Blason_R
Silver

Captive portal for linux SSH or Terminal windows

Hi there,

Is anyone aware of any mechanism that exists to leverage Identity Awareness when I would like to pass through a firewall with Captive Portal enabled while using SSH or a Linux terminal with no GUI?

With a browser, yes, it's pretty much possible; but what if a GUI is not available?

 

Thanks and Regards,

Blason R

0 Kudos
1 Solution

Accepted Solutions

Re: Captive portal for linux SSH or Terminal windows

Captive Portal is made for browser-based auth only - you could do an RFE here: Products and Feature Suggestions

0 Kudos
13 Replies

Blason_R
Silver

Re: Captive portal for linux SSH or Terminal windows

Okies and thanks for the reply.

 

0 Kudos

Re: Captive portal for linux SSH or Terminal windows

Going back to "Captive Portal is made for Browser Based Auth only".

While this is perfectly true, browser communication in the end is just HTTP GET and HTTP POST requests.

If we were to capture an HTTP session between, let's say, a Windows-supported browser and the IDA portal auth with Fiddler or similar, then extract and replicate the HTTP POST of the authentication itself, and then script that into the Linux CLI box?

Would this work?

AFAIK, Captive Portal does not require any ongoing resources (keep-alive window open / cookie validation / etc.) and once the IP and username have been linked on the FW side, it remains so until the configured session timeout.

0 Kudos
Admin

Re: Captive portal for linux SSH or Terminal windows

Identity Awareness has an API.
Perhaps you can script up something that gives your Linux machine an identity?
0 Kudos
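The HTTP replay idea a few posts up and the API suggestion in this post aim at the same outcome: associating the Linux host's IP with a user on the gateway without a browser. The API route is the cleaner one, since it does not depend on replaying a captured portal form. The script below is an added example, not code from the original thread or from Check Point. The gateway address, shared secret, CA file and user name are assumptions; the endpoint path (`/_IA_API/v1.0/add-identity`) and the JSON field names follow the Identity Awareness Web API reference for R80.10 and later and should be checked against your release. The gateway must have the Identity Web API enabled, with the calling host listed as an authorized client and the shared secret configured there.

```python
"""Give a Linux host an identity on a Check Point gateway through the
Identity Awareness Web API instead of the browser-only Captive Portal.

Added example; not from the original thread or from Check Point. The
endpoint path and JSON field names follow the IA Web API reference
(R80.10+); check them against your release. The gateway must have the
Identity Web API enabled with this client's IP in the authorized-clients
list and the shared secret set there.
"""
import ipaddress
import json
import ssl
import sys
import urllib.request

# Assumed values for illustration; replace with your own.
GATEWAY = "192.0.2.1"                  # assumed gateway address
SHARED_SECRET = "replace-me"           # assumed IA Web API shared secret
CA_FILE = "/etc/ssl/certs/gw-ca.pem"   # assumed CA that issued the gateway's cert

API_BASE = "/_IA_API/v1.0/"


def _url(gateway, command):
    return f"https://{gateway}{API_BASE}{command}"


def build_add_identity_request(gateway, shared_secret, ip_address, user,
                               session_timeout=3600):
    """Return (url, body) for add-identity.

    Validates the pieces a script is most likely to get wrong: the IP is
    parsed (ValueError on garbage), the user must be non-empty, and the
    timeout must be a positive number of seconds.
    """
    ip = ipaddress.ip_address(ip_address)
    if not user or not user.strip():
        raise ValueError("user must be non-empty")
    if not isinstance(session_timeout, int) or session_timeout <= 0:
        raise ValueError("session-timeout must be a positive integer (seconds)")
    body = {
        "shared-secret": shared_secret,
        "ip-address": str(ip),
        "user": user,
        "session-timeout": session_timeout,
    }
    return _url(gateway, "add-identity"), body


def build_delete_identity_request(gateway, shared_secret, ip_address):
    """Return (url, body) for delete-identity, to drop the association early."""
    ip = ipaddress.ip_address(ip_address)
    body = {"shared-secret": shared_secret, "ip-address": str(ip)}
    return _url(gateway, "delete-identity"), body


def call_api(url, body, ca_file=CA_FILE, timeout=10):
    """POST the JSON body over TLS, verifying the gateway certificate.

    Whoever holds the shared secret can attach any user to any IP, so never
    disable verification here and never leave the secret on the DMZ host
    itself; run this from a trusted admin host on the gateway's
    authorized-clients list.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # usage: python ia_identity.py <host-ip> <user> [timeout-seconds]
    host_ip, user = sys.argv[1], sys.argv[2]
    ttl = int(sys.argv[3]) if len(sys.argv) > 3 else 3600
    url, body = build_add_identity_request(GATEWAY, SHARED_SECRET, host_ip, user, ttl)
    print(json.dumps(call_api(url, body), indent=2))
```

The association this creates is the same kind of IP-to-user mapping the Captive Portal would have produced, and it expires after `session-timeout` seconds unless refreshed or removed with `delete-identity`. Because the shared secret is effectively a credential that can impersonate any user from any IP, the script belongs on a management or jump host, not on the DMZ servers the thread is trying to contain.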
Blason_R
Silver

Re: Captive portal for linux SSH or Terminal windows

Thanks buddy!!

0 Kudos
Wolfgang
Gold

Re: Captive portal for linux SSH or Terminal windows

In older times there was a possibility to telnet to port 259 on the gateway. This worked via a rule with "Client Auth" as the action...

[Image: Client_Authentication.PNG]

This very old document gives a good description of how to configure it:

http://downloads.checkpoint.com/dc/download.htm?ID=12297

But with "Client Auth" there are some limitations, shown in sk115961.

We had customers using this with R77.30, but never tried it on R80.xx

0 Kudos

Re: Captive portal for linux SSH or Terminal windows

You can find another answer in sk115242: the Linux user can use the supported SNX build for Linux CLI implementation from sk90240 (Build 800007075) instead of the Captive Portal! See also the SSL Network Extender E75 CLI Support for Mobile Access Blade Release Notes.

0 Kudos
Admin

Re: Captive portal for linux SSH or Terminal windows

Client Auth has been deprecated. That said, there are a few use cases where Client Auth still makes sense (like this one).
0 Kudos
Blason_R
Silver

Re: Captive portal for linux SSH or Terminal windows

Well, the use case here is: we have a customer whose servers are placed in a DMZ, and users can access the DMZ servers. Since those servers have outbound HTTPS access open, the users do SSL tunneling to certain sites and access them through it. I understand we can harden SSH by disabling SSH port forwarding, but I see cases where the user has set up a Squid proxy on a server, and since the server has ANY access to http/https they are able to access the internet through it.

Hence, even if they take SSH to the server, I am wondering if Captive Portal could have been a better option for accessing the Internet?

0 Kudos
Admin

Re: Captive portal for linux SSH or Terminal windows

SSH can also act as a SOCKS proxy, so there's another potential hole to close.
0 Kudos
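The holes named in this post and the one before it (SSH port forwarding, an SSH SOCKS proxy via `ssh -D`, a Squid instance started on the server) are partly an sshd problem and partly an egress-policy problem. The auditor below covers the sshd side. It is an added example, not from the original thread or from any Check Point documentation: it parses an sshd_config, reports every forwarding-related directive that is still open, and is run against a constructed stock config beside a constructed hardened one. The directive defaults come from sshd_config(5); the file paths and sample configs are constructed for illustration.

```python
"""Audit an sshd_config for the settings that let a DMZ host be used as a
pivot: local/remote/dynamic (-L/-R/-D SOCKS) TCP forwarding, Unix-socket
forwarding, tun(4) tunnels, agent forwarding and X11.

Added example; not from the original thread. Defaults below are taken from
sshd_config(5); sshd honours the first occurrence of a directive.
"""
import re
import sys

# directive -> (value that closes the pivot path, sshd default when absent)
PIVOT_DIRECTIVES = {
    "allowtcpforwarding": ("no", "yes"),          # covers -L, -R and -D (SOCKS)
    "allowstreamlocalforwarding": ("no", "yes"),  # Unix-domain socket forwards
    "gatewayports": ("no", "no"),                 # remote forwards exposed beyond loopback
    "permittunnel": ("no", "no"),                 # layer-2/3 tun(4) forwarding
    "allowagentforwarding": ("no", "yes"),        # agent socket reachable from the DMZ host
    "x11forwarding": ("no", "no"),
}


def parse_sshd_config(text):
    """Return (global_settings, has_match).

    Only the global section is parsed; a Match block can re-enable any of
    these per user or group, so its presence is reported for manual review.
    """
    settings = {}
    has_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            has_match = True
            break
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings, has_match


def audit_sshd_config(text):
    """Return a list of findings; an empty list means no pivot path is open
    in the global section."""
    settings, has_match = parse_sshd_config(text)
    findings = []
    for key, (wanted, default) in PIVOT_DIRECTIVES.items():
        explicit = key in settings
        actual = settings.get(key, default).lower()
        if actual != wanted:
            origin = "explicit" if explicit else "default"
            findings.append(f"{key} is '{actual}' ({origin}); set it to '{wanted}'")
    if has_match:
        findings.append("Match block present; per-user settings there can re-enable "
                        "forwarding, review it with 'sshd -T -C user=<name>'")
    return findings


# Constructed samples: a stock DMZ host and the hardened equivalent.
WEAK_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding yes
X11Forwarding no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
"""

if __name__ == "__main__":
    # usage: python sshd_pivot_audit.py [/path/to/sshd_config]
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path, encoding="utf-8") as fh:
        problems = audit_sshd_config(fh.read())
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Two caveats for anyone using this in earnest. First, `sshd -T` prints the effective configuration after defaults and Match evaluation, so it is the authoritative check; the parser above is for reviewing files you have not yet deployed. Second, `AllowTcpForwarding no` closes `-L`, `-R` and `-D`, but a user with a shell can still start Squid or any other proxy on the server, which is exactly the case described in the post; only restricting the servers' outbound access from "ANY http/https" to the destinations they actually need removes that path.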

Re: Captive portal for linux SSH or Terminal windows

RDP sessions to jump hosts in SCADA environments is another use case. I used to configure Client Auth with RSA MFA just for that purpose. Is this no longer possible in R80?

0 Kudos

Re: Captive portal for linux SSH or Terminal windows

Client Auth still exists in R80.x but if memory serves, it can cause weird issues with your policy if you are using layers. We still have Client Auth rules in a couple of policies and I seem to remember testing things on a lab GW and being given some error when I tried to mix layers and Client Auth rules. 

So, while the feature is still there, it may interfere with your ability to make use of newer Check Point features. 

R80 CCSA / CCSE
0 Kudos