This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hrvoje_Brlek
Collaborator
‎2020-09-07 05:09 AM
Jump to solution

Capsule Connect version 1.600.64 - authentication problem

Hi,

Today a new version of Capsule Connect (v1.600.64), for iOS was released, and we are having problems with authentication. Apparently the new app introduced the multi-factor authentication as obligatory. We deploy our configuration through MDM to our users (more than 1000 users). Users with older app versions have no problems, but users with new version cannot connect without "manual" user interaction. 

For the deployment in the older versions we used Custom Data Fields in the MDM profile. The most important was the authMethod which was set to Certificate (image below), and works flawlessly on older app versions. On new app version it doesn't work. 

Bez naslova.jpg

Can you help me finding the appropriate Custom Data Field to use with the new multi-factor authentication? What key-pair value am I supposed to use? There is none described in the  Admin Guide.

These below are the fields I am talking about. I need a value for the auth parameter to make it use the multi-factor authentication option !

Bez naslova.jpg

Thanks

0 Kudos
2 Solutions

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee
‎2020-09-09 05:23 AM
In response to Raman_Arora
Jump to solution

I've brought this thread to the attention of the relevant area, more to follow.

Please refer: sk169222

CCSM R77/R80/ELITE

View solution in original post

Raman_Arora
Contributor
‎2020-09-09 06:23 AM
In response to Hrvoje_Brlek
Jump to solution

It is fixed . We are able to push it from MDM as well. 

On MDM,  Add another key as below:

key : realm

Value : name of the realm (added Under gateway Properties > VPN Clients > Authentication > Multiple Authentication Client Settings > edit the Display Name ((Certificate + Username Password) in my case). You will find Name under General Properties. Cert_Username_Password

 

In my scenario, added as below:

key: relam

value: Cert_Username_Password

Push the config to your test device.

It is working thereafter.

 

View solution in original post

10 Replies
Raman_Arora
Contributor
‎2020-09-08 08:15 AM
Jump to solution

We are also on the same boat. Have you raised ticket with CP TAC?

0 Kudos
Hrvoje_Brlek
Collaborator
‎2020-09-08 01:21 PM
In response to Raman_Arora
Jump to solution

Hi, we have opened a TAC case, I'll keep you updated.

0 Kudos
Raman_Arora
Contributor
‎2020-09-09 06:23 AM
In response to Hrvoje_Brlek
Jump to solution

It is fixed . We are able to push it from MDM as well. 

On MDM,  Add another key as below:

key : realm

Value : name of the realm (added Under gateway Properties > VPN Clients > Authentication > Multiple Authentication Client Settings > edit the Display Name ((Certificate + Username Password) in my case). You will find Name under General Properties. Cert_Username_Password

 

In my scenario, added as below:

key: relam

value: Cert_Username_Password

Push the config to your test device.

It is working thereafter.

 

Kim_Moberg
Advisor
‎2020-09-08 09:17 AM
Jump to solution

Did you remove allow older legacy vpn client in gateway object - vpn - authentication?.. enable it because It solved my issue with Capsule connect failing about multiple authentication methods.

Best Regards
Kim
0 Kudos
Raman_Arora
Contributor
‎2020-09-08 11:01 AM
In response to Kim_Moberg
Jump to solution

Its enabled already.

0 Kudos
Hrvoje_Brlek
Collaborator
‎2020-09-08 01:27 PM
In response to Kim_Moberg
Jump to solution

Yes, we did, but that is not the problem we are facing.

The VPN is working fine, but human interaction is needed to configure the appropriate certificate and get it working. Deployment through MDM and automation is not working, and that is where the problem lies.

0 Kudos
Raman_Arora
Contributor
‎2020-09-08 02:00 PM
In response to Hrvoje_Brlek
Jump to solution

Issue on our side as below:

 

We have Cert + LDAP configured via DB tool, and users on version 1.600.54 are able to connect without any issues! Users with newer version are not able to connect and getting error “this authentication operation is not supported “

 

Aside what I have did is below:

Clicked on Settings under vpn > Authentication and Unchecked “allowed new clients use legacy auth”

And configured Cert + Username/password for new clients 

When I do this , then getting Access Denied

0 Kudos
Kim_Moberg
Advisor
‎2020-09-08 09:07 PM
In response to Raman_Arora
Jump to solution

Due to EA program I was not able to find root issue to this problem with TAC.

I did find something interesting between the jumbo hotfixes. 
I was asked to upgrade from r80.40 take 67 to 77  and none of these takes accepts the latest Capsule connect client. When I downgraded the JHF to take 45 it worked again.

i managed to get username/password authentication to work on capsule connect after changing the vpn settings ‘allow newer clients to use legacy authentication’

Best Regards
Kim
0 Kudos
Raman_Arora
Contributor
‎2020-09-09 03:38 AM
In response to Hrvoje_Brlek
Jump to solution

any inputs from CP TAC on Deployment through MDM for auth type to cert +username?

 

On App store, i can see capsule connect have been removed.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2020-09-09 05:23 AM
In response to Raman_Arora
Jump to solution

I've brought this thread to the attention of the relevant area, more to follow.

Please refer: sk169222

CCSM R77/R80/ELITE

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events