This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
Leader
Leader
‎2019-03-21 07:53 AM
Jump to solution

Captive portal for linux SSH or Terminal windows

Hi there,

Is anyone aware if any mechanism exists to leverage Identity awareness when I would like to pass through Firewall with captive Portal enabled while using SSH or Linux with no GUI Terminal?

With browser Yes it's pretty much possible; but what if the GUI is not available?

 

Thanks and Regards,

Blason R

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2019-03-21 08:09 AM
Jump to solution

Captive Portal is made for Browser Based Auth only - you could do a RFE here: Products and Feature Suggestions

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

0 Kudos
13 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-03-21 08:09 AM
Jump to solution

Captive Portal is made for Browser Based Auth only - you could do a RFE here: Products and Feature Suggestions

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Blason_R
Leader
Leader
‎2019-03-21 08:11 AM
In response to G_W_Albrecht
Jump to solution

Okies and thanks for the reply.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Bogdan_Tatomir1
Contributor
‎2019-07-16 07:43 AM
In response to G_W_Albrecht
Jump to solution

Going back to "Captive Portal is made for Browser Based Auth only".

While this is perfectly true, browser communication in the end is just HTTP GET and HTTP POST requests.

If we would to capture a HTTP session between a, let's say Windows supported browser, and the IDA portal auth, with Fiddler or similar, and then extract and replicate the HTTP post of the authentication itself, and then script that into the linux cli box ?

Would this work ?

Afaik, Captive portal does not require any ongoing resources (keep-alive window open / cookies validation /etc) and once the IP and username have been linked on the FW side, it remains so until the configured session timeout.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-21 10:09 PM
Jump to solution

Identity Awareness has an API.
Perhaps you can script up something that gives your Linux machine an identity?
0 Kudos
Blason_R
Leader
Leader
‎2019-03-21 10:33 PM
In response to PhoneBoy
Jump to solution

Thanks buddy!!

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Wolfgang
Authority
Authority
‎2019-03-22 12:51 AM
Jump to solution

In the older times there was a possibility to telnet to port 259 on the gateway. This worked via a rule with "Client Auth" as action...

Client_Authentication.PNG

This very old document gives a good description of how to configure

http://downloads.checkpoint.com/dc/download.htm?ID=12297

But with "Client Auth" there are some limitations shown in sk115961

We had customers using this with R77.30, but never tried on R80.xx

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-03-22 01:08 AM
In response to Wolfgang
Jump to solution

You can find another answer in sk115242: The Linux user can use the supported SNX build for Linux CLI implementation from sk90240 (Build 800007075) instead of the Captive Portal ! See also SSL Network Extender E75 CLI Support for Mobile Access Blade Release Notes.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-22 08:40 AM
In response to Wolfgang
Jump to solution

Client Auth has been deprecated. That said, there are a few use cases where Client Auth still makes sense (like this one).
0 Kudos
Blason_R
Leader
Leader
‎2019-03-25 09:05 PM
In response to PhoneBoy
Jump to solution

Well, the use case here is; since we have a customer whose servers are placed in DMZ and then users can access the DMZ servers and then since those are servers have outbound https access opens they do SSL Tunneling to certain sites and access it. I understand we can harden it on SSH bu disabling SSH Port forwarding but I see cases where the user has setup Squid proxy on a server and since the server has ANY Access to http/https they are able to access the internet through it.

Hence even if they take SSH of the server wondering if Captive portal could have been a better option for accessing the Internet?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-26 03:18 PM
In response to Blason_R
Jump to solution

SSH can also be a SOCKS proxy as well, so there's another potential hole to close.
0 Kudos
Ken_Dickey
Explorer
‎2019-03-28 06:41 AM
In response to PhoneBoy
Jump to solution

RDP sessions to jump hosts in SCADA environments is another use case.  I used to configure Client Auth with RSA MFA just for that purpose.  Is this no loner possible in R80?

0 Kudos
Daniel_Taney
Advisor
‎2019-03-28 08:38 AM
In response to Ken_Dickey
Jump to solution

Client Auth still exists in R80.x but if memory serves, it can cause weird issues with your policy if you are using layers. We still have Client Auth rules in a couple of policies and I seem to remember testing things on a lab GW and being given some error when I tried to mix layers and Client Auth rules. 

So, while the feature is still there, it may interfere with your ability to make use of newer Check Point features. 

R80 CCSA / CCSE
0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-28 11:07 AM
In response to Daniel_Taney
Jump to solution

Yes, it will.
Refer to: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events