https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229981#M2981 <P>But is this branch filter about LDAP branches? My understanding is that the root CA does not have visibility of LDAP branches.</P> Thu, 17 Oct 2024 09:45:17 GMT Daniel_3 2024-10-17T09:45:17Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229808#M2973 <P>Hello,</P><P>I am currently implementing remote VPN with machine authentication for our company and our customers and partners.</P><P>I configured VPN for ourself, an IT provider, and one of our customers. Each has its own VPN gateway.</P><P>For the VPN authentication we use Active Directory. Provider and customer have their own AD, completely seperated.</P><P>For the machine certificates we used seperate sub CAs but both are using the same root CA.</P><P>I also got a user in our customers AD domain since I am one of the firewall admins and we have to do basic login tests after implementing changes which will affect remote VPN. We also use a seperate test client for that which is connected to our customers AD.</P><P>Now the issue is, that that my companys client (which is not part of the customers AD) is also able to login to the customers VPN gateway even though my machine name is not registered in the customers AD. So the machine authentication should fail.</P><P>There is no machine identity in the logs and it also shows the different AD name but the login is still successful.</P><P>My guess is, that this is possible because both are using the same root CA.</P><P>I tried to use the branch filter in the root CA settings in SmartConsole but I could not figure out the correct syntax and there seems to be no configuration examples online.</P><P>Did anyone use this filter already and got it to work? Or is there another solution for this issue?</P><P>We are using R81.20 on firewalls and the client version is E88.30 and E88.70 (Windows and MacOS clients).</P> Tue, 15 Oct 2024 19:49:22 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229808#M2973 Daniel_3 2024-10-15T19:49:22Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229821#M2974 <P>Are all the gateways managed by the same management or different ones?</P> Tue, 15 Oct 2024 20:45:12 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229821#M2974 PhoneBoy 2024-10-15T20:45:12Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229823#M2975 <P>They are managed by separate management servers.</P> Tue, 15 Oct 2024 20:46:40 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229823#M2975 Daniel_3 2024-10-15T20:46:40Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229825#M2976 <P>I assume in each management server, the external CA is imported.<BR />It looks like this is where you would specify the relevant DN for that organization's certificates.<BR />I assume each organization (with a different SubCA) has a unique DN for its certificates.<BR />Could be wrong about that, as this is not a configuration I've seen before.</P> <P><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/28087i1435FDC3F235A28D/image-size/medium?v=v2&amp;px=400" role="button" title="image.png" alt="image.png" /></span></P> Tue, 15 Oct 2024 20:57:57 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229825#M2976 PhoneBoy 2024-10-15T20:57:57Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229836#M2977 <P>Yes, that is the exact setting I played around with. But I was not able to figure out the syntax to filter out the machines which are not part of the corresponding domain. Login was either still possible for all clients or for none.</P> Tue, 15 Oct 2024 21:42:40 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229836#M2977 Daniel_3 2024-10-15T21:42:40Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229838#M2978 <P>Have you reviewed the certificates issued by the various sites to see their complete DN?<BR />What should be in this field is a partial DN, and it should be unique to the site in question.&nbsp;</P> Tue, 15 Oct 2024 21:54:11 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229838#M2978 PhoneBoy 2024-10-15T21:54:11Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229877#M2979 <P>I already tried the following:</P><P>CN=domain.net</P><P>CN=IntermediateCA</P><P>CN=IssuingCA</P><P>For the two CAs I tried both, the partial DN and the full DN.</P><P>But I keep getting the error "Name constraints checking failed." on the client.</P> Wed, 16 Oct 2024 08:03:09 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229877#M2979 Daniel_3 2024-10-16T08:03:09Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229908#M2980 <P>Have you tried using ldapsearch on the CLI?<BR />Perhaps that will provide a bit more visibility into what’s going on (and possibly finding the correct syntax).</P> Wed, 16 Oct 2024 13:25:05 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229908#M2980 PhoneBoy 2024-10-16T13:25:05Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229981#M2981 <P>But is this branch filter about LDAP branches? My understanding is that the root CA does not have visibility of LDAP branches.</P> Thu, 17 Oct 2024 09:45:17 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/229981#M2981 Daniel_3 2024-10-17T09:45:17Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/230033#M2982 <P>The CA does not, correct, but the certificates themselves have an LDAP path associated with them.</P> Thu, 17 Oct 2024 15:42:35 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/230033#M2982 PhoneBoy 2024-10-17T15:42:35Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/230119#M2983 <P>I tried several variations of the LDAP paths now, but still no luck.</P> Fri, 18 Oct 2024 10:13:20 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/230119#M2983 Daniel_3 2024-10-18T10:13:20Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/230173#M2984 <P>Unfortunately, the only suggestion I can offer here is to open a TAC case: <A href="https://help.checkpoint.com" target="_blank">https://help.checkpoint.com</A>&nbsp;</P> Fri, 18 Oct 2024 18:22:28 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/230173#M2984 PhoneBoy 2024-10-18T18:22:28Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/230743#M2985 <P>Ok, yes I have a TAC case open now. Thanks for you efforts to help!<BR />I will update this thread when I found a solution.</P> Thu, 24 Oct 2024 20:04:43 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-VPN-Machine-Authentication/m-p/230743#M2985 Daniel_3 2024-10-24T20:04:43Z