Definition of "CN Occurrence" and parsing of certificate attributes for Mobile Access

Hi and Happy New Year!

I have a TAC case 6-0001868715 open about this but don't have a complete answer from that yet so I thought I would cast the net a bit wider.

My requirement is the following:

1. I have an identity certificate generated from a trusted external CA of an active directory domain ACME.COM with an attribute in the Subject of the certificate "firstname.lastname@acme.com". For the purposes of this post this is the only attribute in the certificate that we can use to identify the username.

2. I require Mobile Access to use the certificate to identify a user in a different Active Directory domain (call it ROADRUNNER.COM, which has no trust or linkage with the first) whose username is firstname.lastname

I understand I can use, in the certificate field of the authentication part of Mobile access settings:

Gateway -> Mobile Access -> Authentication -> Personal Certificate + Username and Password -> Personal Certificate -> Fetch username from custom fields -> Source: Subject | DN Part: email | storage type: any, and also set DN occurrence=1

When I push the above, the gateway extracts "username.lastname@acme.com" from the certificate as the username, however this fails authentication as ROADRUNNER.COM has no username firstname.lastname@acme.com even though it does have a user firstname.lastname

My question: is there any REGEX that can be used in the DN part (or any other method) to extract only firstname.lastname as the username (from the email address in the subject) rather than firstname.lastname@acme.com?

Why do I want this? Because for some reason the set-up that I have to work with seems to use a separate domain to generate the certs compared to the domain that does the user authentication, and this "works" because they are careful to ensure all users of both domains use the same firstname.lastname name format.

I understand we could re-issue all the certs with just username.lastname as a CN in the cert and this would make our life easy however this would have high administrative overhead.

How does it work at the moment? It uses a solution from a different company that seems to work just fine somehow; however, I have been asked to migrate the existing solution to Check Point.

If we can get this functionality working it will be a win for Check Point :)

Thanks,

Andrew
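As an added example (not code from the thread, from Check Point, or from the other vendor's product mentioned), here is what the "take only the local part of the email address from the Subject" rule asked for above looks like when written out in Python over a constructed Subject DN. The sample DN, the attribute names listed in EMAIL_ATTRS and the optional issuing-domain check are assumptions of the example, not gateway settings.

```python
import re

# Constructed sample Subject DN in RFC 4514 text form, standing in for the
# certificate described in the question. "E" is the common short name for
# the emailAddress attribute (OID 1.2.840.113549.1.9.1).
SAMPLE_SUBJECT_DN = (
    "E=firstname.lastname@acme.com,CN=Firstname Lastname,"
    "OU=Users,DC=acme,DC=com"
)

# Attribute names under which the email may appear in a subject DN (assumed).
EMAIL_ATTRS = {"E", "EMAIL", "EMAILADDRESS", "1.2.840.113549.1.9.1"}

# One attribute=value pair; a value may contain backslash-escaped commas.
_RDN_RE = re.compile(r"(?P<attr>[A-Za-z0-9.]+)=(?P<val>(?:\\.|[^,])*)")

# Local part and domain of an address: no whitespace, exactly one "@".
_EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def parse_dn(dn):
    """Split a DN string into (ATTRIBUTE, value) pairs in the order written."""
    pairs = []
    for m in _RDN_RE.finditer(dn):
        # Drop the backslash from escaped characters such as "\,".
        value = re.sub(r"\\(.)", r"\1", m.group("val")).strip()
        pairs.append((m.group("attr").upper(), value))
    return pairs


def username_from_subject(dn, issuing_domain=None):
    """Return the local part of the first email attribute in the subject.

    Returns None when no email attribute exists, when the value is not a
    single well-formed address, or, if issuing_domain is given, when the
    address belongs to another domain (compared case-insensitively). The
    domain check is an added safeguard: without it, any certificate from
    the same CA carrying "<someone>@other.example" would map onto a
    ROADRUNNER.COM account with the same local part.
    """
    for attr, value in parse_dn(dn):
        if attr not in EMAIL_ATTRS:
            continue
        m = _EMAIL_RE.match(value)
        if m is None:
            return None
        local, domain = m.group(1), m.group(2)
        if issuing_domain and domain.lower() != issuing_domain.lower():
            return None
        return local
    return None


if __name__ == "__main__":
    print(username_from_subject(SAMPLE_SUBJECT_DN, "acme.com"))
```

The domain check is the part worth keeping whichever product performs the mapping: once the "@acme.com" suffix is discarded, the only thing tying the certificate to the ROADRUNNER.COM account is the local part, so the mapping should be accepted only for certificates whose address is in the issuing domain and whose chain validates against that CA.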
2 Replies
Participant

Just want to add that I am trying a workaround, which is to populate the email address from the certificate issued by the first domain into the email address field of the corresponding user in the second domain.

Then use the LDAP field "email address" to do the auth.

This works (though it is ugly); however, I believe I am now running into sk121801 or something similar. This is with R80.20 T118.
Participant

I used GuiDBedit to set

CustomLoginAttr = |(mail=<<>>)(proxyAddresses=smtp:<<>>)

(the field to modify is described in sk121801), which fixed the SNX issue.

So now at least I have a workaround :)
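The CustomLoginAttr value from the reply above, as an added example of how such a template resolves to an LDAP search and why the substituted value has to be escaped (Python written for this thread, not Check Point's own code). The outer parentheses around the expression, the RFC 4515 escaping, the constructed ROADRUNNER.COM entries and the toy filter evaluator are assumptions of the example; the real behaviour on the gateway is whatever sk121801 describes.

```python
import re

# The template set via GuiDBedit in the reply; <<>> marks where the gateway
# inserts the username taken from the certificate.
CUSTOM_LOGIN_ATTR = "|(mail=<<>>)(proxyAddresses=smtp:<<>>)"

# RFC 4515 escaping of the characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    """Escape a value so it is matched literally rather than parsed as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def ldap_unescape(value):
    """Reverse of ldap_escape, used only by the toy evaluator below."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_login_filter(template, username):
    """Substitute the escaped username into the template and wrap it in outer
    parentheses (assumed here; the thread does not say whether the gateway
    adds them itself)."""
    return "(" + template.replace("<<>>", ldap_escape(username)) + ")"


# Constructed directory entries standing in for ROADRUNNER.COM. Attribute
# values are compared case-insensitively, which is assumed to match how AD
# evaluates mail and proxyAddresses.
DIRECTORY = {
    "CN=Firstname Lastname,OU=Users,DC=roadrunner,DC=com": {
        "samaccountname": ["firstname.lastname"],
        "mail": ["firstname.lastname@acme.com"],
        "proxyaddresses": [
            "SMTP:firstname.lastname@roadrunner.com",
            "smtp:firstname.lastname@acme.com",
        ],
    },
    "CN=Other User,OU=Users,DC=roadrunner,DC=com": {
        "samaccountname": ["other.user"],
        "mail": ["other.user@acme.com"],
        "proxyaddresses": ["SMTP:other.user@roadrunner.com"],
    },
}

# One equality item inside the filter, e.g. "(mail=x)".
_EQ_RE = re.compile(r"\((?P<attr>[A-Za-z0-9]+)=(?P<val>[^()]*)\)")


def find_user(directory, flt):
    """Toy evaluator for an OR of equality items; returns the first matching DN."""
    terms = [(m.group("attr").lower(), ldap_unescape(m.group("val")).lower())
             for m in _EQ_RE.finditer(flt)]
    for dn, attrs in directory.items():
        for attr, wanted in terms:
            if wanted in (v.lower() for v in attrs.get(attr, [])):
                return dn
    return None


if __name__ == "__main__":
    flt = build_login_filter(CUSTOM_LOGIN_ATTR, "firstname.lastname@acme.com")
    print(flt)
    print(find_user(DIRECTORY, flt))
```

Escaping the substituted username is what keeps a certificate field containing "*", "(" or ")" from turning the search into a presence filter or a different expression: with escaping, "*" reaches the directory as the literal "\2a" and matches no entry, whereas an unescaped "(mail=*)" would match every user that has a mail attribute.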