Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Herman
Contributor

How to setup machine certificate authentication?

Hello community!
I want to undestand how correctly enable machine certificate for separete VPN access for AD domain machines and AD users.
If I right about this, that for enable this feature I should:

  1. Get root cert and intermediate cert in my CA, added this certs to checkpoint environment (according sk149253) for ability generate CSR request for each future machine cert (and this I have a question, after I get cert, generated from CSR, where it is should putted in user machine? For example in windows machine, in certmgr -> "trusted root cert authorities" or other place?);
  2. In VPN Gateway activate feature "VPN Clients" -> "Authentication" -> select checkbox "Send Machine Certificate";
  3. Finally create rule with AccessRole (of couse, before it, activate Identity awareness for required AD server) in RuleBase as follow:
     
    vpnrules.jpg

Please clarify or correct my suggestions about machine certificate option for VPN.

0 Kudos
(1)
21 Replies
G_W_Albrecht
Legend
Legend

0 Kudos
yunier88
Participant

Hello,

In my case I would like to be able to find some more detailed documentation or a course where I explain how to configure MAchine Certificat. If you found any documentation that explains better how to activate it, I would appreciate it if you shared it

 

Thanks

0 Kudos
G_W_Albrecht
Legend
Legend

0 Kudos
yunier88
Participant

Thanks for sharing that link, but I can't find all the necessary information is there. For example, nowhere does it explain where and how the certificate is configured on the client side. It also doesn't explain how the client couldn't take the certificate and install it on another computer. This documentation does not help me much, if you have any other information to share I would appreciate it

0 Kudos
G_W_Albrecht
Legend
Legend

I am not quite sure what you are talking about - the 3rd paragraph reads:

Machine certificate authentication works with the Endpoint Client only. For more details on how to configure this feature on the client side, see Machine Authentication in the E80.72 and Higher Remote Access Clients Administration Guide.

CCSE CCTE CCSM SMB Specialist
0 Kudos
yunier88
Participant

Hello,

First of all thank you for your quick response. In the documentation that invites me to follow, there is the configuration of the Endpoint Client and the parameters to set to use a certificate. But I can't find anywhere where it explains:
1- Where to install the certificate on the user's computer.
2-Which certificate to install on the user side
I only find the process of creating and installing the certificate on the gateway, but no documentation explains how to work with this certificate on the client's computer. I hope I have been a little clearer in my doubts
Thank you

0 Kudos
JC_S
Employee
Employee

Generally speaking, machine authentication certificates are done through Microsoft AD or similar.  Group policy can be configured related to auto-enrollment from the Microsoft CA, and enforced through their mechanisms.  The machine certificates are stored in the certlm console page (On most Windows computers, just begin typing certificate in and you should see Manage Computer Certificates) which is part of the CAPI store.

If you are manually installing a 3rd party certificate for machine cert, then you will need to make sure you have a way to let your DC know about the machine certificates, as access is generally defined by OU for machine-auth.

0 Kudos
LazarusG
Participant
Participant

Hi JC_S 

The manual points to sk149253 as the first step which has instructions to add 3rd party ipsec certificate. I have had many customers querying this. I have been advising them that only steps 1-14 are relevant and to use only the internal CA tied to their Domain. 

Are you saying that I was incorrect and that it is possible to use a third party PKI for this afterall?

If so is there any instruction on how to make AD aware of the 3rd party so that client presented certs will allow authentication against the domain?

Thanks in advance.

0 Kudos
yunier88
Participant

Hello,

I would like to know if you found the answer to your questions. I also need to know where the certificate is installed on the client side.

Thank you

0 Kudos
evigl
Explorer

Hi all, I'm still straggling myself....in case anyone can provide more detailed info, any help will be much appreciated 🙂 

 

Cheers!

 

Helen

0 Kudos
Mikael
Collaborator
Collaborator

Hello,

The cert should be placed in the cert-store for local-machine for use with machine-only tunnels.

2019-01-10_14-30-58.jpg

0 Kudos
Howard_Gyton
Advisor

For us we have the client certificate in Personal, the CA is in Trusted Root, and the Sub-CA is in "Intermediate Certification".  These last two correspond to the Root, and Sub-CA server objects created in SmartConsole respectively.  Certs are deployed via Group Policy.

zr4
Participant

nice

0 Kudos
asolari
Explorer

In our case we need to carry out a laboratory to later implement it in a client.
We have some doubts because the procedure does not explain in detail. In the case of having a third-party certificate, we are clear about where to add it to the SMS and where to add it to the user's PC, but we have doubts about where to add it in ADDS. And how is the communication generated in the authentication.
Does the PC validate against the SMS certificate and if they are congruent, does it accept the start of the communication, or does the PC validate against the SMS and the SMS against the AD and then return to the PC?
Thank you so much

0 Kudos
PhoneBoy
Admin
Admin

The certificate is validated as part of the authentication process per the configured third party certificate authority you're using (per it's CRL/OSCP).
Assuming the certificate is valid and matches a known branch, the user is authenticated on the Check Point gateway.
Groups are looked up via LDAP via Active Directory for users.

asolari
Explorer

Thank you very much for the reply.
Therefore, it is not necessary that the certificate shared by the PC and the Checkpoint Gateway/Cluster is also included in the ADDS. The client wants to log in via VPN with a certificate without entering a password.

0 Kudos
PhoneBoy
Admin
Admin

It needs to be a certificate that can be validated by the configure third-party certificate authority.
If you want to log in without a password using a certificate, the certificate will need to be stored in the OS-specific certificate store.
Otherwise, if you're using just a .p12 file, the file will need to be protected with a password (but this can be cached by the client).

0 Kudos
asolari
Explorer

Thank you so much

0 Kudos
Steffen_Appel
Advisor

We set it up with the AD integrated CA and enrollment based on AD group membership, that works great.

0 Kudos
sambath
Participant

Hello Steffen,

Do you have any idea if we integrate with SAML using identity_provider. I just wonder how the machine_authentication working flow in this scenario. 

Regards,
Sambath

0 Kudos
Steffen_Appel
Advisor

Hi Sambath - unfortunately not

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events