This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
MVP Gold
MVP Gold
‎2018-10-04 02:58 AM
Jump to solution

SmartConsole AD Authentication

Hello folks,

I have integrated Active directory with Checkpoint R80.10. So can I use the active directory user log in for smart console. I do not have radius server. Please let me know Is it possible and how?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
2 Solutions

Accepted Solutions
SantiagoPlatero
Collaborator
‎2018-10-11 11:28 AM
In response to Norbert_Bohusch
Jump to solution

Hi Blason R, I actually had implemented the option told by Norbert Bohusch in my environment:

a Windows Server with the NPS role installed on a separate server of the domain controller (I believe putting the NPS in a DC is a big NO-NO).

Also as Norbert says the NPS role is essentially a Radius server, so you have to follow the instructions for "Configuring a RADIUS Server for Administrators" from the Admin Guide:

- Create a Radius Server object with a shared secret on the SmartConsole

- In the NPS server create a Radius Client with the Management/SmartCenter IP address and obviously the same shared secret from above

- Create a Connection Policy with at least a condition (for example the NAS IPv4 address as the IP address of mgmt) with EAP-MSCHAP as authentication method

- Create a Network Policy with also at least the same condition above (but I also configure a condition for the users must be members of an specific AD group)

- Create an administrator on the SmartConsole with a username format like <AD domain>\<AD user> and Radius as authentication method

Then you can login using the <AD domain>\<AD user> as user name and your AD password as password.

Hope it helped

View solution in original post

PhoneBoy
Admin
Admin
‎2021-02-04 11:49 PM
Jump to solution

I just recently became aware of this SK that provides a mechanism for authenticating SmartConsole users with Active Directory.
It is supported from R80.20 JHF, but has some limitations, and thus won't be appropriate in every situation.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

View solution in original post

10 Replies
Norbert_Bohusch
Advisor
‎2018-10-04 03:20 AM
Jump to solution

You could use Microsoft NPS (Network Policy Server = Radius Server) on either DC or separate Server.


0 Kudos
SantiagoPlatero
Collaborator
‎2018-10-11 11:28 AM
In response to Norbert_Bohusch
Jump to solution

Hi Blason R, I actually had implemented the option told by Norbert Bohusch in my environment:

a Windows Server with the NPS role installed on a separate server of the domain controller (I believe putting the NPS in a DC is a big NO-NO).

Also as Norbert says the NPS role is essentially a Radius server, so you have to follow the instructions for "Configuring a RADIUS Server for Administrators" from the Admin Guide:

- Create a Radius Server object with a shared secret on the SmartConsole

- In the NPS server create a Radius Client with the Management/SmartCenter IP address and obviously the same shared secret from above

- Create a Connection Policy with at least a condition (for example the NAS IPv4 address as the IP address of mgmt) with EAP-MSCHAP as authentication method

- Create a Network Policy with also at least the same condition above (but I also configure a condition for the users must be members of an specific AD group)

- Create an administrator on the SmartConsole with a username format like <AD domain>\<AD user> and Radius as authentication method

Then you can login using the <AD domain>\<AD user> as user name and your AD password as password.

Hope it helped

Carsten_Weber
Contributor
‎2018-10-04 06:22 AM
Jump to solution

Still not possible the way you want to do it.

See the documentation R80.10 Management Admin Guide, Section: Configuring Authentication Methods for Administrators

Same goes for R80.20 Management Admin Guide, Section: Configuring Authentication Methods for Administrators

I did hear that request/question from every customer who was thinking about moving away from local OS accounts. And it is the first question that comes to mind, always.

I do struggle to understand this approach, however. I reckon that there is a very good reason behind this, though. I'm sure. 100%. No doubt.

Could someone knowing(!) the reasons please elabotrate about this?

Maybe it is about, who has control over the authorizing system and it's security measures and options (2FA, etc.)

Smartin
Explorer
‎2019-11-27 11:55 AM
Jump to solution

how did you get smartconsole to log in with AD? I can't find a good guide
0 Kudos
PhoneBoy
Admin
Admin
‎2019-11-27 02:49 PM
In response to Smartin
Jump to solution

You cannot directly authenticate SmartConsole with AD users.
You can, however, use a RADIUS server that is tied into AD (like Microsoft NPS) as a go-between.
The answer I've marked in this thread as "correct" is a good place to start.
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-11-28 12:34 AM
In response to PhoneBoy
Jump to solution

There is a way in R80.20 and R80.30, but you have to ask for the activation method, with you local SE's.
Regards, Maarten
0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-11-27 11:38 PM
In response to Smartin
Jump to solution

For reference this has been discussed previously in another thread, see here:

https://community.checkpoint.com/t5/General-Management-Topics/Multi-domain-Admin-user-authentication...

CCSM R77/R80/ELITE
0 Kudos
PhoneBoy
Admin
Admin
‎2021-02-04 11:49 PM
Jump to solution

I just recently became aware of this SK that provides a mechanism for authenticating SmartConsole users with Active Directory.
It is supported from R80.20 JHF, but has some limitations, and thus won't be appropriate in every situation.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

Maarten_Sjouw
Champion
Champion
‎2022-10-19 01:55 AM
In response to PhoneBoy
Jump to solution

To bring back an old post again, in R81 and R81.10 there seems to be a difference in the Kerberos part used underwater. Due to company policies we were forced to harden the AD server and ran into an issue when the following encryption types were disabled for the Kerberos authentication:

DES_CBC_CRC,  DES_CBC_MD5,  RC4_HMAC_MD5

Then we found that authentication to a R81 MDS was no longer working in a capture you see Kerberos errors with preauth_required, response_too_big and etype_nosupp

At the same time authenticating to a R81.10 MDS worked just fine, so it seems to be a version related.

Main question here: is there a way to force higher encryption types on the kerberos protocol?

Regards, Maarten
0 Kudos
JanVC
Collaborator
‎2023-02-17 01:56 AM
In response to Maarten_Sjouw
Jump to solution

Perhaps you already solved it, but this link looks to be the solution

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events