This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Claudio_Bartoli
Explorer
‎2019-03-06 10:14 AM

Established VPN connection via Endpoint Security make me unable to login on OsX

Hi all,

I'm facing a very strange behaviour using Endpoint Security E80.89 on OsX High Sierra 10.13.6.

When I'm connected in VPN I'm unable to login on my own computer in different ways:

Command Line

Simply opening a Terminal app on on my mac, bash does not start normally.

The terminal says:

Login incorrect

login: 

I work a lot with Terminals, and I would like to open any bash terminal in any conditions Smiley Happy 

Login Page

If I lock the screen, to take a coffee in example, I'm unable to login again to my computer.

The only way that I found is to cut the power in a very unsafe way.

Is anyone facing the same behaviour and can I workaround this ?

It's really annoying

Claudio

0 Kudos
9 Replies
G_W_Albrecht
Legend
Legend
‎2019-03-07 05:43 AM

I have never heard of such an issue - what about the User Accounts on the Mac ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
Claudio_Bartoli
Explorer
‎2019-03-07 06:29 AM
In response to G_W_Albrecht

The Mac is on ActiveDirectory domain and the user is LDAP user.

User has admin rights locally on the machine.

0 Kudos
G_W_Albrecht
Legend
Legend
‎2019-03-07 11:57 PM
In response to Claudio_Bartoli

I would suggest to involve TAC here !

CCSE CCTE CCSM SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-09 08:27 AM

I ran into this problem a while back and was able to resolve it.

I don't remember exactly what I did to resolve it, but you might try some of the suggestions here: Mac OS X Terminal not logging in - Super User 

0 Kudos
Claudio_Bartoli
Explorer
‎2019-03-09 09:07 AM
In response to PhoneBoy

I'm not sure is the same things.

My issue is not limited to the terminal but invoves the whole os!

If I lock my user while VPN connection is established I'm out and I'm not able to connect again.

With VPN disconnected both OsX login and Terminal works as expected.

With VPN connected I'm unable to start a new terminal and a re-login to an opened OsX session.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-09 09:13 AM
In response to Claudio_Bartoli

As Gunther suggested earlier, a TAC case is probably in order then.

How To Open a Case with TAC and/or Account Services

0 Kudos
Claudio_Bartoli
Explorer
‎2019-03-09 09:22 AM
In response to PhoneBoy

I have not a direct support agreement with Check Point.

A customer gave me a checkpoint VPN but is quite impossibile to involve them to make a TAC request on my behalf.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-09 09:34 AM
In response to Claudio_Bartoli

The VPN client on the Mac is meant for endpoints managed by the organization.

It includes (among other things) a desktop firewall, which may be partially responsible for what's happening.

The SNX client with Mobile Access Blade might be better for your use case.

However, your customer would need to have this configured.

0 Kudos
Claudio_Bartoli
Explorer
‎2019-03-20 03:45 PM
In response to PhoneBoy

I had finally resolved my issue.

I figured out that OsX  query LDAP server on each single login without any kind of caching by default.

In my case i was on iMac with ethernet connectivity.

 

To enable LDAP cache feature, the OsX account must be a Mobile Account.
https://community.spiceworks.com/topic/103386-active-directory-user-login-in-macosx

 

Maybe the active VPN, make the system unable to figure out witch is the domain controller (maybe the main cause could be the default DNS suffix rewrite ?)

0 Kudos