Solved: Re: When will AES-256/AES-128 Kerberos cipher suit...

Andreas_Mang · ‎2017-02-02

In R77.30 I can get a hotfix to Support Kerberos Authentication on the Identity Agent for AD SSO using AES-128 and AES-256 Cipher suites. The only suites available in SmartConsole are currently RC4-HMAC-NT which is obsolete and DES-CBC-MD5/CRC.

Tzvi_Katz · ‎2017-02-06

Hi,

The HF was integrated to R80.10 GW , but the setup will remain similar to the HF in R77.30 from CLI, the setting from SmartConsole support will be integrated in the next releases.

View solution in original post

Tzvi_Katz · ‎2021-04-13

Well, the next release is R81.10 and according to @Royi_Priov - this is part of the release.

View solution in original post

Tzvi_Katz · ‎2017-02-06

Hi,

The HF was integrated to R80.10 GW , but the setup will remain similar to the HF in R77.30 from CLI, the setting from SmartConsole support will be integrated in the next releases.

Andreas_Mang · ‎2020-04-27

still not part of the R80.40 GUI?

Roman_Niewiado1 · ‎2021-03-22

R80.30 take 227 hasn't AES-128 and AES-256 Cipher, too.

Tobias_Moritz · ‎2021-04-13

@Tzvi_Katzyou said "will be integrated in the next releases" and that was more than four years ago. On which position on the roadmap is this feature? Just asking... 🙂

Tzvi_Katz · ‎2021-04-13

Well, the next release is R81.10 and according to @Royi_Priov - this is part of the release.

Tobias_Moritz · ‎2021-04-13

Thank you for your fast response. So we look forward to that release 🙂

andymong · ‎2021-04-13

still nothing in R81 ? 😞

Roman_Niewiado1 · ‎2021-04-13

Check Point has a solution that is something like from a cheap software company. Nothing what I would expect of CP.

[Expert@gw:0]# pdp auth kerberos_encryption set RC4-HMAC-NT

Command: root->auth->kerberos_encryption->set

Please select one of:

policy

aes128-cts-hmac-sha1-96

aes256-cts-hmac-sha1-96

[Expert@gw:0]# pdp auth kerberos_encryption set aes128-cts-hmac-sha1-96

Kerberos encryption type is aes128-cts-hmac-sha1-96

*** You must push the policy for this change to take effect!

I have two domains and I'm not able to change the ciphers only for one domain. What a sh..

David_Herselman · ‎2021-08-01

Hi,

I presume I'm missing something and not hit a quirk. Attempting to navigate to the Kerberos auto authentication portal yield the following error:

I set my user account, the AD integration account and the Kerberos SSO account to support Kerberos AES 256 bit encryption, ran 'pdp auth kerberos_encryption set aes256-cts-hmac-sha1-96' and then installed policy via SmartConsole.

Edit:

Appears to be working though, as I can:

navigate to https://fwcp1.company.com/connect, to clear any existing identity associations
navigate to http://neverssl.com, to initiate an authentication process redirect
Logs confirm automated identity awareness association was done via Kerberos:

Are you a member of CheckMates?

When will AES-256/AES-128 Kerberos cipher suites finally be supported through SmartDashboard? I know in R77.30 they are only available through a hotfix.