is missing :

i created a user_template

but here is what i am missing, on the ldap account unit i have no idea what option to chose , nothing is related to the certificates, just the radius, but i dont want to have a radius to do the certificate authentication.

Re: remote client VPN authentication with Certificate

G_W_Albrecht — Wed, 11 Apr 2018 13:53:41 GMT

Then i would follow Using Certificates Using Third Party PKI in Remote Access VPN Administration Guide R80.10 p.43f !

Re: remote client VPN authentication with Certificate

ovidiu_catrina — Wed, 11 Apr 2018 14:08:29 GMT

i already read that part, and what is says is to create local users on the dashboard and this is not manageable.

as for the normal username+password authentication you do not need to create local users on the dashboard, but the firewall passes the authentication to the LDAP server, there should be a similar option for the certificates.

Configuring Third-Party PKI Certificates To use a third-party PKI solution:

1. In SmartConsole, from the Objects Bar click Users > Users.

2. Create a new user or double-click an existing user. The User Properties window opens.

3. From the navigation tree, click Encryption.

4. Click Edit. The IKE Phase 2 Properties window opens.

5. Click the Authentication tab and select Public key.

6. Define the third party Certificate Authority as an object in SmartDashboard.

9. Transfer the certificate to the user.

please provide a proper answer, i read the manual from top to bottom and i am missing just one configuration which i am not able to find it.

sending me all the time to the admin manual doesn't help.

Regards

Re: remote client VPN authentication with Certificate

G_W_Albrecht — Thu, 12 Apr 2018 08:12:33 GMT

Sorry - look here:

User Authentication Options

Select the scheme to be used to authenticate users defined with this template. These schemes are used in authentication rules and in Remote Access (when the user is not identified using a certificate or an IKE preshared secret).

Select one of these authentication methods:

Undefined - means that either no authentication is performed and access is always denied, or IKE authentication is used, as defined in the Encryption tab.

Re: remote client VPN authentication with Certificate

ovidiu_catrina — Thu, 12 Apr 2018 08:40:19 GMT

i had it set up as Undefined on the authentication method

and then on the encryption i have this.

for some reason it always the same error, i masked the username

Category: Session
Event Type: Login
Name: Endpoint Security VPN
Version: E80.80
Build Number: 986005503
User: ******@*****.com
Authentication Method: Certificate
Login Option: Personal Certificate
Failed Login Factor: 1

Data Protocol: IPSec
Status: Failure
Reason: DN ****@****.com unknown.

although i think the missconfig comes from here since it doesnt give a proper authentication scheme for certificates.

any idea ? what i should pick or change? is this config correct?

Re: remote client VPN authentication with Certificate

G_W_Albrecht — Thu, 12 Apr 2018 09:24:07 GMT

You have to add the users to a user group that is a participant in the RemoteAccess Community and add option Personal Certificate in GW > VPN clients > Authentication. Then you have to install databes and policy.

Re: remote client VPN authentication with Certificate

ovidiu_catrina — Thu, 12 Apr 2018 09:45:06 GMT

that is already done, and works for username+password.

is the authentication scheme correctly selected to allow certificates ? because as you can see i selected only the checkpoint password.

https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc‌ maybe you could give some hint ?

Re: remote client VPN authentication with Certificate

PhoneBoy — Thu, 12 Apr 2018 09:56:01 GMT

Did you follow the steps here?

LDAP users connecting from Check Point Capsule Connect / VPN client cannot authenticate using certificate

Re: remote client VPN authentication with Certificate

ovidiu_catrina — Thu, 12 Apr 2018 10:05:24 GMT

i would say i tried, but after so many tests i am not sure anymore

i will try again this afternoon.

thanks

Re: remote client VPN authentication with Certificate

ovidiu_catrina — Thu, 12 Apr 2018 16:16:37 GMT

just tried this option and still the same error.

Category: Session
Event Type: Login
Name: Endpoint Security VPN
Version: E80.80
Build Number: 986005503
User: *****@******.com
Authentication Method: Certificate
Login Option: Personal Certificate
Failed Login Factor: 1
Model: PC
OS Name: Windows
OS Version: 10
OS Edition: Professional
OS Build: 16299
OS Bits: 64bit
ID: 9240021C-799E-4DB0-A2CC-E7A23670C716
Re-authentication every:
Login Timestamp: 2018-04-12T16:15:21Z
IP Protocol: 6
Destination Port: 443
Data Protocol: IPSec
Status: Failure
Reason: DN ******@*****.com unknown.
Suppressed Logs: 0
Action: Failed Log In
Type: Log
Blade: Mobile Access
Origin: *********
Service: TCP/443
Product Family: Access
Marker: @A@@B@1523549079@C@2464621
Data Encryption: AES-256 + MD5
Severity: Informational
Rounded Sent Bytes: 0
Confidence Level: N/A
Rounded Bytes: 0
Rounded Received Bytes: 0
OS: Windows 10 Professional 64bit (build 16299)
Login Option Factors: Certificate

Re: remote client VPN authentication with Certificate

G_W_Albrecht — Fri, 13 Apr 2018 06:58:42 GMT

I would suggest to let TAC find what goes wrong here!

Re: remote client VPN authentication with Certificate

Juan_Concepcion — Mon, 16 Apr 2018 03:35:29 GMT

Re: remote client VPN authentication with Certificate

Shahar_Grober — Fri, 14 Sep 2018 18:28:11 GMT

Did anybody managed to solve this issue? I have the same issue here with the same log

It looks like something is missing with the authentication configuration but it is not stated in the R80.10 remote access documentation (or I missed it somehow)

Re: remote client VPN authentication with Certificate

G_W_Albrecht — Mon, 17 Sep 2018 07:15:45 GMT

I would still suggest to let TAC find what goes wrong here and post the result ! 😉

Re: remote client VPN authentication with Certificate

Shahar_Grober — Wed, 19 Sep 2018 13:48:42 GMT

After great remote session with Check Point Support we figured out that the microsoft CA has to be configured in SmartDashboard in addition to the LDAP server

Unlike Domain User authentication It is a must to configure the Microsoft CA in order to authenticate with a certificate.

The documentation is lacking and can definitely be improved since you need to search in 3 different locations (and in Check Mates) in order to figure out the complete configuration of this deployment

Re: remote client VPN authentication with Certificate

ovidiu_catrina — Wed, 19 Sep 2018 16:49:08 GMT

will you kind enough to share the details or the steps to proceed with the configuration ?

i really don't feel going through TAC for this, it should be documented since the config should be straight forward.

Regards