This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Highlighted
Andrew_Kemmy
Participant
‎2020-01-02 03:00 PM

Definition of "CN Occurrance" and parsing of certificate attributes for Mobile Access

Hi and Happy New Year!

I have a TAC case 6-0001868715 open about this but don't have a complete answer from that yet so I thought I would cast the net a bit wider.

My requirement is the following:

1. I have an identity certificate generated from a trusted external CA of an active directory domain ACME.COM with an attribute in the Subject of the certificate "firstname.lastname@acme.com". For the purposes of this post this is the only attribute in the certificate that we can use to identify the username.

2. I require Mobile Access to use the certificate to identify a user in a different Active Directory domain (call it ROADRUNNER.COM, which has no trust or linkage with the first) who's username is firstname.lastname

I understand I can use, in the certificate field of the authentication part of Mobile access settings:

Gateway -> Mobile Access -> Authentication -> Personal Certificate + Username and Password -> Personal Certificate -> Fetch username from custom fields -> Source: Subject | DN Part: email | storage type: any, and also set DN occurrance=1

When I push the above, the gateway extracts "username.lastname@acme.com" from the certificate as the username, however this fails authentication as ROADRUNNER.COM has no username firstname.lastname@acme.com even though it does have a user firstname.lastname

My question - is there any REGEX that can be used in the DN part (or any other method) to extract only firstname.lastname as the username  (from the email address in the subject) rather than firstname.lastname@acme.com?

What do I want this? because for some reason the set-up that I have to work with seems to use a separate domain to generate the certs compared to the domain that does the user authentication, and this "works" because they are careful to ensure all users of both domains use the same firstname.lastname name format.

I understand we could re-issue all the certs with just username.lastname as a CN in the cert and this would make our life easy however this would have high administrative overhead.

How does it work at the moment? It uses a solution from a different company - that seems to work just fine somehow, however I have been asked to migrate the existing solution to Check Point.

If we can get this functionality working it will be a win for Check Point:)

Thanks,

Andrew

 

 

 

 

 

 

 

 

0 Kudos
2 Replies
Highlighted
Andrew_Kemmy
Participant
‎2020-01-02 06:04 PM

Just want to add I am trying a workaround which is to populate the email address from the certificate issued by the first domain into the email address field of the corresponding user in the second domain.

Then use the LDAP field "email address" to do the auth.

This works (though ugly) however I believe I am now running into sk121801 or something similar, this is with R80.20 T118


 

0 Kudos
Highlighted
Andrew_Kemmy
Participant
‎2020-01-02 08:36 PM

I used guidbedit to set 

 

CustomLoginAttr =

 

|(mail=<<>>)(proxyAddresses=smtp:<<>>)

 

(field to modify is described in sk121801)

 

Which fixed the SNX issue.

 

So now at least I have a workaround:)

 

 

 

0 Kudos