This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
rooKing
Participant
‎2024-01-12 02:35 AM

Capsule VPN w/ certificate authentication and authorization from AAD

Hi CheckMates!

I'm working on a PoC for our customer and this is what I'm trying to achieve:

Intune deployment of Capsule VPN for Android using personal certificate for authentication and Azure AD (Entra ID) for authorization. Azure certificate connector takes care of requesting certificate and Intune deploys it to Android device. I followed sk170320. The VPN client deployment with site info, authentication method and pushing the actual certificate is currently working. Also the certificate authentication itself is working by using generic* profile with 'Public Key' option selected as authentication scheme.

What I need to get working is authorization with Azure AD. I don't know how to get the user to match a group in AAD (pdp monitor does not show a role for the Android device). I also have a TAC case open where I have explained the case and asked if this is even possible. I haven't gotten a no-no response, so I assume it is possible. I have created Azure AD object and I call pull the groups from the AAD.

I have also tried to follow many different documents about getting the roles from the AAD but all of those refer to SAML. We are not using SAML in this case. Followed this and this

Background why not using SAML.

Devices used here are Android phones. These phones are not personal i.e. they are shared devices and they have multiple users.

One device is for on-call plumber no.1 and when his/her shift ends phone is passed to plumber no. 2. Second device is for nursery and different people there use the common phone for accessing company resources via VPN. 

Group info (role) is needed in order to create access roles for the different lines of work because they access different company resources. E.g. group_plumber_android for plumbers and group_nursery_android from nurseries.
 

Versions:
Capsule VPN for Android 1.601.25
Gateway in which the client is terminated to, R81.10 JHF take 129
Android OS 13 

I would really appreciate if someone could help me with this.

Preview file
169 KB
0 Kudos
5 Replies
G_W_Albrecht
Legend Legend
Legend
‎2024-01-12 03:13 AM

I would suggest to involve CP TAC in a SR# - POC or not should not be an issue...

 

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
rooKing
Participant
‎2024-01-12 04:33 AM
In response to G_W_Albrecht

Thanks for a swift reply.

As mentioned I have a TAC case open - and it has been open for almost 2 months now. In that SR case we first tried to resolve certificate authentication problem and after that remote access user group problem - thanks to some tidbits of information given to me in this SR I managed eventually tackle those problems myself. Now I have asked TAC to walk me through how to configure the authorization part towards AAD.

I created this post to CheckMates in parallel. I was hoping that someone has been fighting the same problem and might get a solution faster.

PhoneBoy
Admin
Admin
‎2024-01-12 12:47 PM

You claim you're not using SAML, yet you provide links to a SAML-related configuration.
The only other place to gather groups from is LDAP...is this what you're doing?

0 Kudos
rooKing
Participant
‎2024-01-15 05:29 AM
In response to PhoneBoy

Yes, documents are related to SAML. I was trying to be creative and pickup stuff from those that would be relevant for fetching groups from AAD. 

Nevertheless I finally got an answer from TAC last Friday and what I'm trying to do is not possible. So I need to get back to drawing board. Many many hours down the drain. ☹️

Thank you for everyone for showing interest on this case.

0 Kudos
rooKing
Participant
‎2024-01-16 03:55 AM
In response to rooKing

One more try. Could someone lead me to a new path how to achieve the goal?

And the goal is:

- Deploy Capsule VPN to Android devices via Intune. (This I know now how to do. 😀)
- Authenticate the Android device itself because they are used by group of people instead of just a dedicated user.
- Group the devices so that the groups can be used for authorization so that a specific group can be used to give access to specific applications 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events