topic Re: Adding certificate requirement on RAVPN for MAC's in SASE and Remote Access

Adding certificate requirement on RAVPN for MAC's

cdooer — Wed, 30 Oct 2024 12:53:51 GMT

Hey everyone. We recently rolled out certificate verification for Remote Access VPN login for an added layer of security, and it's working great...at least for Windows machines. Unfortunately MAC's can't connect, which isn't a huge deal since they represent a very small number in our environment. The MAC's have our root and intermediate certs installed in the System section of the Keychain app, but I don't believe that actually have a machine cert installed on them. Anyone know if the machine cert is required on the MAC, or should having the root and intermediate be enough? I'm not familiar with MAC's at all, has anyone else done this?

Re: Adding certificate requirement on RAVPN for MAC's

CaseyB — Wed, 30 Oct 2024 13:22:33 GMT

Generally speaking, if you are doing certificate-based authentication against a specific certificate authority (CA), the device connecting would need to have a certificate from that specific CA in order to get authenticated.

While I have not configured machine authentication on a Check Point, I would imagine the MAC in question would require a valid machine certificate from your Windows CA.

How do you get one? You can try navigating to your CA and requesting one (https://<YourWindowsCA>/certsrv/), or this Apple article might still be valid (https://support.apple.com/en-sg/101196). Other material I see on this references using MDM to accomplish this task.

Re: Adding certificate requirement on RAVPN for MAC's

PhoneBoy — Wed, 30 Oct 2024 21:23:19 GMT

If you are using Machine Certificates for authentication, then you have to deploy certificates to the Mac also.