This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Damjan_Janev
Participant
‎2018-06-09 01:15 PM

Certificate VPN authentication against LDAP using userPrincipalName (R80.10)

Has anyone tried and succeeded in this?

Since R80.10, sk61060 is no longer applicable and the relevant configuration is performed directly on the gateway object in VPN CLients -> Authentication. In the personal certificate i have

  • Fetch Username From: Subject Alternative Name.UPN in the Login option
  • Common lookup type: User-Principal-Name / UPN (userPrincipalName) in the User Directories

The first part seems to be working OK. I can verify in the logs that UPN is extracted from the certificate but it is not matched against an UPN in LDAP. Login fails with unknown user. If i change everything to default (DN based), it works OK.

If i change the Fetch Username From part to DN, and leave the lookup to be UPN based, authentication succeeds. Looks like the lookup is always DN based, no matter what is selected. I even tried to use custom lookup with userPrincipalName, but the behavior is the same. 

I am currently testing this on R80.10 with Jumbo Hotfix Accumulator Take 91

ETA:

Tried with Hotfix Accumulator Take 103 (latest). No change.

I am currently running some packet capture of the FW-DC communication an concluded that the above configuration results in LDAP search based on sAMAccountName instead on userPrincipalName

10 Replies
PhoneBoy
Admin
Admin
‎2018-06-09 06:57 PM

Even though the R80.10 GUI has an option for this, can you verify the settings are set as described in sk61060 with GUIdbedit?

I'm thinking alternative_subject_field, but maybe the other parameters as well.

0 Kudos
Damjan_Janev
Participant
‎2018-06-10 03:56 AM
In response to PhoneBoy

I finally managed to make it work by using a combination of SmartConsole configuration for the username extraction part and GuiDBEdit configuration for the lookup part, but i don't think that this is the way it was intended to work. Even that took some trial and error to make it work. 

Damjan_Janev
Participant
‎2018-06-10 06:49 AM
In response to Damjan_Janev

Aaaaaaand, that is not the end of my worries. I am experiencing, a similar issue when connection with Capsule Connect on IOS. This time, even the certificate parsing is stuck to default (DN). I have modified every sk61060 related item that seemed relevant to the mobile clients, but with no success. 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-06-10 06:27 PM
In response to Damjan_Janev

Possibly this SK? 

LDAP users connecting from Check Point Capsule Connect / VPN client cannot authenticate using certif... 

Otherwise it's probably worth a TAC case.

0 Kudos
Damjan_Janev
Participant
‎2018-06-11 11:40 PM
In response to PhoneBoy

Ended up with a TAC case. Lets see what happens next.

OliverBayerlein
Participant
‎2018-07-25 07:24 AM
In response to Damjan_Janev

I have exactly same issue. Can you post the solution or SR number?

0 Kudos
SSlater
Employee
Employee
‎2018-07-29 08:04 PM
In response to Damjan_Janev

If you're using a 3rd Party Certificate, it might be overriding the configuration.

sk115637

The 3rd party Root CA has two parameters that define the user fetch process:

use_cn_to_fetch_user (default: false)

use_principal_name (default: false)


***If one of this two parameters are enabled (value=true) then the certificate parsing rules defined in the realm relevant for the VPN blade will not be applied after the certificate chain is completed.

0 Kudos
Damjan_Janev
Participant
‎2018-07-29 11:42 PM
In response to SSlater

The certificate parsing seems to work OK, according to the GUI settings. The subsequent LDAP search is not working properly. 

Scott_Bily
Participant
‎2019-08-15 05:54 AM
In response to Damjan_Janev

Did you ever get this solution working?     I am experiencing the same thing thing.

I have been able to make it all work(including Capsule VPN logins using 3rd party certificate),  In a test environment, using a combination of modifying VPN Client Authentication fields in Smart Dashboard, and editing the VPN realm using guidbedit.

But the the steps I had to take are not very intuitive, and took days of troubleshooting.

I was just wondering if TAC ever gave a reason, or better solution that didn't involve guidbedit, of if this was resolved in maybe R80.30?

0 Kudos
Jan_Kleinhans
Advisor
‎2022-10-20 11:27 PM
In response to Scott_Bily

Hello,

 

can you describe what fields you have changed in guidbedit. I am experiencing the same problem.

 

Regards,

 

Jan

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events