Hey Vladimir,

I do know in my readings that the collector only gets events from the domain security logs (user login/logout info). The collector then sends these usernames to the gateways to match it with an IP address BUT its only one part of the total equation. The gateway still needs match this username to  AD groups and memberships hence the need for the LDAP account unit. Once you have this piece you can make access role objects and query anything in the AD directory for the gateway to enforce.

Josh

Hey Phoneboy,

Once IC is implemented, Admin account is still needed onto LDAP account unit to perform LDAP lookups?

I saw on @Peter_Elmer videos that he switched to a non admin account onto LDAP account unit.

Last question, Will Captive Portal get identities correctly if LDAP account unit has not configured an Admin Account?

Thank you

Hey,

In regards to AD account used to configure IC to read Login data from AD, our account is not an admin account (is just allowed to read the AD logs) therefore I would say that you don't require an Admin account like it was needed with AD Query. 

(we use same account for LDAP objects)

I can't answer on Captive Portal as we don't use it, we only get AD and ISE data into IA via IC 🙂 .

Ty,

The LDAP lookup piece has never required admin privileges, only the WMI piece.

Hello @checkpoint_chec ,

Best to look at the flow of events from the start: 

• user logging on to his/her computer (user@machine@IP_Address)
• Windows OS verifies login credentials with AD Server (given computer can reach AD Server)
• AD server is writing a security event log message
• ID Collector has subscribed to read these login events and learns that user@machine@IP_Address is existing.
  • The ID Collector requires a userID for this subscription that is part of the Event Log Readers AD Group
• ID Collector is forwarding this information to PDP instance on the gateway
• PDP instance runs LDAP(s) group membership lookup against AD Server
  • The PDP requires a userID for this group membership query that has read access to relevant directories in the AD containing users, machines, user groups and/or machine groups. In all my projects a regular domain user account was sufficient here.
• PDP learns group membership of the relevant user/machine from AD and checks which Access Role object is matching for this user@group@machine@IP_Address
• PDP creates ID Session (run cli 'pdp monitor' to see the evidence
• PDP shares this ID Session with PEP instances who have subscribed to it for getting information about ID Sessions

I created videos on sk179544 showing the above flow and related configuration.

When using the Captive Portal the same as above is taking place, besides the Login Event is signalized by the client browser connecting to the portal. The user is providing credentials and the PDP is sending those to the AD Server. In case AD server authenticates the user, then the PDP is starting the authorization process and runs LDAP(s) group membership queries. Here, just like above, domain user access rights are sufficient. 

Note the LDAP Account Unit object is holding the userID credentials the PDP uses to run the LDAP(s) group membership queries.

best regards

peter (pelmer)

Hello Peter,

we need to deploy in  around 20 CMA same LDAP Account Units.... to facilitate the process, we create the LDAP AU objects in Global Domain, but it seems that the LDAP AU cannot be selected in the User Directory tab in authentication method (they are not visible)... is there any limitation on this? 

thank you

from User Directory tab we got: 

Looks like this is expected behavior: https://support.checkpoint.com/results/sk/sk181042
You need to set the priority in the object at the global level (not the local one).

yes i'm aware about that sk, but i left default values.... TAC Case araised