This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maarten_Sjouw
Champion
Champion
‎2019-01-10 04:52 AM

Multi-domain Admin user authentication to AD?

Is there a possibility to use ad AD connection to authenticate Admin users for a Multi Domain environment? Currently we use a TacAcs solution but this mean an additional server in between the MDS and the AD.

Regards, Maarten
14 Replies
Jerry
Mentor
Mentor
‎2019-01-10 05:59 AM

of course you can with IA Blade Smiley Happy Admin for MDS means priviledged-user (Super User) not Domain Admin from AD - just bear in mind. All written and explained in R80.xx Management Admin Guide.

ps. R80.xx has no MDS (R77.xx has) so all you need is Identity for certain users and giving them Super User rights by Management Permissions and Administrators (unless you refer to R77.xx where it is actually quite similar afaik)

one more thing, if you're talking AD you talking LDAP you know that?

otherwise TACACS and RADIUS are also supported.

Jerry
Chris_Atkinson
Employee Employee
Employee
‎2019-01-10 06:32 AM
In response to Jerry

Hi please refer sk63166: LDAP Administrator login for GUI Clients.

 

As I recall this (OS password) used to be an option only for security management installations based on Windows (not GAiA).

 

/Edit: Please refer sk145392

CCSM R77/R80/ELITE
Maarten_Sjouw
Champion
Champion
‎2019-01-10 08:05 AM
In response to Jerry

Oh yeah whats in a name, Provider 1, still used in the code? MDS, R77.30 or MDSM for R80.x?

Which one I don't really care also I did not know we were limited to R80 here.

We have our users setup with a Tacacs server and we are lookin g to replace it by a direct connection to an AD server so we can kick the middle man.

I never configured IA on a global level and do not know if it can be done, as that is what I would need to get the abiolity to check the user with the AD.

We are not talking about WebUI or CLI here but really SmartDashboard or SmartConsole users.

From SK63166 it seems the only option is a Radius server, which is again a middleman.

Regards, Maarten
0 Kudos
Yaelle_Harel
Employee Alumnus
Employee Alumnus
‎2019-01-13 08:34 AM

Hi All,

Indeed currently login to Smart Console with AD authentication is not support by default as part of the GA product.

However, we have recently developed a solution that is offered in a limited availability due to limitations that might apply to some of the customers.

In order to get this solution you can approach Check Point solution center. We recommend waiting for R80.30 but in case you need it on top of R80.20 we can also consider it.

Thanks,

Yaelle  Harel |  Group Manager

Check Point Software Technologies | Management Product

Jeff_Gao
Advisor
‎2019-07-01 11:16 PM
In response to Yaelle_Harel

R80.30 still not supported login GUI/WEB/CLI or smartconsole byldap authentication. I already want to Tsukkomi.Why can't checkpoint add this feature
Maarten_Sjouw
Champion
Champion
‎2019-07-01 11:51 PM
In response to Yaelle_Harel

@Yaelle_Harel I do not see the option in SmartConsole to choose a LDAP server/account uinit for authentication in R80.30 multi domain?
Has this been moved on to the next Jumbo or next version?
Regards, Maarten
Yaelle_Harel
Employee Alumnus
Employee Alumnus
‎2019-07-02 01:04 AM
In response to Maarten_Sjouw

Hi,

The feature was released in limited availability, therefore, in order to activate it you should contact solution center.

It doesn't require any additional installation, just activation.

 

Thank you

 

Yaelle

 

Jeff_Gao
Advisor
‎2019-07-02 07:49 AM
In response to Yaelle_Harel

@Yaelle_Harel How to contact solution center,thanks
Yaelle_Harel
Employee Alumnus
Employee Alumnus
‎2019-07-04 04:01 AM
In response to Jeff_Gao

Hi

I asked someone from solution center to reply as I'm not familiar with the procedures.

Thanks

Yaelle

Maarten_Sjouw
Champion
Champion
‎2019-10-17 07:21 AM
In response to Yaelle_Harel

@Yaelle_Harel, I've been playing with the AD connection but I'm having some issues getting it to work. I created a LDAP account Unit with MS-AD config as you would for Identity Awareness.
After this we wanted to make some changes in this configuration but a tcpdump shows that nothing that we change is taking effect.
The only thing we come back to all the time is that a install database is not done to the management servers, the publish is not making any changes.
We have enabled SSL for instance, but the tcpdump just keeps showing the 389 port.
O I think when you enable this you need to be 100% sure your config is done right the first time as changes done afterwards are not reflected in the working.

@Ofer_Barzvi, please have this option (Install database on the Global policy) enabled ASAP??

Regards, Maarten
0 Kudos
Yaelle_Harel
Employee Alumnus
Employee Alumnus
‎2019-10-23 02:38 AM
In response to Maarten_Sjouw

Hi Maarten,

Thank you for the important feedback. In order to address your question some more information is needed.

I moved to a new role, but I have sent you the email address of the person who replaced me. You can contact him directly or continue the discuss here, as you prefer.

 

Thank you

 

Yaelle

 

 

Wolfgang
Authority
Authority
‎2020-01-23 11:12 PM
In response to Maarten_Sjouw

Does anyone knows if authentication to an ActiveDirectory for SmartConsole-Admins without using TACACS or RADIUS is still a secret or is it available in R80.30 ?

If yes, following question will be how can we activate this ?

Wolfgang

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-01-24 04:26 AM
In response to Chris_Atkinson

There is still the bit missing to turn it on, I'm not sure if I'm allowed to post that part here.
Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top