agk
Explorer

Device Based Authentication on VPN

Hi all,

My customer wants a configuration in which only specific machines (Windows, domain and non-domain, and mobile devices) can connect to the VPN.

1) We can't use SCV because of the unsupported devices.

2) We can't use LDAP computer authentication directly because of the non-domain clients.

--> I thought a client certificate could be used, so I ran some tests:

For mobile devices, it works like a charm. They enroll directly from the device, and the enrollment key cannot be used again.

But for Windows devices, first you need to enroll; the app asks you for a password and creates a p12 certificate. Then you can import it into your personal certificates, and it works.

Here is the thing about that: it asks for the password directly from the endpoint user, so they can export this certificate, import it anywhere else and be able to use it. We have tested this, and the certificate that was working for one computer also worked on another computer for authentication.

What the customer needs is a VPN with a p12/pfx certificate (which has a password created by the customer, so end users cannot install and export it). I think there is a proper way to do this, but so far I couldn't find it. I have checked the following:

1) https://community.checkpoint.com/t5/Security-Gateways/HowTo-Set-Up-Certificate-Based-VPNs-with-Check...

This seems to be a good guide for using certificates for VPN, but it has no password configuration anywhere either.

2) In the Remote Access admin guide (https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/C...) there is a passage that says:

"The administrator can also initiate a certificate generation on the ICA management tool. It is also possible to use third-party Certificate Authorities to create certificates for authentication between Security Gateways and remote users. The supported certificate formats are PKCS#12, CAPI, and Entrust."

It seems it's possible, but I couldn't find how.

Thanks a lot, have a good day!

1 Reply
PhoneBoy
Admin

For Domain computers, you can use a Machine Certificate, which is managed via GPO.
This can be required in addition to the regular user authentication.
Those are not exportable, as far as I know.

Whether you can create a machine certificate for a non-domain computer is a separate question.
Because, unfortunately, I don't see how you can allow specific "non-domain" machines without either using SCV or a machine certificate as you can't really restrict the client certificate usage.

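A worked example of the two halves of the reply above, added here as illustration and not taken from the thread or from Check Point's documentation: a certreq INF that requests a machine certificate whose private key is created non-exportable in the LocalMachine store, and a PowerShell check that reports whether the private key behind a given certificate is exportable, so the imported user p12 from the original post can be compared side by side with a machine certificate. The subject name (example.internal), the file paths and the function name Test-PrivateKeyExportable are assumptions for the example; the CA to which machine.req is submitted (the ICA or a third-party CA) is whatever the deployment uses.

```powershell
# Added example, not from the thread. Assumes Windows 10/11 or Windows Server with
# Windows PowerShell 5.1 or later; certreq.exe is built in. Run elevated for the
# LocalMachine store. The subject DNS suffix and file paths are hypothetical.

# 1. Request a machine certificate with a NON-exportable key.
#    Exportable = FALSE tells the key storage provider to refuse private-key export;
#    MachineKeySet = TRUE puts the key under the machine, not the logged-on user.
$inf = @"
[NewRequest]
Subject = "CN=$env:COMPUTERNAME.example.internal"    ; hypothetical name
KeyLength = 2048
KeyAlgorithm = RSA
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
KeyUsage = 0xA0                                        ; digitalSignature | keyEncipherment
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2                                ; clientAuth
"@
Set-Content -Path "$env:TEMP\machine.inf" -Value $inf
certreq.exe -new "$env:TEMP\machine.inf" "$env:TEMP\machine.req"
# Submit machine.req to the CA, then install the issued certificate with:
#   certreq.exe -accept "$env:TEMP\machine.cer"

# 2. Report whether a certificate's private key can be exported.
#    Handles both CNG keys (RSACng, ExportPolicy flags) and legacy CAPI keys
#    (RSACryptoServiceProvider, CspKeyContainerInfo.Exportable).
function Test-PrivateKeyExportable {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    if (-not $Cert.HasPrivateKey) { return $null }   # no key on this box at all
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $policy = $rsa.Key.ExportPolicy
            return (($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0)
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $rsa.CspKeyContainerInfo.Exportable
        }
        return 'unknown (non-RSA key)'
    } catch {
        # Typically access denied: a user reading a machine key without rights
        return "unknown ($($_.Exception.Message))"
    }
}

# 3. Compare the user store (where the p12 from the enrollment app is imported)
#    with the machine store (where the GPO/certreq machine certificate lives).
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            Exportable = Test-PrivateKeyExportable -Cert $_
        }
    }
} | Format-Table -AutoSize
```

A p12 imported through the Windows import wizard is exportable whenever the "Mark this key as exportable" box was ticked, which is the behaviour described in the original post; a key created with Exportable = FALSE shows False here and the wizard's export option is greyed out. One caveat worth knowing: the non-exportable flag is enforced in software by the key storage provider, so a local administrator on the endpoint can still extract such a key with well-known tooling. If the customer needs the "this key never leaves this machine" property to hold against an administrator, request the key through the TPM-backed provider instead (ProviderName = "Microsoft Platform Crypto Provider"), which keeps the private key inside the TPM.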