This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chacko42
Explorer
‎2023-01-02 07:46 AM
Jump to solution

Azure AD connection R81.10

Hi community,

I got a customer with R80.10 JHF 75 gateway and MGMT on the same version.
We implemented Client VPN access with Azure AD and SAML via Identity Profiles and that is working fine.

Now we want to limit the users, who are allowed to connect in office mode.
We have a vpn-user group and limiting access via identity tags is working fine, but the users can still connect to the VPN and can drain the available office-mode pool.

So an AzureAD object for group mapping looks like the best shot.
We created the client-secret, noted the application ID from our enterprise app and also the tenant app, but if I test the connection, connection failed, please check the credentials supplied. Permissions for Graph and Read-All is set, the gateway and mgmt got internet access.

Any ideas? Has anyone made this running so far? We followed the steps described here: Using Azure AD for Authorization (checkpoint.com) and here https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/cloudguard-saas/90/1/AzureService...

Looking forward to your inputs

Best Regards
Chacko

0 Kudos
1 Solution

Accepted Solutions
15 Replies
PhoneBoy
Admin
Admin
‎2023-01-02 08:02 AM
Jump to solution

I assume you mean R81.10 and not R80.10, correct?
R80.10 is End of Support and doesn’t support SAML.

In any case, I’m not clear on what is currently happening in your environment.
What precisely happens when a user tries to authenticate?
What do you see in the logs and such?
Screenshots of exactly what you’ve configured to support this configuration would help.

0 Kudos
Chacko42
Explorer
‎2023-01-02 12:56 PM
In response to PhoneBoy
Jump to solution

Hi - right, 81.10.
Remote Access with VPN Client and SAML Authentication is working fine, but we would like to use Azure AD for the group mappings. We configured the Azure AD Enterprise App (which is working with SAML) and created a client secret, created a azure ad object in checkpoint, but if we try to retrieve any user/group mappings via access-roles or do a test connection, it fails with invalid credentials. All settings from the admin guide were double checked and the client-secret was copy/pasted, manually checked. Not sure how to troubleshoot, or if some configuration might be missed.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-02 04:32 PM
In response to Chacko42
Jump to solution

Did you also follow: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...

Regardless, actual screenshots of error messages might be helpful.

0 Kudos
Blason_R
Leader
Leader
‎2023-01-02 06:40 PM
In response to Chacko42
Jump to solution

Hi,

Are you running EndPoint Remote Access VPN client with office mode getting authenticated with SAML? hmmm I am keen to know that setup.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Chacko42
Explorer
‎2023-01-03 01:20 PM
In response to Blason_R
Jump to solution

Right, SAML auth and stuff is working.

Unfortunately, you need to pick the best of from differnet support documents and SKs until you get the full picture, but in the end it's working.

Only the group-mapping via AzureAD object doesn't want to work.

As screenshots were requested, here is the error - client secret was double checked and copied, so no way of typos and access rights are set as described in the documentation

 

 

 

 

Preview file
122 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-03 02:45 PM
In response to Chacko42
Jump to solution

The only thing I can think of is the credentials don't allow access to the necessary API calls.
@Royi_Priov what's the best way to troubleshoot this?

0 Kudos
hendriktenhoor
Participant
‎2023-02-21 05:20 AM
In response to PhoneBoy
Jump to solution

I have the same problem. I defined the Azure AD object.

az-ad-obj-01.png

 

You can still save it if you select not to fix the error. However, I got th following message:

 

Does this means you cannot use the Service Principle Authentication option?

 

An Identity Provider object can only be created it either the VPN Remote access service is defined or the Mobile Access blade is enabled. This customer is not using either of them.

Why have the Service Principle Authentication option if it is not supported ?

 

 

 

 

 

 

0 Kudos
muhamadarif
Explorer
‎2023-11-29 07:20 PM
In response to hendriktenhoor
Jump to solution

Hi Hendri,

 

Just to check with you is this issue still haven't solved yet?

0 Kudos
hendriktenhoor
Participant
‎2023-11-30 01:02 AM
In response to muhamadarif
Jump to solution

Hi Muhamadarif,

I got integration with Azure AD to work properly. Having said that, I only configure it in R81.10 and beyond. I advise anyone to upgrade to R81.10 if they want it and still running version before R81.10. Using AD-identities much easier as of R81.10.

0 Kudos
muhamadarif
Explorer
‎2023-12-07 11:44 PM
In response to hendriktenhoor
Jump to solution

Understand.

Yeah i'm running on R81.10
Found out that the permission was wrong. did use application instead of user on api permission.

0 Kudos
Martin_Ferland
Explorer
‎2024-09-12 06:42 AM
Jump to solution

Question : If I want to do both IPSecVPN AND Identity Awerness, do I need to repeate the process twice (2 Identity Provider, 2 Azure Entreprise Application,...) My AzureAD VPN is working, but not my IA. In the Identity Provider, I have to choose between VPN or IA, what to choose or do I need two uses two of everything, one for VPN and one for IA ?

 

0 Kudos
hendrik_tenhoor
Explorer
‎2024-09-12 07:34 AM
In response to Martin_Ferland
Jump to solution

Not sure if I understand your question correctly, Identity Awareness and logging in on the remote VPN client using an Azure account are two different things. If you want to use Azure Identities in your rule base, you need to configure an Azure AD object which will provide access to the Azure AD. The Azure Identifies can than be used in an Access Role, which in turn can be used in Access Rules again. Obviously Identity Awareness needs to be configured as well.

 

0 Kudos
Martin_Ferland
Explorer
‎2024-09-12 07:40 AM
In response to hendrik_tenhoor
Jump to solution

I think you understand very well my question, at least, you repond very weel. As I figure out, you need to install two of everything (two diffrents needs/product). I was just wondering if it was possible to merge the two. As I read, I saw NO, but I want help to confirm. Thnaks a lot

0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-12 07:40 AM
In response to Martin_Ferland
Jump to solution

Yes, you’ll need to create the Identity Provider twice to support both IdA and Remote Access.
In R82 with Infinity Identity, this should not be necessary. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events