Iron

Identity Awareness and UPN suffix


Hi Guys

I have a problem: CP Identity Awareness doesn't want to recognize users who logged in with UPN credentials. For example, XYZ.local is a standard AD domain, but it also has the UPN suffix XYZ.com for communication with O365 etc. For Windows login (and WLC with RADIUS) it doesn't matter; it can be just username, or username@XYZ.local, or username@XYZ.com. Check Point understands only username and username@XYZ.local.

I talked to CP support; they advised creating an additional LDAP account unit (XYZ.com), but it doesn't work: still the same issues with name recognition, and also Remote Access VPN stops (loses access to the original domain XYZ.local).

Do you have any ideas how to fix it?

thanks


Accepted Solutions
Employee++

Thanks @Royi_Priov 

For completeness, do we have any other options to manipulate the RADIUS data (realm matching) if it can't be done upstream?

Cheers,

Chris


10 Replies
Iron
Short comment: username@XYZ.local also doesn't work, only the clean username.
Admin

Not sure, @Royi_Priov ?

Employee+

Which identity sources are used?

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
Iron
Hi Royi
Active Directory Query (LDAP), and RADIUS accounting turned on... The WLC sends info to Check Point, and I can recognize wireless users in CP logs.
thanks
Employee++

Iron
Thanks Chris, I think you're right; I need to try to cut the suffix there.
Employee+
I would also suggest using the "alias feature" in Identity Collector (which can replace AD Query).
This feature allows you to replace one domain with another; read more about it in our admin guide.

As for Identity Collector vs. AD Query differences - see sk108235.
Thanks,
Royi Priov
Group manager, Identity Awareness R&D
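To show what a domain-alias mapping like the one Royi describes does to the name forms the original poster listed (username, username@XYZ.local, username@XYZ.com), here is an added example; it is not Check Point's implementation, and the alias table, NetBIOS table and sample names are constructed for illustration.

```python
"""Constructed example: collapse the different realm forms a RADIUS User-Name or
Windows logon can carry into one canonical (domain, user) key, so that a user seen
as jdoe@XYZ.com matches the same identity as jdoe@XYZ.local or plain jdoe."""

from typing import Optional, Tuple

# Constructed alias table: UPN suffix -> the domain the LDAP account unit knows.
DOMAIN_ALIASES = {
    "xyz.com": "xyz.local",
    "xyz.local": "xyz.local",
}

# Constructed: NetBIOS (short) domain name -> DNS domain, for DOMAIN\user logons.
NETBIOS_NAMES = {"xyz": "xyz.local"}

# Domain assumed for a bare sAMAccountName with no realm at all.
DEFAULT_DOMAIN = "xyz.local"


def canonical_identity(user_name: str) -> Optional[Tuple[str, str]]:
    """Return (domain, user) for a logon name, or None if its realm is unknown."""
    name = user_name.strip()
    if not name:
        return None
    if "\\" in name:                       # DOMAIN\user (NetBIOS form)
        dom, user = name.split("\\", 1)
        domain = NETBIOS_NAMES.get(dom.lower())
    elif "@" in name:                      # user@suffix (UPN form); split on the last '@'
        user, dom = name.rsplit("@", 1)
        domain = DOMAIN_ALIASES.get(dom.lower())
    else:                                  # bare username: assume the default domain
        user, domain = name, DEFAULT_DOMAIN
    if not user or domain is None:
        # Unknown realm: leave the user unidentified rather than guessing a domain,
        # so an arbitrary suffix can never be mapped onto an internal account.
        return None
    return domain, user.lower()


def same_identity(a: str, b: str) -> bool:
    """True when two logon names resolve to the same canonical identity."""
    ca, cb = canonical_identity(a), canonical_identity(b)
    return ca is not None and ca == cb
```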
Iron
Thanks Royi, I will try. Just some questions: do IA and Remote Access VPN use different ways for authorization? If I turn off AD Query in IA, should VPN continue to work?
Iron
Thanks guys, I didn't fix my problem, but found another solution.
Royi, I deployed IC; it works, but it doesn't recognize RADIUS users, I don't see them; anyway I kept it.
Chris, your solution works (I played with realm info), but it looks like the WLC sends info to Check Point (and its own log) before the NPS (RADIUS) server; I can change realm info, but Check Point sees the original request with domain info.
I blocked any access to wireless with domain info: just username, or no Wi-Fi 🙂
Also opened a Cisco support case; not sure, maybe it's possible to cut realm info on the WLC directly.
Thanks guys!