Doubts Implement Machine Certificate Authentication

Hello everyone,

I am trying to set up Machine Certificate authentication for VPN Client connection.

I am following the official guide for R81.20 (https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...).

Already at step 1, I have doubts. It states to add the Root CA that issues the Machine Certificate (or so I understand it), but it links to SK149253, which to me seems to be about a different topic.

Up to point number 14, fair. It seems to focus on adding a CA to SmartConsole, but from point 15 onwards it starts speaking about generating and externally signing a CSR, which I don't really follow.

So, is that SK linked only to be followed up to point 14, as there is no other specific SK for just adding a Root CA, or does it need to be followed entirely? And if so, could someone explain the need for the subsequent steps regarding the CSR, for Machine Certificate authentication?

Thanks.

Accepted Solutions
the_rock
MVP Platinum

Below is what TAC gave me last year after a remote session we had, and that did work:

**********************

- Sessions had been published, but not pushed to the gateways. Much of the configuration has taken place since then.
- Post-installation, we needed to perform sk116997 as the CSP used for the machine certificate did not allow the use of SHA256 hashing for authentication.
- While we were trying to correct the machine certificate CSP, users were unable to connect to the remote access VPN as they did not belong to the remote access community. Performed sk91844 to change "fetch_type" to "fetch_options", and disabled "ldap_fetch" to prevent LDAP lookup of group memberships, as we wanted users to match the generic* profile and not LDAP.

Following the successful installation of policy, and the changes detailed in sk116997 and sk91844, we saw machine certificate authentication was being performed during login.

Best,
Andy
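
The TAC summary above mentions sk116997 and a CSP that would not allow SHA256 for the machine certificate. As an added example (it is not part of the post and not Check Point's own tooling), the PowerShell below lists the certificates in the LocalMachine\My store that carry the Client Authentication EKU and have a private key, and shows for each one whether the key sits in a CNG key storage provider or a legacy CAPI CSP, the provider's name, and the certificate's signature algorithm. It assumes the Remote Access client picks its machine certificate from that store; which providers sk116997 requires is not stated in this thread, so the script only reports the provider so it can be compared against the SK.

```powershell
# Added example, not from the post or from Check Point.
# Assumption: the machine certificate used by the VPN client lives in Cert:\LocalMachine\My.

# OID of the Client Authentication extended key usage
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        $cert = $_

        # Keep only certificates whose EKU extension includes Client Authentication
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasClientAuth = $false
        foreach ($ext in $ekuExt) {
            if ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }) { $hasClientAuth = $true }
        }
        if (-not $hasClientAuth) { return }

        # Resolve the private key object: RSACng means a CNG KSP holds the key,
        # RSACryptoServiceProvider means a legacy CAPI CSP holds it.
        $keyType  = 'unknown'
        $provider = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) {
                $keyType = 'non-RSA key'
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $keyType  = 'CNG KSP'
                $provider = $rsa.Key.Provider.Provider
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $keyType  = 'legacy CSP'
                $provider = $rsa.CspKeyContainerInfo.ProviderName
            }
        } catch {
            # Key may be non-exportable or inaccessible without elevation; report rather than fail
            $provider = "unreadable: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            SignatureAlg = $cert.SignatureAlgorithm.FriendlyName
            KeyType      = $keyType
            Provider     = $provider
        }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the client machine, since reading private key container details for LocalMachine certificates usually needs administrator rights. The SignatureAlg column shows the hash the issuing CA used to sign the certificate; the Provider column is the value to check against sk116997 when deciding whether the key needs to be re-enrolled into a different provider.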
