agk
Explorer

Device Based Authentication on VPN

Hi all,

My customer wants a configuration in which only specific machines (Windows with domain/non-domain, and mobile devices) can connect to the VPN.

1) We can't use SCV because of the non-supported devices.

2) We can't use LDAP computer authentication directly because of the non-domain clients.

--> I thought a client certificate could be used, so I've made some tests:

For mobile devices, it works like a charm. They enroll directly from the device and the enrollment key cannot be used again.

But for Windows devices, first you need to enroll it; the app asks you for a password and creates a p12 certificate. Then you can import it into your personal certificates, and it works.

Here is the thing about that: it asks for the password directly from the endpoint user, so they can export this certificate, import it anywhere else and be able to use it. We have tested this, and the certificate which was working on one computer also worked on another computer for authentication.

What the customer needs is a VPN with a p12/pfx certificate (which has a password created by the customer, so end users cannot install and export it). I am thinking that there is a proper way to do this, but for a while I couldn't find it. I have checked the below:

1) https://community.checkpoint.com/t5/Security-Gateways/HowTo-Set-Up-Certificate-Based-VPNs-with-Check...

This seems to be a good guide for using certificates for VPN, but anyway it has no password configuration anywhere either.

2) In the Remote Access admin guide (https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/C...) there is a phrase that says:

"The administrator can also initiate a certificate generation on the ICA management tool. It is
also possible to use third-party Certificate Authorities to create certificates for authentication
between Security Gateways and remote users. The supported certificate formats are
PKCS#12, CAPI, and Entrust."

It seems it's possible, but I couldn't find how.


Thanks a lot, have a good day!

3 Replies
PhoneBoy
Admin

For Domain computers, you can use a Machine Certificate, which is managed via GPO.
This can be required in addition to the regular user authentication.
Those are not exportable, as far as I know.

Whether you can create a machine certificate for a non-domain computer is a separate question.
Because, unfortunately, I don't see how you can allow specific "non-domain" machines without either using SCV or a machine certificate as you can't really restrict the client certificate usage.


agk
Explorer

Hi PhoneBoy, thanks for your reply.

I think without direct certificate auth, we can use the below:

Mobile devices (tablet, phone etc.) --> Client certificate (from internal CA directly) + username/password

Windows computers with VPN client (domain and non-domain) --> SCV + username/password (or for domain devices we can use a machine certificate, but there is no alternative for non-domain Windows machines; it seems that we need to use SCV)

macOS computers --> ???

There are 2 questions here:

1) For Windows computers, what SCV type should I use for these devices? (For example, we can check the registry for the "HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates" path after installing a specific certificate.) Do you have any other suggestion?

2) Do you have any configuration in mind for macOS computers?


Thanks!

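The distinction the thread turns on is where the certificate lives (user store vs. machine store) and whether its private key can leave the box. The following PowerShell check is an added example, not code from the thread or from Check Point: it looks up a device certificate by thumbprint in Cert:\LocalMachine\My and reports whether the private key is exportable, using the .NET CNG/CAPI key APIs. The thumbprint value and the function name are placeholders/assumptions; reading a machine-store private key normally needs local administrator rights.

```powershell
# Added example (not from the thread): verify that a device certificate is held in the
# machine store and that its private key is non-exportable. Thumbprint is a placeholder.
function Test-DeviceCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Look only in the machine store. A p12 imported into the user's personal store
    # (Cert:\CurrentUser\My) is the exportable case described in the thread, so it does not count.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }

    $result = [ordered]@{ Thumbprint = $Thumbprint.ToUpper(); InMachineStore = [bool]$cert
                          HasPrivateKey = $false; Exportable = $null; KeyType = $null }
    if (-not $cert) { return [pscustomobject]$result }

    $result.HasPrivateKey = $cert.HasPrivateKey
    if (-not $cert.HasPrivateKey) { return [pscustomobject]$result }

    # Resolve the RSA private key (returns $null for non-RSA keys such as ECDSA).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: ExportPolicy is a flags enum; None means the key cannot leave this machine.
        $result.KeyType    = 'CNG'
        $result.Exportable = ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CAPI key container (what a p12 imported with "mark as exportable" usually creates).
        $result.KeyType    = 'CAPI'
        $result.Exportable = $rsa.CspKeyContainerInfo.Exportable
    } else {
        $result.KeyType = 'non-RSA or inaccessible'
    }
    return [pscustomobject]$result
}

# Placeholder: replace with the thumbprint of the device certificate issued by your CA.
$ExpectedThumbprint = 'REPLACE_WITH_DEVICE_CERT_THUMBPRINT'
$check = Test-DeviceCertificate -Thumbprint $ExpectedThumbprint
$check | Format-List

# Pass only if the certificate is in the machine store with a non-exportable private key.
if ($check.InMachineStore -and $check.HasPrivateKey -and $check.Exportable -eq $false) {
    Write-Output 'PASS: device certificate present and private key not exportable'
    exit 0
}
Write-Output 'FAIL: device certificate missing, or private key exportable'
exit 1
```

A registry check under HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates only proves that a certificate is in the user store, which is exactly the exportable p12 case; the machine store is mirrored under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY.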
PhoneBoy
Admin

You can use SCV on Mac also, but I don't believe you can look for the presence of a certificate using it: https://support.checkpoint.com/results/sk/sk182226
