Andreas_Mang
Contributor

When will AES-256/AES-128 Kerberos cipher suites finally be supported through SmartDashboard? I know in R77.30 they are only available through a hotfix.


In R77.30 I can get a hotfix to support Kerberos authentication on the Identity Agent for AD SSO using the AES-128 and AES-256 cipher suites. The only suites currently available in SmartConsole are RC4-HMAC-NT, which is obsolete, and DES-CBC-MD5/CRC.

0 Kudos
9 Replies
Tzvi_Katz
Employee

Hi,

The HF was integrated into the R80.10 GW, but the setup will remain similar to the HF in R77.30 from CLI; the setting from SmartConsole support will be integrated in the next releases.


0 Kudos
Andreas_Mang
Contributor

Still not part of the R80.40 GUI?

0 Kudos
Roman_Niewiado1
Contributor

R80.30 take 227 doesn't have the AES-128 and AES-256 ciphers either.

 

0 Kudos
Tobias_Moritz
Advisor

@Tzvi_Katz you said "will be integrated in the next releases" and that was more than four years ago. At which position on the roadmap is this feature? Just asking... 🙂

Tzvi_Katz
Employee

Well, the next release is R81.10 and according to @Royi_Priov - this is part of the release.

 


Tobias_Moritz
Advisor

Thank you for your fast response. So we look forward to that release 🙂

0 Kudos
andymong
Participant

Still nothing in R81? 😞

0 Kudos
Roman_Niewiado1
Contributor

Check Point has a solution that is like something from a cheap software company. Not what I would expect of CP.

 

[Expert@gw:0]# pdp auth kerberos_encryption set RC4-HMAC-NT
Command: root->auth->kerberos_encryption->set
Please select one of:
policy
aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha1-96
[Expert@gw:0]# pdp auth kerberos_encryption set aes128-cts-hmac-sha1-96
Kerberos encryption type is aes128-cts-hmac-sha1-96
*** You must push the policy for this change to take effect!

 

I have two domains and I'm not able to change the ciphers for only one domain. What a sh..

0 Kudos
David_Herselman
Collaborator

Hi,

I presume I'm missing something and have not hit a quirk. Attempting to navigate to the Kerberos auto authentication portal yields the following error:

kerberos_aes.png

 

I set my user account, the AD integration account and the Kerberos SSO account to support Kerberos AES 256 bit encryption, ran 'pdp auth kerberos_encryption set aes256-cts-hmac-sha1-96' and then installed policy via SmartConsole.

 

Edit:

Appears to be working though, as I can:

kerberos_log.png

0 Kudos
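
Added example, not part of the original thread and not Check Point code: a small Python audit for the setup described in the last post, checking that each AD account involved allows the Kerberos encryption type set on the gateway with `pdp auth kerberos_encryption set`. It assumes you have exported each account's `msDS-SupportedEncryptionTypes` value from Active Directory; the account names and values below are constructed samples.

```python
# Added example: checks that AD accounts allow the Kerberos etype set on the gateway.
# Bit values are those of the AD attribute msDS-SupportedEncryptionTypes.
ETYPE_BITS = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "rc4-hmac": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}
WEAK = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}


def decode_etypes(mask):
    """Return the etype names enabled in an msDS-SupportedEncryptionTypes value."""
    return [name for name, bit in ETYPE_BITS.items() if mask & bit]


def audit(accounts, gateway_etype):
    """Return {account: [findings]} for accounts that conflict with the gateway etype."""
    if gateway_etype not in ETYPE_BITS:
        raise ValueError(f"unknown etype: {gateway_etype}")
    findings = {}
    for name, mask in accounts.items():
        issues = []
        enabled = decode_etypes(mask or 0)
        if not mask:
            # Attribute unset or 0: the KDC uses its default etypes for the account.
            issues.append("attribute unset; etype depends on domain defaults")
        elif gateway_etype not in enabled:
            issues.append(f"{gateway_etype} not enabled")
        weak = sorted(WEAK.intersection(enabled))
        if weak:
            issues.append("weak etypes still enabled: " + ", ".join(weak))
        if issues:
            findings[name] = issues
    return findings


# Constructed sample values; account names are hypothetical.
SAMPLE_ACCOUNTS = {
    "user.jdoe": 0x10,        # AES-256 only
    "svc-ad-query": 0x1C,     # RC4 + AES-128 + AES-256
    "svc-krb-sso": 0x04,      # RC4 only
    "legacy-user": None,      # attribute never set
}

if __name__ == "__main__":
    for account, issues in audit(SAMPLE_ACCOUNTS, "aes256-cts-hmac-sha1-96").items():
        print(account, "->", "; ".join(issues))
```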