Captive portal for linux SSH or Terminal windows
Hi there,
Is anyone aware of any mechanism that exists to leverage Identity Awareness when I would like to pass through a firewall with Captive Portal enabled while using SSH or Linux with no GUI terminal?
With a browser, yes, it's pretty much possible; but what if the GUI is not available?
Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Accepted Solutions
Captive Portal is made for browser-based auth only - you could do an RFE here: Products and Feature Suggestions
Okies and thanks for the reply.
Blason R
CCSA,CCSE,CCCS
Going back to "Captive Portal is made for Browser Based Auth only".
While this is perfectly true, browser communication in the end is just HTTP GET and HTTP POST requests.
If we were to capture an HTTP session between, let's say, a Windows-supported browser and the IDA portal auth, with Fiddler or similar, then extract and replicate the HTTP POST of the authentication itself, and then script that into the Linux CLI box?
Would this work?
AFAIK, Captive Portal does not require any ongoing resources (keep-alive window open / cookie validation / etc.) and once the IP and username have been linked on the FW side, it remains so until the configured session timeout.
Perhaps you can script up something that gives your Linux machine an identity?
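The two posts above both suggest scripting the portal login from the Linux box. The script below is an added example, not code from this thread or from Check Point, and it shows the part that a "replay the captured POST" approach tends to miss: the login page usually carries values of its own (a hidden token, cookies, the form action) that have to be harvested fresh and sent back with the credentials. The portal URL (gateway.example.test), the form path /connect/Login, the field names username/password/token and the sample HTML are all assumptions constructed for illustration; capture the real exchange with Fiddler or mitmproxy first and adapt the names.

```python
"""Replay a captive-portal login from a Linux CLI box.

Added example, not Check Point code. The portal URL, form path, field names
and SAMPLE_PORTAL_HTML below are ASSUMPTIONS made for illustration; capture
the real browser exchange and adjust them.
"""
import getpass
import http.cookiejar
import sys
import urllib.parse
import urllib.request
from html.parser import HTMLParser

# Constructed sample of what a portal login page might contain (NOT a real
# Check Point page): a form with a hidden anti-replay token and two inputs.
SAMPLE_PORTAL_HTML = """
<html><body>
<form id="loginForm" method="post" action="/connect/Login">
  <input type="hidden" name="token" value="a1b2c3">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
</body></html>
"""


class LoginFormParser(HTMLParser):
    """Collect the first <form>'s action and every named <input> inside it."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self._in_form = True
            self.action = a.get("action") or ""
        elif tag == "input" and self._in_form and a.get("name"):
            # Keep server-supplied hidden values (tokens, ids); blank out user inputs.
            hidden = (a.get("type") or "").lower() == "hidden"
            self.fields[a["name"]] = (a.get("value") or "") if hidden else ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def build_login_request(portal_url, html, username, password):
    """Return (post_url, form_dict) for replaying the portal's login POST.

    Hidden fields from the page are preserved; only the credential fields are
    filled in. The names 'username' and 'password' are an assumption: take
    the real ones from the captured POST body.
    """
    p = LoginFormParser()
    p.feed(html)
    if p.action is None:
        raise ValueError("no login form found on portal page")
    form = dict(p.fields)
    form["username"] = username
    form["password"] = password
    return urllib.parse.urljoin(portal_url, p.action), form


def portal_login(portal_url, username, password, timeout=10):
    """GET the portal page, then POST the login with the cookies carried over.

    Returns the HTTP status of the POST. Needs a reachable gateway, so it is
    not exercised offline. TLS verification is left at the default (on):
    install the gateway's CA on the box rather than disabling it.
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(portal_url, timeout=timeout) as r:
        html = r.read().decode("utf-8", "replace")
    post_url, form = build_login_request(portal_url, html, username, password)
    data = urllib.parse.urlencode(form).encode()
    with opener.open(urllib.request.Request(post_url, data=data), timeout=timeout) as r:
        return r.status


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "https://gateway.example.test/connect"
    print(portal_login(url, input("Username: "), getpass.getpass()))
```

Run it as `python3 portal_login.py https://<gateway>/<portal-path>` from the server that needs an identity. The session the gateway creates is tied to the source IP, so, as the post above notes, nothing has to stay running afterwards; re-run the script from cron or a login hook before the configured session timeout if the identity needs to persist.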
Thanks buddy!!
Blason R
CCSA,CCSE,CCCS
In older times there was the possibility to telnet to port 259 on the gateway. This worked via a rule with "Client Auth" as the action...
This very old document gives a good description of how to configure it:
http://downloads.checkpoint.com/dc/download.htm?ID=12297
But with "Client Auth" there are some limitations, shown in sk115961.
We had customers using this with R77.30, but never tried on R80.xx
You can find another answer in sk115242: the Linux user can use the supported SNX build for Linux CLI implementation from sk90240 (Build 800007075) instead of the Captive Portal! See also SSL Network Extender E75 CLI Support for Mobile Access Blade Release Notes.
Well, the use case here is: we have a customer whose servers are placed in the DMZ, and users can access the DMZ servers; since those servers have outbound HTTPS access open, the users do SSL tunneling to certain sites and access them that way. I understand we can harden it on SSH by disabling SSH port forwarding, but I see cases where the user has set up a Squid proxy on a server, and since the server has ANY access to HTTP/HTTPS, they are able to access the internet through it.
Hence, even if they SSH into the server, I'm wondering whether Captive Portal could have been a better option for accessing the Internet.
Blason R
CCSA,CCSE,CCCS
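The post above mentions disabling SSH port forwarding as one hardening step. The script below is an added example, not from this thread or from Check Point, that audits an sshd_config for the forwarding directives that let a DMZ server be used as a tunnel (AllowTcpForwarding, AllowAgentForwarding, GatewayPorts, PermitTunnel, X11Forwarding), applying sshd's rule that the first occurrence of a directive wins and filling in the documented defaults when a directive is absent. The two config texts are constructed samples, one weak and one hardened. It only covers the sshd half of the post: a proxy such as Squid that the user starts on the host is outside sshd's control and needs the outbound rule on the gateway tightened instead.

```python
"""Audit sshd_config for forwarding options that turn a DMZ host into a tunnel.

Added example, not from the thread or from Check Point. WEAK_CONFIG and
HARDENED_CONFIG are constructed samples for illustration.
"""

# Defaults from sshd_config(5) for the directives that matter here.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "allowagentforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "x11forwarding": "no",
}
# What a hardened jump / DMZ host should carry for each of them.
WANTED = {key: "no" for key in DEFAULTS}

WEAK_CONFIG = """
# constructed sample: stock defaults plus an explicit opt-in to tun devices
Port 22
AllowTcpForwarding yes
PermitTunnel point-to-point
"""

HARDENED_CONFIG = """
# constructed sample: every forwarding path switched off globally
Port 22
AllowTcpForwarding no
AllowAgentForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
"""


def parse_sshd_config(text):
    """Return {directive_lowercase: value} for the global section.

    sshd honours the FIRST occurrence of a directive, so setdefault() keeps
    the first value seen. Everything after the first 'Match' line belongs to
    a Match block and is skipped here; audit those blocks separately.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        # sshd_config accepts "Keyword value" or "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def forwarding_findings(text):
    """Return [(directive, effective_value)] for every directive not set to 'no'.

    Absent directives are evaluated at their sshd default, which is how a
    stock config ends up with TCP and agent forwarding enabled.
    """
    settings = parse_sshd_config(text)
    findings = []
    for key, default in DEFAULTS.items():
        effective = settings.get(key, default).lower()
        if effective != WANTED[key]:
            findings.append((key, effective))
    return findings


if __name__ == "__main__":
    import sys
    source = sys.stdin.read() if len(sys.argv) == 1 else open(sys.argv[1]).read()
    for directive, value in forwarding_findings(source):
        print(f"{directive} = {value} (want no)")
```

Run it against the effective configuration rather than the file alone, since defaults and Match blocks are resolved by the daemon: `sshd -T | python3 sshd_forwarding_audit.py` (sshd -T prints the fully resolved settings, so the Match caveat does not apply there). An empty result means the forwarding directives are off; the outbound HTTP/HTTPS rule for the server is a separate check on the gateway.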
RDP sessions to jump hosts in SCADA environments are another use case. I used to configure Client Auth with RSA MFA just for that purpose. Is this no longer possible in R80?
Client Auth still exists in R80.x but if memory serves, it can cause weird issues with your policy if you are using layers. We still have Client Auth rules in a couple of policies and I seem to remember testing things on a lab GW and being given some error when I tried to mix layers and Client Auth rules.
So, while the feature is still there, it may interfere with your ability to make use of newer Check Point features.