Hi and Happy New Year!
I have a TAC case 6-0001868715 open about this, but I don't have a complete answer from that yet, so I thought I would cast the net a bit wider.
My requirement is the following:
1. I have an identity certificate generated from a trusted external CA of an Active Directory domain ACME.COM, with an attribute in the Subject of the certificate "firstname.lastname@acme.com". For the purposes of this post, this is the only attribute in the certificate that we can use to identify the username.
2. I require Mobile Access to use the certificate to identify a user in a different Active Directory domain (call it ROADRUNNER.COM, which has no trust or linkage with the first) whose username is firstname.lastname.
I understand I can use, in the certificate field of the authentication part of the Mobile Access settings:
Gateway -> Mobile Access -> Authentication -> Personal Certificate + Username and Password -> Personal Certificate -> Fetch username from custom fields -> Source: Subject | DN Part: email | storage type: any, and also set DN occurrence=1
When I push the above, the gateway extracts "username.lastname@acme.com" from the certificate as the username; however, this fails authentication, as ROADRUNNER.COM has no username firstname.lastname@acme.com, even though it does have a user firstname.lastname.
My question: is there any regex that can be used in the DN Part (or any other method) to extract only firstname.lastname as the username (from the email address in the subject) rather than firstname.lastname@acme.com?
Why do I want this? Because, for some reason, the set-up that I have to work with seems to use a separate domain to generate the certs compared to the domain that does the user authentication, and this "works" because they are careful to ensure all users of both domains use the same firstname.lastname name format.
I understand we could reissue all the certs with just username.lastname as the CN in the cert, and this would make our life easy; however, this would have a high administrative overhead.
How does it work at the moment? It uses a solution from a different company that seems to work just fine somehow; however, I have been asked to migrate the existing solution to Check Point.
If we can get this functionality working, it will be a win for Check Point :)
Thanks,
Andrew
Just want to add that I am trying a workaround, which is to populate the email address from the certificate issued by the first domain into the email address field of the corresponding user in the second domain.
Then use the LDAP field "email address" to do the auth.
This works (though it is ugly); however, I believe I am now running into sk121801 or something similar. This is with R80.20 T118.
I used guidbedit to set
CustomLoginAttr =
|(mail=<<>>)(proxyAddresses=smtp:<<>>)
(the field to modify is described in sk121801)
Which fixed the SNX issue.
So now at least I have a workaround :)
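Putting the two pieces of the thread together (the username extraction from the Subject e-mail, and the mail/proxyAddresses login filter from the workaround), the following is an added Python example that is not part of the original posts and is not Check Point code. It parses a constructed Subject DN string, takes the local part of the e-mail attribute (failing closed when the attribute is absent, has no domain part, or does not follow the firstname.lastname convention), and builds the sk121801-style filter with RFC 4515 escaping applied to the substituted value, since that value originates in a certificate issued by a CA the authenticating domain does not control. Whether the gateway's "DN Part" field accepts a regex is the open question of the thread; this example does not answer it, it only shows the transformation being asked for. The e-mail attribute type names, the 1-based meaning of the occurrence parameter, and the sample DN are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample Subject DN in RFC 4514 string form, as a gateway log or a
# certificate library would print it. It is not taken from a real certificate.
SAMPLE_SUBJECT_DN = (
    "CN=Coyote\\, Wile E.,OU=Users,DC=acme,DC=com,E=firstname.lastname@acme.com"
)

# Attribute types under which the e-mail usually appears in a Subject DN
# (assumed set; extend it if your CA uses a different type name).
EMAIL_TYPES = {"E", "EMAIL", "EMAILADDRESS", "1.2.840.113549.1.9.1"}

# The firstname.lastname convention both domains are said to share.
USERNAME_RE = re.compile(r"[a-z0-9-]+\.[a-z0-9-]+", re.IGNORECASE)


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (type, value) pairs.

    A comma separates RDNs unless it is backslash-escaped; escapes inside the
    value are then removed so the caller sees the real attribute value.
    """
    raw_rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair together
            buf.append(dn[i : i + 2])
            i += 2
            continue
        if ch == ",":
            raw_rdns.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    raw_rdns.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for rdn in raw_rdns:
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            continue                               # skip malformed fragments
        unescaped = re.sub(r"\\(.)", r"\1", value.strip())
        pairs.append((attr_type.strip().upper(), unescaped))
    return pairs


def extract_username(subject_dn: str, occurrence: int = 1) -> Optional[str]:
    """Return the local part of the n-th e-mail attribute in the Subject, or None.

    `occurrence` is 1-based here (an assumption about what the gateway's
    "DN occurrence" setting counts). None is returned when the attribute is
    missing, has no domain part, or does not look like firstname.lastname,
    so the caller fails closed instead of handing junk to LDAP.
    """
    emails = [v for t, v in split_dn(subject_dn) if t in EMAIL_TYPES]
    if occurrence < 1 or len(emails) < occurrence:
        return None
    local, at, domain = emails[occurrence - 1].partition("@")
    if not at or not domain or not USERNAME_RE.fullmatch(local):
        return None
    return local


def ldap_escape(value: str) -> str:
    """Escape an LDAP assertion value per RFC 4515 section 3.

    The e-mail comes from a certificate issued by a CA that the authenticating
    domain does not control, so it must not be able to change the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def login_filter(email: str) -> str:
    """Build the sk121801-style filter with the e-mail substituted and escaped."""
    escaped = ldap_escape(email)
    return f"(|(mail={escaped})(proxyAddresses=smtp:{escaped}))"


if __name__ == "__main__":
    print("username:", extract_username(SAMPLE_SUBJECT_DN))
    print("filter:", login_filter("firstname.lastname@acme.com"))
```

The escape step is the part worth keeping even if everything else is replaced by the gateway's own mechanism: if the value substituted into the `<<>>` placeholder could carry `*`, `(` or `)` unescaped, a certificate-controlled attribute would be able to widen the search, so whatever performs the substitution should escape it or the attribute should be validated against the expected firstname.lastname shape first, as `extract_username` does.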