Rick_Rodrix
Nickel

Using ldap for user authentication on vpn checkpoint

Hello everyone!
Please help!!
At this moment I'm using Checkpoint local users to connect to the Client-to-site VPN.
But I want to improve this and change the whole method of VPN authentication to LDAP.
For test purposes, I already have a group on AD which we share with Checkpoint, so we are able to do that and it really works.
For now, I don't want to ask the AD admin to create AD groups every time we are asked to provide VPN access.
Is there a way to add AD users to a VPN rule without using an AD group?
Let me explain better: we are a big organization, so we have different kinds of users with different needs, so we need to create different kinds of access groups. Since I know that VPN rules only accept legacy users in groups, I'd like to know if there's a way to designate some AD users directly in firewall rules, or a way to do this without contacting the AD admin to create the groups.

Thanks in advance!

Checkpoint r77.30

2 Replies

Re: Using ldap for user authentication on vpn checkpoint

When you have Identity Awareness set up and connected to your AD, you can create access roles; within those roles you can add individual users and/or groups and/or machines to allow certain traffic. So, in other words, yes, this is possible.
Regards, Maarten
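To make the access-role idea in the reply above concrete, here is an added illustration (not Check Point code and not from either poster): a small Python model of how an access role is evaluated against an identity. A role matches when any of its selectors (named user, group membership, or connecting machine) matches, which is exactly why a role built on "Domain Users" grants every account in the domain, while a role listing specific users or a purpose-built group stays narrow. The directory snapshot, user names, group names and machine names are all constructed sample data.

```python
"""Toy model of Identity Awareness access roles (illustration only, not Check Point code).

A role matches an identity when ANY of its selectors matches:
  - the user name itself,
  - a group the user is a member of,
  - the machine the user connects from.
The directory snapshot below is constructed sample data, with nested group
membership already flattened into the per-user set.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed AD snapshot: user -> groups the user belongs to.
DIRECTORY: Dict[str, Set[str]] = {
    "alice": {"Domain Users", "VPN-Finance"},
    "bob": {"Domain Users", "VPN-Engineering"},
    "svc-backup": {"Domain Users"},   # service account, should never get VPN
    "mallory": {"Domain Users"},      # any freshly created account is here too
}


@dataclass(frozen=True)
class AccessRole:
    """One access role with user / group / machine selectors (all optional)."""
    name: str
    users: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    machines: FrozenSet[str] = frozenset()

    def matches(self, user: str, machine: Optional[str] = None) -> bool:
        """True when any selector of this role applies to the identity."""
        if user in self.users:
            return True
        if DIRECTORY.get(user, set()) & self.groups:
            return True
        if machine is not None and machine in self.machines:
            return True
        return False


def who_matches(role: AccessRole) -> List[str]:
    """Every directory user the role would let through (ignoring machine selectors)."""
    return sorted(u for u in DIRECTORY if role.matches(u))


def excess_identities(broad: AccessRole, narrow: AccessRole) -> List[str]:
    """Users granted by the broad role that the narrow role would not grant."""
    return sorted(set(who_matches(broad)) - set(who_matches(narrow)))


# Hypothetical roles: the "Domain Users" shortcut versus a scoped role that
# names one user directly and one purpose-built group.
BROAD_ROLE = AccessRole("all-domain-users", groups=frozenset({"Domain Users"}))
NARROW_ROLE = AccessRole(
    "finance-vpn",
    users=frozenset({"bob"}),
    groups=frozenset({"VPN-Finance"}),
)

if __name__ == "__main__":
    print("broad role matches: ", who_matches(BROAD_ROLE))
    print("narrow role matches:", who_matches(NARROW_ROLE))
    print("granted only by the broad role:", excess_identities(BROAD_ROLE, NARROW_ROLE))
```

Running it shows the service account and the freshly created account both slipping through the "Domain Users" role, while the scoped role admits only the two intended users; the `users` selector is what lets you name an AD account directly without a new group.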
Rick_Rodrix
Nickel

Re: Using ldap for user authentication on vpn checkpoint

Well, I do know that. I'm getting some success in this research. At this time, I discovered that for the first step, I need to allow AD users to connect in Remote Access, so I made this work by adding the AD group "Domain Users" in Remote Access. But right now, every single account is able to log in on Remote Access. I did an individual account access role and added it to a rule, and it is working now; I was able to access my host. But I was wondering if enabling the whole AD group "Domain Users" to connect to Endpoint Security is a good idea for security reasons.
Is it a best practice to put this kind of rule at the top of the rule table?

I'm just wondering why no one had this question before; I didn't find any message about this.
