Chandhrasekar_S
Collaborator

AD authentication for device management

Hi All,

Can we just use AD groups for Checkpoint gateways and management server authentication?

Do we need to have a full AAA server like RADIUS/TACACS for authentication?

Will we not be able to configure RBAC using AD groups, without an AAA server?

Please let me know

Thanks,

Chandru

7 Replies
PhoneBoy
Admin

Active Directory cannot be used to manage Check Point devices or authenticate via SmartConsole except when configuring specific features that require this.

Otherwise, you need to use RADIUS/TACACS+ (which, of course, could be backed by AD).

Ron_Izraeli
Employee

Actually we started collecting requirements for management server authentication with AD.

You are welcome to contact me by mail.

Chandhrasekar_S
Collaborator

Thanks Ron. Will contact you over email.

Oscar_Medina1
Contributor

Hi Ron Izraeli. I realize this post is old, and wonder if the feature you mentioned (authenticating against AD) is now available? I am trying to plan and design the authentication for our CheckPoint Management Servers which are all in Azure cloud. Any guidance is super appreciated!

Cheers,
@SharePointOscar

PhoneBoy
Admin

Nothing has changed in this regard so far.

Ron Izraeli is collecting requirements for later releases, though.

Oscar_Medina1
Contributor

Hi Dameon Welch Abernathy. Got a quick question for ya. I am trying to leverage any Azure capabilities that may help streamline setup of administrator accounts for the management servers we have.

As of now, I've set up a VPN (P2S) to our hub vNET which allows access to the Azure resources including those Management Servers. My VPN setup simply uses Certificates, so my root CA is stored in AzureVault. I plan to distribute a different client certificate for each user who will administer the CheckPoint Management servers.

However, I see that CheckPoint SmartConsole (which I assume uses the API) allows for creating an account and includes the ability to create a certificate for said user. My question is: can I import an existing user certificate created on KeyVault and map it to a given administrator account via the CLI? If so, what would that look like? I checked the API and only saw the ability to create an administrator account using password...

Any guidance is super appreciated,
@SharePointOscar

PhoneBoy
Admin

You should ask this question in Developers (Code Hub).

Offhand, I'm not sure this is possible.
