Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Nagaraja
Explorer

Certificate Authentication for Remote Access VPN user

Hi Team,

We have configured personal certificate as First factor and Radius as second factor authentication.

In personal certificate authentication, the firewall will check for the DN(correct me if I am wrong),can we make it to check only CN instead of DN.

Second query is that the user is having multiple certificates, so in that case how Check Point will match the exact certificate  if there are two VPN certificate with two different templates? 

0 Kudos
12 Replies
the_rock
Leader
Leader

I believe it only checks DN. Your 2nd inquiry, are you referring to just a specific user cert here?

Andy

0 Kudos
Nagaraja
Explorer

Yes, it is user certificate

0 Kudos
PhoneBoy
Admin
Admin

As far as I know, what we check in the cert is hard coded and can't be changed.
For the second question, it depends on what kind of a certificate we're talking about.

  • For a user-specific certificate, I believe the user chooses what certificate to offer.
  • For a machine certificate, we use the most recent one, I believe (and that's hardcoded).
0 Kudos
Nagaraja
Explorer

Hi Phoneboy,

 

Thanks for the information.

Is there any supporting document which says that we can't change the configuration to check CN instead of DN.

Any article which says that it will use the latest certificate if it is machine certificate.

We are using user based certificate

 

0 Kudos
Nagaraja
Explorer

Hi Phoneboy,

We are using user based certificate and there are multiple certificates(eg. includes expired cert aslo) in user machine.

Why Check Point is not able to pick the valid certificate ? User is not aware of the valid/expired certificates.

0 Kudos
Nagaraja
Explorer

Hi Phoneboy,

  • For a user-specific certificate, I believe the user chooses what certificate to offer - Can We configure this on gateway end to select the certificate automatically instead of user selecting the certificate manually.
0 Kudos
Norbert_Bohusch
Advisor

You can change what is taken from the certificate for matching it against the user base (LDAP or local).

Before R80.x it was a bit of a pain to configure through GuiDBedit, but since R80.10 you can select it when configuration Multiple Login Options:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-...

See chapter:  Certificate Parsing

 

Besides the "Fetch username from" setting as described, you will have to match the "search LDAP for", so it can find it.

So you can even go for CN, SAN.email, SAN.UPN, etc...

 

Btw. I configured this on R77.10 already but not that comfortable 😉

0 Kudos
Nagaraja
Explorer

Hi Norbert,

 

There is no option to configure only CN validation check.

We can configure DN.CN,it seems like this is 'AND' operation not 'OR' operation.

Attaching the screenshot for your reference.

0 Kudos
Norbert_Bohusch
Advisor

DN.CN means the CN part of the DN.

A certificate has always CN as part of DN... So exactly what you asked.

 

I don‘t understand the and/or part of your answer?!

0 Kudos
Nagaraja
Explorer

Hi Norbert,

 

We don't want to validate DN.

We need to validate only CN.

Is that possible ?

0 Kudos
PhoneBoy
Admin
Admin

You can try Custom Fields, otherwise I assume this would be an RFE.

0 Kudos
Norbert_Bohusch
Advisor

I don't understand this question?

Can you post a sample Subject or SAN and tell me which part of it you want to use for finding the user in LDAP?

0 Kudos