Re: How to setup machine certificate authenticatio...

Herman · ‎2021-11-03

Hello community!
I want to undestand how correctly enable machine certificate for separete VPN access for AD domain machines and AD users.
If I right about this, that for enable this feature I should:

Get root cert and intermediate cert in my CA, added this certs to checkpoint environment (according sk149253) for ability generate CSR request for each future machine cert (and this I have a question, after I get cert, generated from CSR, where it is should putted in user machine? For example in windows machine, in certmgr -> "trusted root cert authorities" or other place?);
In VPN Gateway activate feature "VPN Clients" -> "Authentication" -> select checkbox "Send Machine Certificate";
Finally create rule with AccessRole (of couse, before it, activate Identity awareness for required AD server) in RuleBase as follow:

Please clarify or correct my suggestions about machine certificate option for VPN.

G_W_Albrecht · ‎2021-11-03

sk121173: Machine Certificate Installation on Security Gateway for Authentication to VPN Clients

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

yunier88 · ‎2022-04-26

Hello,

In my case I would like to be able to find some more detailed documentation or a course where I explain how to configure MAchine Certificat. If you found any documentation that explains better how to activate it, I would appreciate it if you shared it

Thanks

G_W_Albrecht · ‎2022-04-26

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/T...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

yunier88 · ‎2022-04-26

Thanks for sharing that link, but I can't find all the necessary information is there. For example, nowhere does it explain where and how the certificate is configured on the client side. It also doesn't explain how the client couldn't take the certificate and install it on another computer. This documentation does not help me much, if you have any other information to share I would appreciate it

G_W_Albrecht · ‎2022-04-26

I am not quite sure what you are talking about - the 3rd paragraph reads:

Machine certificate authentication works with the Endpoint Client only. For more details on how to configure this feature on the client side, see Machine Authentication in the E80.72 and Higher Remote Access Clients Administration Guide.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

yunier88 · ‎2022-04-27

Hello,

First of all thank you for your quick response. In the documentation that invites me to follow, there is the configuration of the Endpoint Client and the parameters to set to use a certificate. But I can't find anywhere where it explains:
1- Where to install the certificate on the user's computer.
2-Which certificate to install on the user side
I only find the process of creating and installing the certificate on the gateway, but no documentation explains how to work with this certificate on the client's computer. I hope I have been a little clearer in my doubts
Thank you

JC_S · ‎2022-12-13

Generally speaking, machine authentication certificates are done through Microsoft AD or similar. Group policy can be configured related to auto-enrollment from the Microsoft CA, and enforced through their mechanisms. The machine certificates are stored in the certlm console page (On most Windows computers, just begin typing certificate in and you should see Manage Computer Certificates) which is part of the CAPI store.

If you are manually installing a 3rd party certificate for machine cert, then you will need to make sure you have a way to let your DC know about the machine certificates, as access is generally defined by OU for machine-auth.

LazarusG · ‎2023-01-09

Hi JC_S

The manual points to sk149253 as the first step which has instructions to add 3rd party ipsec certificate. I have had many customers querying this. I have been advising them that only steps 1-14 are relevant and to use only the internal CA tied to their Domain.

Are you saying that I was incorrect and that it is possible to use a third party PKI for this afterall?

If so is there any instruction on how to make AD aware of the 3rd party so that client presented certs will allow authentication against the domain?

Thanks in advance.

yunier88 · ‎2022-04-27

Hello,

I would like to know if you found the answer to your questions. I also need to know where the certificate is installed on the client side.

Thank you

evigl · ‎2022-10-10

Hi all, I'm still straggling myself....in case anyone can provide more detailed info, any help will be much appreciated 🙂

Cheers!

Helen

Mikael · ‎2022-10-11

Hello,

The cert should be placed in the cert-store for local-machine for use with machine-only tunnels.

Howard_Gyton · ‎2023-01-25

For us we have the client certificate in Personal, the CA is in Trusted Root, and the Sub-CA is in "Intermediate Certification". These last two correspond to the Root, and Sub-CA server objects created in SmartConsole respectively. Certs are deployed via Group Policy.

zr4 · ‎2023-01-25

nice

asolari · ‎2023-05-22

In our case we need to carry out a laboratory to later implement it in a client.
We have some doubts because the procedure does not explain in detail. In the case of having a third-party certificate, we are clear about where to add it to the SMS and where to add it to the user's PC, but we have doubts about where to add it in ADDS. And how is the communication generated in the authentication.
Does the PC validate against the SMS certificate and if they are congruent, does it accept the start of the communication, or does the PC validate against the SMS and the SMS against the AD and then return to the PC?
Thank you so much

PhoneBoy · ‎2023-05-22

The certificate is validated as part of the authentication process per the configured third party certificate authority you're using (per it's CRL/OSCP).
Assuming the certificate is valid and matches a known branch, the user is authenticated on the Check Point gateway.
Groups are looked up via LDAP via Active Directory for users.

asolari · ‎2023-05-22

Thank you very much for the reply.
Therefore, it is not necessary that the certificate shared by the PC and the Checkpoint Gateway/Cluster is also included in the ADDS. The client wants to log in via VPN with a certificate without entering a password.

PhoneBoy · ‎2023-05-23

It needs to be a certificate that can be validated by the configure third-party certificate authority.
If you want to log in without a password using a certificate, the certificate will need to be stored in the OS-specific certificate store.
Otherwise, if you're using just a .p12 file, the file will need to be protected with a password (but this can be cached by the client).

asolari · ‎2023-05-25

Thank you so much

Steffen_Appel · ‎2023-06-06

We set it up with the AD integrated CA and enrollment based on AD group membership, that works great.

sambath · ‎2024-01-15

Hello Steffen,

Do you have any idea if we integrate with SAML using identity_provider. I just wonder how the machine_authentication working flow in this scenario.

Regards,
Sambath

Steffen_Appel · ‎2024-01-16

Hi Sambath - unfortunately not

Are you a member of CheckMates?

How to setup machine certificate authentication?