topic Re: Certificate Authentication for Remote Access VPN user in SASE and Remote Access

Certificate Authentication for Remote Access VPN user

Nagaraja — Wed, 17 Mar 2021 16:54:03 GMT

Hi Team,

We have configured personal certificate as First factor and Radius as second factor authentication.

In personal certificate authentication, the firewall will check for the DN(correct me if I am wrong),can we make it to check only CN instead of DN.

Second query is that the user is having multiple certificates, so in that case how Check Point will match the exact certificate if there are two VPN certificate with two different templates?

Re: Certificate Authentication for Remote Access VPN user

the_rock — Wed, 17 Mar 2021 21:57:58 GMT

I believe it only checks DN. Your 2nd inquiry, are you referring to just a specific user cert here?

Andy

Re: Certificate Authentication for Remote Access VPN user

PhoneBoy — Wed, 17 Mar 2021 22:06:54 GMT

As far as I know, what we check in the cert is hard coded and can't be changed.
For the second question, it depends on what kind of a certificate we're talking about.

For a user-specific certificate, I believe the user chooses what certificate to offer.
For a machine certificate, we use the most recent one, I believe (and that's hardcoded).

Re: Certificate Authentication for Remote Access VPN user

Nagaraja — Thu, 18 Mar 2021 11:40:26 GMT

Yes, it is user certificate

Re: Certificate Authentication for Remote Access VPN user

Nagaraja — Thu, 18 Mar 2021 11:44:46 GMT

Hi Phoneboy,

Thanks for the information.

Is there any supporting document which says that we can't change the configuration to check CN instead of DN.

Any article which says that it will use the latest certificate if it is machine certificate.

We are using user based certificate

Re: Certificate Authentication for Remote Access VPN user

Nagaraja — Thu, 18 Mar 2021 14:09:45 GMT

Hi Phoneboy,

We are using user based certificate and there are multiple certificates(eg. includes expired cert aslo) in user machine.

Why Check Point is not able to pick the valid certificate ? User is not aware of the valid/expired certificates.

Re: Certificate Authentication for Remote Access VPN user

Nagaraja — Thu, 25 Mar 2021 10:32:19 GMT

Hi Phoneboy,

For a user-specific certificate, I believe the user chooses what certificate to offer - Can We configure this on gateway end to select the certificate automatically instead of user selecting the certificate manually.

Re: Certificate Authentication for Remote Access VPN user

Norbert_Bohusch — Thu, 25 Mar 2021 10:59:44 GMT

You can change what is taken from the certificate for matching it against the user base (LDAP or local).

Before R80.x it was a bit of a pain to configure through GuiDBedit, but since R80.10 you can select it when configuration Multiple Login Options:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-VPNRG/User-and-Client-Authentication.htm?tocpath=User%20and%20Client%20Authentication%20for%20Remote%20Access%7C_____0#Multiple_Login_Options_for_R80.xx_Gateways

See chapter: Certificate Parsing

Besides the "Fetch username from" setting as described, you will have to match the "search LDAP for", so it can find it.

So you can even go for CN, SAN.email, SAN.UPN, etc...

Btw. I configured this on R77.10 already but not that comfortable 😉

Re: Certificate Authentication for Remote Access VPN user

Nagaraja — Mon, 29 Mar 2021 09:30:48 GMT

Hi Norbert,

There is no option to configure only CN validation check.

We can configure DN.CN,it seems like this is 'AND' operation not 'OR' operation.

Attaching the screenshot for your reference.

Re: Certificate Authentication for Remote Access VPN user

Norbert_Bohusch — Tue, 30 Mar 2021 10:04:13 GMT

DN.CN means the CN part of the DN.

A certificate has always CN as part of DN... So exactly what you asked.

I don‘t understand the and/or part of your answer?!

Re: Certificate Authentication for Remote Access VPN user

Nagaraja — Tue, 30 Mar 2021 11:12:55 GMT

Hi Norbert,

We don't want to validate DN.

We need to validate only CN.

Is that possible ?

Re: Certificate Authentication for Remote Access VPN user

PhoneBoy — Tue, 30 Mar 2021 22:44:52 GMT

You can try Custom Fields, otherwise I assume this would be an RFE.

Re: Certificate Authentication for Remote Access VPN user

Norbert_Bohusch — Wed, 31 Mar 2021 05:55:45 GMT

I don't understand this question?

Can you post a sample Subject or SAN and tell me which part of it you want to use for finding the user in LDAP?

Re: Certificate Authentication for Remote Access VPN user

CheckPointerXL — Sun, 12 Mar 2023 21:08:19 GMT

Hello Phoneboy,

I have a question about user authentication when user/pass + user certificate is configured: did the user need to select the certificate every time he connects to vpn or the vpn client automatically recognize the certs from repository?

Thanks a lot

Re: Certificate Authentication for Remote Access VPN user

PhoneBoy — Mon, 13 Mar 2023 16:24:28 GMT

I believe the first time you need to specify the certificate.
After that, the certificate should be reused.