Azure AD connection R81.10

Hi community,

I got a customer with R80.10 JHF 75 gateway and MGMT on the same version.
We implemented Client VPN access with Azure AD and SAML via Identity Profiles and that is working fine.

Now we want to limit the users, who are allowed to connect in office mode.
We have a vpn-user group and limiting access via identity tags is working fine, but the users can still connect to the VPN and can drain the available office-mode pool.

So an AzureAD object for group mapping looks like the best shot.
We created the client-secret, noted the application ID from our enterprise app and also the tenant app, but if I test the connection, connection failed, please check the credentials supplied. Permissions for Graph and Read-All is set, the gateway and mgmt got internet access.

Any ideas? Has anyone made this running so far? We followed the steps described here: Using Azure AD for Authorization (checkpoint.com) and here https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/cloudguard-saas/90/1/AzureService...

Looking forward to your inputs

Best Regards
Chacko

15 Replies
PhoneBoy
Admin

I assume you mean R81.10 and not R80.10, correct?
R80.10 is End of Support and doesn’t support SAML.

In any case, I’m not clear on what is currently happening in your environment.
What precisely happens when a user tries to authenticate?
What do you see in the logs and such?
Screenshots of exactly what you’ve configured to support this configuration would help.

Chacko42
Explorer

Hi - right, 81.10.
Remote Access with VPN Client and SAML Authentication is working fine, but we would like to use Azure AD for the group mappings. We configured the Azure AD Enterprise App (which is working with SAML) and created a client secret, created a azure ad object in checkpoint, but if we try to retrieve any user/group mappings via access-roles or do a test connection, it fails with invalid credentials. All settings from the admin guide were double checked and the client-secret was copy/pasted, manually checked. Not sure how to troubleshoot, or if some configuration might be missed.

PhoneBoy
Admin

Did you also follow: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...

Regardless, actual screenshots of error messages might be helpful.

Blason_R
Leader

Hi,

Are you running EndPoint Remote Access VPN client with office mode getting authenticated with SAML? hmmm I am keen to know that setup.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Chacko42
Explorer

Right, SAML auth and stuff is working.

Unfortunately, you need to pick the best from different support documents and SKs until you get the full picture, but in the end it's working.

Only the group-mapping via AzureAD object doesn't want to work.

As screenshots were requested, here is the error - client secret was double checked and copied, so no way of typos and access rights are set as described in the documentation

PhoneBoy
Admin

The only thing I can think of is the credentials don't allow access to the necessary API calls.
@Royi_Priov what's the best way to troubleshoot this?

hendriktenhoor
Participant

I have the same problem. I defined the Azure AD object.

[attached screenshot: az-ad-obj-01.png]

You can still save it if you select not to fix the error. However, I got the following message:

Does this mean you cannot use the Service Principal Authentication option?

An Identity Provider object can only be created if either the VPN Remote Access service is defined or the Mobile Access blade is enabled. This customer is not using either of them.

Why have the Service Principal Authentication option if it is not supported?

muhamadarif
Explorer

Hi Hendri,

Just to check with you: is this issue still not solved yet?

hendriktenhoor
Participant

Hi Muhamadarif,

I got the integration with Azure AD to work properly. Having said that, I only configured it on R81.10 and beyond. I advise anyone who wants it and is still running a version before R81.10 to upgrade to R81.10. Using AD identities is much easier as of R81.10.

muhamadarif
Explorer

Understand.

Yeah, I'm running on R81.10.
Found out that the permission was wrong: I did use application instead of user on the API permission.

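The two failure modes in this thread (a "check the credentials supplied" error from the test connection, and a wrong Graph permission *type* on the app registration) can be told apart outside SmartConsole by requesting an app-only token for the service principal yourself and reading its claims. The script below is an added example for that, not Check Point or Microsoft code. It assumes the OAuth2 client-credentials grant against the v2.0 token endpoint with the Graph `.default` scope; the tenant ID, client ID, client secret and the `Directory.Read.All` role it looks for are placeholders, and the exact permission list the gateway needs should be taken from the Check Point admin guide for your release. The point it demonstrates: a client-credentials token carries application permissions in the `roles` claim, delegated (user) permissions only ever appear in `scp`, so a permission granted under "Delegated" instead of "Application" produces a token that authenticates fine yet cannot read groups.

```python
"""Diagnose the Azure AD service principal behind a Check Point Azure AD object.

Added example (not Check Point or Microsoft code). Tenant ID, client ID,
client secret and REQUIRED_APP_ROLES are placeholders / assumptions.
Run with AZ_TENANT_ID, AZ_CLIENT_ID and AZ_CLIENT_SECRET set for a live
check; without them it inspects a constructed sample token offline.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Assumption: the Graph application role needed for user/group lookups.
# Take the exact list from the Check Point admin guide for your release.
REQUIRED_APP_ROLES = ("Directory.Read.All",)


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth2 client-credentials grant.

    This is the app-only flow a service principal uses; it can never
    yield a token carrying delegated (user) permissions.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    return url, body


def fetch_token(tenant_id, client_id, client_secret):
    """Live call. An HTTPError here (the JSON body typically cites
    AADSTS7000215 for a wrong client secret) means the credentials
    themselves are bad, independent of any Graph permission."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Decode the JWT payload WITHOUT signature verification. Fine for
    inspecting a token you just received from the IdP yourself; never
    use this to trust a token presented by a third party."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(claims, required=REQUIRED_APP_ROLES):
    """Classify a Graph access token. Returns (status, explanation).

    'delegated'     -> 'scp' present: issued on behalf of a user (e.g. copied
                       from Graph Explorer), not to the application.
    'missing_roles' -> app-only token whose 'roles' lacks a required role:
                       the permission was added as Delegated instead of
                       Application, or admin consent was never granted.
    'ok'            -> app-only token carrying every required role.
    """
    if "scp" in claims:
        return "delegated", ("token has 'scp' (%s); the Azure AD object needs "
                             "application permissions" % claims["scp"])
    roles = set(claims.get("roles", []))
    missing = sorted(r for r in required if r not in roles)
    if missing:
        return "missing_roles", ("app-only token lacks application roles %s; "
                                 "check permission type and admin consent"
                                 % ", ".join(missing))
    return "ok", "token carries roles %s" % ", ".join(sorted(roles))


def make_sample_token(payload):
    """Constructed, unsigned (alg=none) token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."


if __name__ == "__main__":
    env = [os.environ.get(k) for k in ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET")]
    if all(env):
        token = fetch_token(*env)  # live check against your own tenant
    else:
        # Constructed sample: an app-only token issued after the Graph
        # permission was granted as Delegated instead of Application.
        token = make_sample_token({"aud": "https://graph.microsoft.com",
                                   "appid": "00000000-0000-0000-0000-000000000000"})
    status, why = diagnose(decode_jwt_payload(token))
    print(status, "-", why)
    sys.exit(0 if status == "ok" else 1)
```

If `fetch_token` itself fails, the problem is the secret, the client ID or the tenant ID, which is what the "check the credentials supplied" message points at; if it succeeds but `diagnose` reports `missing_roles`, the credentials are right and the permission type or admin consent on the app registration is what needs fixing.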
Martin_Ferland
Explorer

Question: If I want to do both IPsec VPN and Identity Awareness, do I need to repeat the process twice (2 Identity Providers, 2 Azure Enterprise Applications, ...)? My Azure AD VPN is working, but not my IA. In the Identity Provider, I have to choose between VPN or IA. What do I choose, or do I need two of everything, one for VPN and one for IA?

hendrik_tenhoor
Explorer

Not sure if I understand your question correctly. Identity Awareness and logging in on the remote VPN client using an Azure account are two different things. If you want to use Azure identities in your rule base, you need to configure an Azure AD object, which will provide access to the Azure AD. The Azure identities can then be used in an Access Role, which in turn can be used in Access Rules. Obviously Identity Awareness needs to be configured as well.

Martin_Ferland
Explorer

I think you understand my question very well; at least, you responded very well. As I figure it out, you need to install two of everything (two different needs/products). I was just wondering if it was possible to merge the two. As I read, I saw NO, but I want help to confirm. Thanks a lot.

PhoneBoy
Admin

Yes, you’ll need to create the Identity Provider twice to support both IdA and Remote Access.
In R82 with Infinity Identity, this should not be necessary. 
