H2-F1
Participant

Machine AD membership Authentication using Radius/LDAP

Hi Everyone,

I would like to get some guidance on IPSec VPN machine Authentication.

I have an R80.10 ClusterXL configured for IPsec VPN and Mobile Access for remote users using Check Point Endpoint clients. Authentication is currently done via RADIUS for domain users only. I want to ensure that only corporate machines (AD joined) can connect, so anyone installing the client on their personal laptop/computer will be denied.

To do this, I enabled the Identity Awareness blade and added an access role where I defined the Domain Computers and Domain Users AD groups in the relevant fields. I added this to the firewall rule (as source) where the VPN community is allowed to access internal subnets. However, this did not work. Can anyone provide some guidance on how to get this done? I went through the R80.10 admin guide, but it does not explain how to configure such authentication.

I found an article which refers to Machine Certificate Authentication, but this is not what I'm after; I only want to check the laptop's hostname against RADIUS.

Machine Certificate Installation on Security Gateway for Authentication to VPN Clients

Thanks in advance.

5 Replies
PhoneBoy
Admin

What flavor of the VPN client are you using?

You can enforce this on the client itself using SCV or the Compliance Blade.

See this thread for related discussion: https://community.checkpoint.com/message/17366-remote-access-configuration-and-compliance-help 

0 Kudos
H2-F1
Participant

I'm using E80.85 for the client. I've looked at the SCV solution and, as the chap in the other thread said, it looks complicated and messy and I will probably not be able to complete it in the allocated time I have. I will take a look at the Compliance blade solution on Monday (assuming this can be enabled on the FW) and feed back.

On a separate note, I am also planning on setting up IKEv2 VPN on iOS devices, where I will also need to ensure that only corporate phones/tablets are allowed to connect.

1- Can CP do MAB RADIUS checks?

2- Can the Compliance blade solution above be integrated with iOS devices?

Thanks

PhoneBoy
Admin

What do you mean by "MAB RADIUS checks"?

The Compliance checks will only function on managed Mac/Windows VPN clients and do not apply to iOS/Android devices.

0 Kudos
H2-F1
Participant

I was wondering: if I registered iOS devices' MAC addresses in a security group (such as in Cisco ISE) as they get enrolled for other services, could I get CP to send an authorisation request/check (as is done for WLC/NAC deployments) to query whether this MAC is in the registered security group before allowing it to connect to a VPN?

The only alternative is to push a certificate via MDM.

Thanks

0 Kudos
PhoneBoy
Admin

You can definitely use RADIUS for authentication on VPN, but I'm not sure we send any extended attributes as part of the authentication request.

0 Kudos
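The MAB-style check discussed above depends on one detail the thread leaves open: whether the gateway, acting as the RADIUS NAS, puts the client's MAC into the Calling-Station-Id attribute of its Access-Request. The following is an added example written for this page, not Check Point's code or anything posted in the thread. It builds an RFC 2865 Access-Request the way a NAS would, then applies the server-side policy a RADIUS/NAC server would need: accept only when the user credentials verify and the device MAC is in a registered group, and reject when the NAS sends no device identity at all. The shared secret, the user, the NAS-Identifier and the registered MAC are all constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 2, 31, 32

# Constructed sample data: shared secret, one user, one registered device MAC.
SECRET = b"constructed-shared-secret"
CREDENTIALS = {"alice": b"s3cret"}
REGISTERED_MACS = {"aabbcc112233"}  # normalized form of AA-BB-CC-11-22-33


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is obfuscation against casual sniffing, not strong encryption."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = block if decrypt else result  # chain on the ciphertext block
    return out


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    return _xor_chain(padded, secret, authenticator, decrypt=False)


def decode_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_chain(cipher, secret, authenticator, decrypt=True).rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_id, calling_station_id=None):
    """What a NAS (here, a VPN gateway) sends. Calling-Station-Id carries the client
    MAC only when the NAS supplies it, so it is optional in this builder."""
    authenticator = os.urandom(16)
    pairs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, encode_password(password.encode(), secret, authenticator)),
             (NAS_IDENTIFIER, nas_id.encode())]
    if calling_station_id is not None:
        pairs.append((CALLING_STATION_ID, calling_station_id.encode()))
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt: bytes):
    """Parse the header and TLV attributes, rejecting malformed lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def normalize_mac(text: str) -> str:
    """Canonical lowercase hex so 'AA-BB-CC-11-22-33' and 'aabb.cc11.2233' compare equal."""
    return "".join(c for c in text.lower() if c in "0123456789abcdef")


def server_decide(pkt, secret, credentials, registered_macs):
    """Server-side policy: Access-Accept only when the credentials verify AND the
    device MAC from Calling-Station-Id is in the registered group."""
    code, _ident, authenticator, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        return ACCESS_REJECT, "not an Access-Request"
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    given = decode_password(attrs.get(USER_PASSWORD, b""), secret, authenticator)
    stored = credentials.get(user)
    if stored is None or not hmac.compare_digest(stored, given):
        return ACCESS_REJECT, "bad credentials"
    if CALLING_STATION_ID not in attrs:  # the NAS told us nothing about the device
        return ACCESS_REJECT, "no device identity"
    mac = normalize_mac(attrs[CALLING_STATION_ID].decode("utf-8", "replace"))
    if mac not in registered_macs:
        return ACCESS_REJECT, "device not registered"
    return ACCESS_ACCEPT, "user and device authorized"


if __name__ == "__main__":
    for mac in ("AA-BB-CC-11-22-33", "00-11-22-33-44-55", None):
        req = build_access_request(1, SECRET, "alice", "s3cret", "vpn-gw", mac)
        print(mac, "->", server_decide(req, SECRET, CREDENTIALS, REGISTERED_MACS))
```

The third case in the demo is the one that matters for this thread: if the gateway never populates Calling-Station-Id, the RADIUS server has nothing to match against a device group and the policy falls back to user-only authentication, which is exactly the gap the original question describes. Verifying with a packet capture whether the attribute is present is the first check to make before building policy on it.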
