leonarit
Contributor

IPSEC RA VPN SAML and custom ttm files

Hello,

 

I’m testing the ipsec ra vpn saml integration (R81.10 JHF 156) in our lab with multiple EntraID tenants and so far the auth process works fine and I’m able to leverage the group claims in the saml responses(attribute group_attr) and associate them to Access Roles, I even discovered in sk179788 that there is a way of using the IA blade with the AzureAD directory to fetch the group of the saml authenticated user without the need to use the groups receive in the saml claim(group_attr).

 

In addition to saml auth process and IA management, I need also to be able to use the saml groups in the ipassignment.conf file (reserved IPs for specific groups) and custom ttm files (for custom split tunneling settings for specific groups)

 

The ipassignment.conf works fine with the “EXT_ID_samlgroup” and the vpn blade assigns the correct om ip from the specific group. The only issue that I’m having is with the custom ttm files.

 

I did some debugs to the vpn (vpn debug trunc ALL=5) and analyzed both log files, $FWDIR/log/vpnd.elg and $FWDIR/log/iked.elg.

 

The ike/iked takes care of the initial saml authentication and group identification and adds the prefix EXT_ID to the saml groups, it then passes those groups to the vpn/vpnd, If the vpnd detects a group with a prefix ttm_ it will try to fetch the relevant ttm from the config folder $FWDIR/conf. The issue here is that the ike/iked prefixes the group with EXT_ID and that makes it impossible to have a saml group that starts with ttm_.

 

I’ve come with a solution but it affects the whole user domain, I created an external user profile that matches only the domain of the user authenticated through saml and added this user external profile to an internal group (ttm_group1domain1). This workaround only work for the whole user domain and I can’t use a specific user saml group only. I tried to do a combination of nested groups with saml group(EXT_ID) inside an internal group (ttm_) and vice versa but it didn't work.

 

Before engaging with cp tac, I would like to know if anyone was able to do a setup using saml groups and ttm files.

 

Relevant sks:

Remote Access clients configuration based on group membership

Office Mode IP and ipassignment.conf file

ATRG: VPN Core

 

Regards.

0 Replies
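A small Python model of the group handling described in this post (an added illustration, not Check Point code and not from the poster): iked tags SAML groups with EXT_ID_, vpnd looks for a ttm_ group, and the per-domain workaround injects an internal ttm_ group. The prefix strings, the ttm file naming and the sample group and domain names are assumptions made for the illustration.

```python
# Model of the behaviour the post infers from vpnd.elg / iked.elg (assumed, illustrative only).
EXT_ID_PREFIX = "EXT_ID_"   # assumed exact form of the prefix iked adds to SAML groups
TTM_PREFIX = "ttm_"         # prefix vpnd looks for when selecting a custom ttm file
TTM_SUFFIX = ".ttm"         # assumed naming of the file vpnd loads from $FWDIR/conf


def iked_tag_saml_groups(saml_groups):
    """Simulate iked: every group taken from the SAML claim comes back with EXT_ID_ in front."""
    return [EXT_ID_PREFIX + g for g in saml_groups]


def vpnd_select_ttm(user_groups, available_ttm_groups):
    """Simulate vpnd: the first ttm_ group that has a matching file in $FWDIR/conf wins.

    Returns the file name, or None when no group qualifies (default ttm applies).
    """
    for group in user_groups:
        if group.startswith(TTM_PREFIX) and group in available_ttm_groups:
            return group + TTM_SUFFIX
    return None


def workaround_groups(saml_groups, user_domain, internal_groups_by_domain):
    """Simulate the poster's workaround: an external user profile matching the user's
    domain is a member of an internal ttm_ group, so membership is per domain, not per
    SAML group. The SAML groups are still EXT_ID_-tagged and still cannot match ttm_."""
    domain_groups = internal_groups_by_domain.get(user_domain, [])
    return iked_tag_saml_groups(saml_groups) + list(domain_groups)


def demo():
    """Constructed sample data showing the collision and the workaround side by side."""
    available = {"ttm_split1", "ttm_group1domain1"}
    # Direct approach: a SAML group literally named ttm_split1 never matches after tagging.
    direct = vpnd_select_ttm(iked_tag_saml_groups(["ttm_split1"]), available)
    # Workaround: any user of the domain gets ttm_group1domain1, regardless of SAML group.
    by_domain = {"domain1.example": ["ttm_group1domain1"]}  # constructed mapping
    sales = vpnd_select_ttm(workaround_groups(["sales"], "domain1.example", by_domain), available)
    hr = vpnd_select_ttm(workaround_groups(["hr"], "domain1.example", by_domain), available)
    return direct, sales, hr


if __name__ == "__main__":
    print(demo())
```

The two workaround results being identical for the "sales" and "hr" SAML groups is the per-domain limitation the post describes.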
