topic Re: Machine Authentication & Identity Awareness in SASE and Remote Access

Machine Authentication & Identity Awareness

stich86 — Sat, 09 Jan 2021 18:56:44 GMT

Hi guys,

we are trying to enable machine authentication using AD machine enrollment, but we see two behaviours:

- the first one is the IP match with IA, after user logon on his laptop, we don't have the related event (that should be get from ADC), so all users rules based con Access Roles are not working

- the MA auth seems to work only with Legacy Login, this expose us to remove DynamicID from the authentication, so if some smart users change the type of login on the CP client can skip the 2FA

Any hints on the two problems?

Thanks in advance!

Re: Machine Authentication & Identity Awareness

Chris_Atkinson — Mon, 11 Jan 2021 02:49:10 GMT

To clarify your not seeing the AD/DC side security events for log-on & log-off vs un-lock is the auditing set correctly for the same?

Note these are the priorities of the different Identity Sources:
1. Remote Access (enabled by default)
2. Identity Agent, Terminal Servers Identity Agent
3. Captive Portal, Identity Collector, RADIUS Accounting, Identity Awareness API
4. AD Query

Re: Machine Authentication & Identity Awareness

stich86 — Sun, 10 Jan 2021 18:29:26 GMT

check this link: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk146835&partition=Basic&product=Identity

i think the problem is related to how the recoinciliation works. As i've understood the Remote VPN connector cannot be modified appending an ADQ.

Is it right?

Thanks

Re: Machine Authentication & Identity Awareness

henryck — Thu, 15 Sep 2022 23:48:25 GMT

Hi @stich86

I am experiencing the same issue on R81.10 gateways.

Our machine certificate based remote access users are only being recognised by machine identity & not username.

Did you find out what causes this?

Re: Machine Authentication & Identity Awareness

Steffen_Appel — Thu, 17 Nov 2022 15:02:25 GMT

We have the same problem actually.

Re: Machine Authentication & Identity Awareness

henryck — Thu, 17 Nov 2022 21:14:03 GMT

Stitch86 was on the money, its due to reconciliation.

Our configuration was changed on the gateways in pdp_session_conciliation.c with help from TAC

Re: Machine Authentication & Identity Awareness

stich86 — Fri, 18 Nov 2022 06:52:09 GMT

Sorry for late response!

i’m happy that you have solved the issue 🙂

Re: Machine Authentication & Identity Awareness

Steffen_Appel — Fri, 18 Nov 2022 07:35:54 GMT

Can you tell me what you actually did and how it resolved the issue?

Re: Machine Authentication & Identity Awareness

stich86 — Fri, 18 Nov 2022 07:44:59 GMT

You should open a ticket to the TAC, so they can give you the change needed on PDP reconciliation 🙂

Re: Machine Authentication & Identity Awareness

Steffen_Appel — Fri, 06 Jan 2023 09:17:32 GMT

TAC ticket is open but PDP change did not help.

Re: Machine Authentication & Identity Awareness

Steffen_Appel — Tue, 10 Jan 2023 10:18:10 GMT

Just to make sure, you use the machine tunnel before and after logon?

Our supporter claims, that we have to turn the machine tunnel off after logon to get the user information correctly.