Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Blason_R
Leader
Leader
Jump to solution

SmartConsole AD Authentication

Hello folks,

I have integrated Active directory with Checkpoint R80.10. So can I use the active directory user log in for smart console. I do not have radius server. Please let me know Is it possible and how?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
2 Solutions

Accepted Solutions
SantiagoPlatero
Collaborator

Hi Blason R, I actually had implemented the option told by Norbert Bohusch in my environment:

a Windows Server with the NPS role installed on a separate server of the domain controller (I believe putting the NPS in a DC is a big NO-NO).

Also as Norbert says the NPS role is essentially a Radius server, so you have to follow the instructions for "Configuring a RADIUS Server for Administrators" from the Admin Guide:

- Create a Radius Server object with a shared secret on the SmartConsole

- In the NPS server create a Radius Client with the Management/SmartCenter IP address and obviously the same shared secret from above

- Create a Connection Policy with at least a condition (for example the NAS IPv4 address as the IP address of mgmt) with EAP-MSCHAP as authentication method

- Create a Network Policy with also at least the same condition above (but I also configure a condition for the users must be members of an specific AD group)

- Create an administrator on the SmartConsole with a username format like <AD domain>\<AD user> and Radius as authentication method

Then you can login using the <AD domain>\<AD user> as user name and your AD password as password.

Hope it helped

View solution in original post

PhoneBoy
Admin
Admin

I just recently became aware of this SK that provides a mechanism for authenticating SmartConsole users with Active Directory.
It is supported from R80.20 JHF, but has some limitations, and thus won't be appropriate in every situation.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

View solution in original post

10 Replies
Norbert_Bohusch
Advisor
You could use Microsoft NPS (Network Policy Server = Radius Server) on either DC or separate Server.


0 Kudos
SantiagoPlatero
Collaborator

Hi Blason R, I actually had implemented the option told by Norbert Bohusch in my environment:

a Windows Server with the NPS role installed on a separate server of the domain controller (I believe putting the NPS in a DC is a big NO-NO).

Also as Norbert says the NPS role is essentially a Radius server, so you have to follow the instructions for "Configuring a RADIUS Server for Administrators" from the Admin Guide:

- Create a Radius Server object with a shared secret on the SmartConsole

- In the NPS server create a Radius Client with the Management/SmartCenter IP address and obviously the same shared secret from above

- Create a Connection Policy with at least a condition (for example the NAS IPv4 address as the IP address of mgmt) with EAP-MSCHAP as authentication method

- Create a Network Policy with also at least the same condition above (but I also configure a condition for the users must be members of an specific AD group)

- Create an administrator on the SmartConsole with a username format like <AD domain>\<AD user> and Radius as authentication method

Then you can login using the <AD domain>\<AD user> as user name and your AD password as password.

Hope it helped

Carsten_Weber
Contributor

Still not possible the way you want to do it.

See the documentation R80.10 Management Admin Guide, Section: Configuring Authentication Methods for Administrators

Same goes for R80.20 Management Admin Guide, Section: Configuring Authentication Methods for Administrators

I did hear that request/question from every customer who was thinking about moving away from local OS accounts. And it is the first question that comes to mind, always.

I do struggle to understand this approach, however. I reckon that there is a very good reason behind this, though. I'm sure. 100%. No doubt.

Could someone knowing(!) the reasons please elabotrate about this?

Maybe it is about, who has control over the authorizing system and it's security measures and options (2FA, etc.)

Smartin
Explorer
how did you get smartconsole to log in with AD? I can't find a good guide
0 Kudos
PhoneBoy
Admin
Admin
You cannot directly authenticate SmartConsole with AD users.
You can, however, use a RADIUS server that is tied into AD (like Microsoft NPS) as a go-between.
The answer I've marked in this thread as "correct" is a good place to start.
0 Kudos
Maarten_Sjouw
Champion
Champion
There is a way in R80.20 and R80.30, but you have to ask for the activation method, with you local SE's.
Regards, Maarten
0 Kudos
Chris_Atkinson
Employee Employee
Employee

For reference this has been discussed previously in another thread, see here:

https://community.checkpoint.com/t5/General-Management-Topics/Multi-domain-Admin-user-authentication...

CCSM R77/R80/ELITE
0 Kudos
PhoneBoy
Admin
Admin

I just recently became aware of this SK that provides a mechanism for authenticating SmartConsole users with Active Directory.
It is supported from R80.20 JHF, but has some limitations, and thus won't be appropriate in every situation.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

Maarten_Sjouw
Champion
Champion

To bring back an old post again, in R81 and R81.10 there seems to be a difference in the Kerberos part used underwater. Due to company policies we were forced to harden the AD server and ran into an issue when the following encryption types were disabled for the Kerberos authentication:

DES_CBC_CRC,  DES_CBC_MD5,  RC4_HMAC_MD5

Then we found that authentication to a R81 MDS was no longer working in a capture you see Kerberos errors with preauth_required, response_too_big and etype_nosupp

At the same time authenticating to a R81.10 MDS worked just fine, so it seems to be a version related.

Main question here: is there a way to force higher encryption types on the kerberos protocol?

Regards, Maarten
0 Kudos
JanVC
Collaborator

Perhaps you already solved it, but this link looks to be the solution

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    Wed 01 May 2024 @ 02:00 PM (EDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Wed 01 May 2024 @ 02:00 PM (EDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    CheckMates Events