This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AshleyM
Participant
‎2023-11-16 09:48 AM

Machine Authentication Pre-Windows Login Certificate Issue on Check Point Remote Access VPN

Hello CheckMates Community,

I'm reaching out for some insights regarding a challenge I'm facing with the Check Point Remote Access VPN. Although the initial setup and machine authentication seem to be working fine, I'm encountering a specific issue at the pre-Windows login phase: the authentication certificate required for login isn't showing up.

Brief Overview of the Issue:

  • Successfully set up the Check Point Remote Access VPN and machine authentication. VPN authenticates with machine cert and SAML once logged into windows.
  • The problem occurs at the pre-Windows login stage, where no certificate appears for authentication. SDL is enabled for this, so the VPN client is available at pre-windows login.

Troubleshooting Attempts:

  • Checked the certificate's installation in the Windows certificate store.
  • Configured the VPN client settings to align with certificate requirements.
  • Investigated potential group policy restrictions impacting certificate usage.
  • Updated the VPN client and related drivers.

Despite these steps, the issue remains unresolved. I'm hoping someone in the community might have encountered a similar situation or could offer some advice. Any suggestions or guidance would be greatly appreciated.

EPS-SDL.jpg

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Here is some system information:

Host OS = Windows 10

Firewall version = R80.40 (with latest HF)

Here are some guides I've followed:

https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...

Solved: Re: Secure Domain Logon with certificate based aut... - Check Point CheckMates

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-...

Looking forward to your responses and thank you in advance for your help!

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2023-11-20 08:24 AM

Where is the certificate stored in this case?
See also: https://support.checkpoint.com/results/sk/sk121173 

0 Kudos
AshleyM
Participant
‎2023-11-20 11:27 AM
In response to PhoneBoy

Hi, my machine cert is in the personal store, intermediate in the intermediate and the root in the root. The Management server has also got both the Intermediate and the root certs installed. This is because the machine cert is signed by the intermediate as is the server cert configured on the gateway

 

Thanks for the link you shared, however I am using R80.40 on the gateway.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-20 02:05 PM
In response to AshleyM

You're trying to use a CAPI certificate for SDL.
This is not supported and is noted as such in the product documentation: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events