topic Re: How to validate machine authentication? in SASE and Remote Access

How to validate machine authentication?

LazarusG — Mon, 09 Jan 2023 12:48:28 GMT

I have configured it in my lab using the AD CA.

I think its working, but how to validate?

I have the following log card - is this the only method? Or is there a CLI command?

Id: c0a8c50a-b607-7836-63bb-f01100000000
Marker: @A@@B@1673222400@C@2394
Log Server Origin: 192.168.197.10
Time: 2023-01-09T10:44:33Z
Id Generated By Indexer:false
First: false
Sequencenum: 2
Client Name: Active Directory Query
Product Version: R81.10
Domain Name: lazarus.com
Source: 192.168.197.100
Endpoint IP: 192.168.197.100
Authentication Status: Successful Login
Identity Source: AD Query
Session ID: d1b85d8a
Source Machine Name: win10domain
Source Machine Group: All Machines; ad_group_machine_auth
Authentication Method: Machine Authentication (Active Directory)
Identity Type: machine
Roles: machine
Last Update Time: 2023-01-09T10:44:33Z
Action: Log In
Type: Log
Blade: Identity Awareness
Origin: r81_10_mgmt
Product Family: Network
Logid: 131073
Description: Successful Login: Machine Authentication (Active Directory)

I can see from the endpoint client that it is connected to the VPN Active Site and Danny's one liner shows 1 OM address consumed;

REMOTE ACCESS VPN STATS - Current
----------------------------------------------------------------------
Assigned OfficeMode IPs : 0 (Peak: 1)
Capsule/Endpoint VPN Users : 0 (Peak: 0) using Visitor Mode: 0
Capsule Workspace Users : 0 (Peak: 0)
MAB Portal Users : 0 (Peak: 0)
L2TP Users : 0 (Peak: 0)
SNX Users : 0 (Peak: 0)

LICENSES
----------------------------------------------------------------------
SecuRemote Users : 10000
Endpoint Connect Users : 0
Mobile Access Users : 100
SNX Users : 50

I dont see any users or tunnels under Smartview Monitor (possibly as Im enforcing machine auth only?);

Are there any other cli or gui validation methods?

Thanks in advance.

Re: How to validate machine authentication?

PhoneBoy — Tue, 10 Jan 2023 00:28:05 GMT

Pretty sure you wouldn't get an Office Mode address if you weren't successfully authenticated.
Did you initiate any traffic into the encryption domain?

Re: How to validate machine authentication?

the_rock — Tue, 10 Jan 2023 01:13:36 GMT

Phoneboy makes a good point, try send some traffic to enc domain and see.

Re: How to validate machine authentication?

Howard_Gyton — Wed, 25 Jan 2023 16:01:48 GMT

We have this working on Windows for both internal, and VPN connected traffic. It was always working for internal traffic,. but to get it to work for VPN we had to make a couple of changes.

In the Access Role, we had tried using built-in "Domain Computers" group. When we changed this to a user made security group, and populated that group with our test machines, rules using an Access Role with machine Machine Auth. started working. Up to that point it probably always had been, but we couldn't tell because the test rule was not used.

I believe the reason why we could tell this was the case, and simultaneously being able to tell that machine auth. was indeed working was to look at one of the "Identity Awareness" records, and looking for the "Source Machine Group" section. I don't think this exists for IA records where machine auth. doesn't occur.

We also inferred from this record that the reason why we thought that machine auth. was not working over VPN was because of the "Domain Computers" group never appeared in "Source Machine Group", therefore our test rules were never used as the traffic did not match the access role. You can see below that only "All Machines" appears, not "Domain Computers". Changing the access role to use the second of the two AD groups listed below worked for our test rule, adding a second indicator that machine auth. was working.