SEGI_ULg
Ivory

Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

Hi everybody,

I've recently started to put my hands on the Identity Awareness Blade, exploring all the possibilities that it offers (Captive Portal, custom via API, etc.).

I've been working on the Identity Collector scenario for a few days, which is the one that fits our needs best.

Identity Collector is up and running, collecting identities from some AD and injecting that in some of my Check Point gateways. I've created the LDAP Account Unit which is also working, and I can now use the AD groups as a "Source" in my rules which is what I was looking for. Pretty basic stuff and it's working great right now.

But... 

Our production deployment is more complex than that and is pretty unusual (historical reasons, you know what I mean...). Basically, without entering into the details, what I would like to do is:

  • Fetch the Identities from domain X.COM (ActiveDirectory)
  • Fetch the users associated groups from domain Y.COM (ActiveDirectory OR OpenLDAP)

I know this looks weird, but all those parts are handled by different teams in a complex environment and are not subject to change in the near future, so I try to deal with it.

X.COM is the "real" domain where the PCs are registered (so it contains the identities).

Y.COM is a domain that acts as a pure LDAP for authentication and authorization purposes ONLY, all the groups are defined here and only here. (ActiveDirectory or OpenLDAP, we have both to serve this task)

So, here is my question: is it possible to do that?

I've tried to configure my LDAP Account Units with Y.COM, but it's never looking into it (I suppose it has to match the users domain received from the Identity Collector... right?)

I tried different "hacks" to cheat the gateways, without success...

Does anyone know if there is any way to do that?

Thank you and sorry for the mess. 

0 Kudos
12 Replies

Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

Hi,

have a look at the Identity Collector Alias Feature (Identity Awareness R80.20 Administration Guide), maybe pdp will query the right Account Unit if you map X.COM to Y.COM.

SEGI_ULg
Ivory

Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

You! You made my day 😉

Indeed, it looks like it is as simple as that... I've configured an Alias (X.COM=Y.COM) and now my gateways are fetching the user's groups on the right domain/DC.

So, now:

- Identity Collector fetches the identities from X.COM and sends them to the gateways as Y.COM users thanks to the alias

- The gateways then fetch the user's groups from Y.COM since they receive that from the Identity Collector

I still have some testing to make to be sure, but right now it's working!

Thank you very much.

0 Kudos

Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

It sounds like if I understood the setup, you would need to integrate domain Y into IDC and gateway rather than X. Domain Y still would have user and machine names to form groups? So you could build access roles based on AD-Y users, machines and groups.

0 Kudos
SEGI_ULg
Ivory

Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

By the way, I have a final question.

To get the groups I can either use ActiveDirectory or OpenLDAP (which are synchronised with the same information).

With ActiveDirectory I have no problem making it work, however I couldn't make it work with OpenLDAP.

Do you know if OpenLDAP is supported for this use case?

I've seen somewhere that I might need an additional licence to do that ("User Directory"), but I'm not sure about that.

Thanks a lot.

0 Kudos
Admin
Admin

Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

I don't believe there is anything about OpenLDAP that would make it inherently not work.

That said, I don't think we (or anyone else) has figured out how to make it work yet.

0 Kudos
SEGI_ULg
Ivory

Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

Hello,

I'm facing some problems again and this time I can figure out why it is not working.

I'm actually getting the identities from 2 different domains.

For one, everything is working smoothly.

But for the other, I'm "Connected" to the DCs and everything is green in the IDC, however I'm not getting any Events (it stays at "0").

I've been looking at the debug files for hours but I can't figure out why it's not working.

Any idea how to debug that?

One thing that came to my mind is that this Domain is an old "Single label domain name" (like "PRIV" is the full domain name).

Is it possible that this is not supported by the IDC?

Thank you in advance and have a great weekend ahead 🙂

0 Kudos
SEGI_ULg
Ivory

Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

Has anyone faced this case?

I'm still blocked on this even though I tried everything I could on the AD side: nothing to do -> 0 events are detected by the IDC... Knowing that there are at least 5k employees using this AD for login purposes, something is obviously going on.

Thx in advance to anyone that might have information about this particular scenario..
0 Kudos
SEGI_ULg
Ivory

Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

Thank you all for the great answers.

I could manage to make it work as I wanted with the Alias feature.

However, I also had to put a specific filter because after enabling the Alias feature (as X.COM=Y.COM), the IDC started to send me every association twice (one request as user@X.COM and one request as user@Y.COM). The problem is that when I receive the X.COM one as the second request, the domain is unknown and the association is dropped. It works with the filter though.

Not sure if this is a bug or not.

I also have another little problem with a command. I would like to refetch the groups every 5 or 10 minutes (default is 21600 seconds, which is a lot). I couldn't make this command work for some obscure reason 😞

[Expert@lab-fw1:0]# pdp update refetch_interval show
Ldap refetch interval is currently 21600 seconds

[Expert@lab-fw1:0]# pdp update refetch_interval set 600
Wrong argument format!
Ldap refetch interval was set to 21600 seconds
* In order to apply the change for all existing sessions, please run 'pdp update all'

Every time I get a "Wrong argument format!" whatever I try. I will handle that with a cron.

Thank you to everyone 🙂

0 Kudos
Ivo_Hrbacek
Nickel

Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

hello @SEGI_ULg,

have you managed somehow issue with pdp update refetch_interval set 600? I wanna change it as well and that cmd is even undocumented in IA guide for r80.20..

thx for info

ivo

0 Kudos
SEGI_ULg
Ivory

Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

Hi,

Still haven't found any way to make it work.

I managed to do that with a cron until I find any clue how to use this command..
0 Kudos
Employee+
Employee+

Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

Hi,

As for "pdp update refetch_interval set" command, it seems that we have an issue with it in R80.20 and we will fix it in one of the next Jumbo Fixes.

Until a proper fix, you can use the following procedure:

To set the value without using the command, edit the file pdp_overriding_attrs.C, which should be located at $FWDIR/conf/pdp_overriding_attrs.C, or create it.

It is recommended to backup the file if it already exists before editing.

Add the key ldap_refetch_interval and the value you wish to set like so:

(
  : ldap_refetch_interval (600)
)

Thanks,

Royi Priov.

0 Kudos
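The file edit described in the post above, as an added Python helper (not Check Point's own tooling): it backs up $FWDIR/conf/pdp_overriding_attrs.C, sets ldap_refetch_interval in the `( : key (value) )` layout quoted in the post, and creates the file if it is missing. The helper names, the fallback to the current directory when FWDIR is unset, and the validation rules are assumptions; `pdp update all` still has to be run afterwards, as the command output earlier in the thread notes.

```python
"""Set ldap_refetch_interval in a pdp_overriding_attrs.C-style file.

Added example, not Check Point's own tooling. Assumes the "( : key (value) )"
layout quoted in the post and the $FWDIR/conf/pdp_overriding_attrs.C location
(FWDIR is read from the environment, falling back to "." for trying it out).
"""
import os
import re
import shutil
from pathlib import Path

KEY = "ldap_refetch_interval"
# One ": key (value)" entry per line, as in the fragment from the post.
ENTRY_RE = re.compile(r"^\s*:\s*(\w+)\s*\((.*?)\)\s*$", re.MULTILINE)
DEFAULT_PATH = Path(os.environ.get("FWDIR", ".")) / "conf" / "pdp_overriding_attrs.C"


def parse_attrs(text: str) -> dict:
    """Return {key: value} for every ': key (value)' entry in the file text."""
    return {m.group(1): m.group(2).strip() for m in ENTRY_RE.finditer(text)}


def set_attr(text: str, key: str, value: str) -> str:
    """Return the text with key set to value: replaced in place if present,
    appended before the closing ')' otherwise; empty text gets a new wrapper."""
    entry = f"\t: {key} ({value})"
    if key in parse_attrs(text):
        pattern = rf"^\s*:\s*{re.escape(key)}\s*\(.*?\)\s*$"
        return re.sub(pattern, lambda _m: entry, text, flags=re.MULTILINE)
    body = text.rstrip()
    if not body:
        return f"(\n{entry}\n)\n"
    if not body.endswith(")"):
        raise ValueError("unexpected layout: file does not end with ')'")
    return body[:-1].rstrip() + f"\n{entry}\n)\n"


def set_refetch_interval(seconds: int, path: Path = DEFAULT_PATH) -> dict:
    """Back up the file if it exists (as the post recommends), write the new
    interval and return the resulting attributes. Run 'pdp update all' after."""
    if not isinstance(seconds, int) or seconds <= 0:
        raise ValueError("refetch interval must be a positive number of seconds")
    text = ""
    if path.exists():
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        text = path.read_text()
    path.parent.mkdir(parents=True, exist_ok=True)
    new_text = set_attr(text, KEY, str(seconds))
    path.write_text(new_text)
    return parse_attrs(new_text)
```

Calling `set_refetch_interval(600)` on the gateway reproduces the 600-second setting from the post while keeping any other entries already in the file.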
Ivo_Hrbacek
Nickel

Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

Hi,

ok this is working, tested today..

thx for info!

ivo

0 Kudos