This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JulzorenSen
Contributor
‎2019-03-06 05:38 AM

Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

Hi everybody,

I've recently started to put my hands on the Identity Awareness Blade, exploring all the possibilities that it offers (Captive Portal, custom via API, etc...).

I've been working on the Identity Collector scenario for a few days, which is the one that fits our needs the better.

Identity Collector is up and running, collecting identities from some AD and injecting that in some of my CheckPoint gateways. I've created the LDAP Account Unit which is also working, and I can now use the AD groups as a "Source" in my rules which is what I was looking for. Pretty basic stuff and it's working great right now.

But... 

Our production deployment is more complex than that and is pretty unusual (historical reasons, you know what I mean..). Basicly, without entering into the details, what I would like to do is to :

  • Fetch the Identities from domain X.COM (ActiveDirectory)
  • Fetch the users associated groups from domain Y.COM (ActiveDirectory OR OpenLDAP)

I know this looks weird, but all those parts are handled by different teams in a complex environment and is not subject to changes in a near future, so I try to deal with it.

X.COM is the "real" domain where the PC's are registered (so it contains the identities).

Y.COM is a domain that acts as a pure LDAP for authentication and authorization purposes ONLY, all the groups are defined here and only here. (ActiveDirectory or OpenLDAP, we have both to serve this task)

So, here is my question : is it possible to do that?

I've tried to configure my LDAP Account Units with Y.COM, but it's never looking into it (I suppose it has to match the users domain received from the Identity Collector... right?)

I tried differents "hacks" to cheat the gateways, without success...

Does anyone knows if there is any way to do that?

Thank you and sorry for the mess. 

0 Kudos
16 Replies
Benedikt_Weissl
Advisor
‎2019-03-06 08:40 AM

Hi,

have a look at the Identity Collector Alias Feature (Identity Awareness R80.20 Administration Guide), maybe pdp will query the right Account Unit if you map X.COM to Y.COM.

JulzorenSen
Contributor
‎2019-03-07 12:30 AM
In response to Benedikt_Weissl

You! You made my day 😉

Indeed, it looks like it is as simple as that... I've configured an Alias (X.COM=Y.COM) and now my gateways are fetching the user's groups on the right domain/DC.

So, now :

- Identity Collector fetches the identities from X.COM and send them to the gateways as Y.COM users thanks to the alias

- The gateways then fetches the user's groups from Y.COM since it receive that from the Identity Collector

I still have some testing to make to be sure, but right now it's working!

Thank you very much.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2019-03-06 09:06 PM

It sounds like if I understood the setup, you would need to integrate domain Y into IDC and gateway rather than X. Domain Y still would have user and machine names to form groups? So you could build access roles based on AD-Y users, machines and groups.

0 Kudos
JulzorenSen
Contributor
‎2019-03-07 12:50 AM

By the way, I have a final question.

To get the groups I can either use ActiveDirectory or OpenLDAP (which are syncronised with the same informations).

With the ActiveDirectory I have no problem to make it work, however I couldn't make it with the OpenLDAP.

Do you know if OpenLDAP is supported for this use case?

I've seen somewhere that I might need an additionnal licence to do that ("User Directory"), but I'am not sure about that.

Thanks a lot.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-09 08:47 AM
In response to JulzorenSen

I don't believe there is anything about OpenLDAP that would make it inherently not work.

That said, I don't think we (or anyone else) has figured out how to make it work yet.

0 Kudos
JulzorenSen
Contributor
‎2019-03-15 07:55 AM
In response to PhoneBoy

Hello,

 

I'm facing some problems again and this time I can figure out why it is not working.

I'am actually getting the identities from 2 differents domains.

 

For one, everything is working smoothly.

 

But for the other, I'am "Connected" to the DCs and everything is green in the IDC, however I'm not getting any Events (it stays at "0").

 

I've been looking at the debug files for hours but I can't figure out why it's not working.

Any idea how to debug that?

 

One thing that came to my mind is that this Domain is an old "Single label domain name" (like "PRIV" is the full domain name).

Is it possible that this is not supported by the IDC?

 

Thank you in advance and have a great week end ahead 🙂

0 Kudos
JulzorenSen
Contributor
‎2019-04-01 01:05 PM
In response to JulzorenSen

Does anyone has faced this case?

I'am still blocked on this even though i tried everything i could on the AD side : nothing to do -> 0 events are detected by the IDC... Knowing that there is at least 5k employees using this AD for login purpose, something is obviously going on.

Thx in advance to anyone that light have information about this particular scénario..
0 Kudos
JulzorenSen
Contributor
‎2019-03-11 12:08 AM

Thank you all for the great answers.

I could manage to make it works as i wanted with the Alias feature.

However, I also had to put a specific filter because after enabling the Alias feature (as X.COM=Y.COM), the IDC started to send me every association in double (one request as user@X.COM and one request as user@Y.COM). The problem is that when I receive the X.COM as the second request, domain is unknown and association is dropped. It works with the filter though.

Not sure if this is a bug or not.

I also have another little problem with a command. I would like to refetch the groups every 5 or 10 minutes (default is 21600 seconds, which is a lot). I couldn't make this command works for some obscure reasons 😞

[Expert@lab-fw1:0]# pdp update refetch_interval show
Ldap refetch interval is currently 21600 seconds

[Expert@lab-fw1:0]# pdp update refetch_interval set 600
Wrong argument format!
Ldap refetch interval was set to 21600 seconds
* In order to apply the change for all existing sessions, please run 'pdp update all'

Everytime I get a "Wrong argument format!" whatever I try. I will handle that with a Cron.

Thank you to everyone 🙂

0 Kudos
Ivo_Hrbacek
Contributor
Contributor
‎2019-03-29 01:58 PM
In response to JulzorenSen

hello @JulzorenSen,

have you managed somehow issue with pdp update refetch_interval set 600? I wanna change it as well and that cmd is even undocumented in IA guide for r80.20..

thx for info

ivo

0 Kudos
JulzorenSen
Contributor
‎2019-04-01 01:01 PM
In response to Ivo_Hrbacek

Hi,

Still haven't found any way to make it works.

I managed to do that with a cron until I find any clue how to use this commande..
0 Kudos
Royi_Priov
Employee
Employee
‎2019-04-15 12:06 AM
In response to JulzorenSen

Hi,

 

As for "pdp update refetch_interval set" command, it seems that we have an issue with it in R80.20 and we will fix it in one of the next Jumbo Fixes.

Until a proper fix, you can use the following procedure:

To set the value without using the command, edit the file pdp_overriding_attrs.C , it should be located in $FWDIR/conf/pdp_overriding_attrs.C or create it.

It is recommended to backup the file if it already exists before editing.

Add the key ldap_refetch_interval and the value you wish to set like so:

(

: ldap_refetch_interval (600) 

)

 

Thanks,

Royi Priov.

Thanks,
Royi Priov
R&D Group manager, Infinity Identity
0 Kudos
Ivo_Hrbacek
Contributor
Contributor
‎2019-04-15 10:07 AM
In response to Royi_Priov

Hi,

ok this is working, tested today..

thx for info!

 

ivo

0 Kudos
Paul_Hagyard
Advisor
‎2022-11-29 05:13 PM
In response to Royi_Priov

Hi,

Is "pdp update refetch_interval set" documented anywhere? I can't see it in the R81.10 documentation and can't find it in SecureKnowledge. There seems to be a gap in the documentation about how ongoing updates for group membership works for endpoint/terminal server agents, the IA web API etc - I am guessing this command is the solution.

Thanks,

Paul

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-29 06:24 PM
In response to Paul_Hagyard

Even internally, there isn’t an SK that mentions it. 
However, if you’re using Identity Collector, I believe this is the solution: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Paul_Hagyard
Advisor
‎2022-11-29 06:32 PM
In response to PhoneBoy

Thanks, could you possibly ask around and see if someone could document this? In the meantime we'll see how the command behaves, or tweak $FWDIR/conf/pdp_overriding_attrs.C as suggested if needed (environment is R80.40, and as this is an older post it has hopefully been fixed)

We're not using IDC and will be moving away from ADQ to agents.

0 Kudos
Paul_Hagyard
Advisor
‎2022-12-05 05:22 PM
In response to Paul_Hagyard

After some time on a SR (6-0003465460) investigating formally how automatic updates should be done for IA endpoint and terminal server agents, the answer was:

  1. Use "pdp update all"
    (achieved with cron to run every 10 mins...)
  2. R&D don't have a proper fix on their roadmap, raise a RFE

Given how important identity-based access is over IP-based access I would have thought there would be clear mechanisms for managing group updates - ideally with a reasonable default covering all platforms and an ability to override for specific platforms.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events