Solved: Machine Authentication & Identity Awareness

stich86 · ‎2021-01-09

Hi guys,

we are trying to enable machine authentication using AD machine enrollment, but we see two behaviours:

- the first one is the IP match with IA, after user logon on his laptop, we don't have the related event (that should be get from ADC), so all users rules based con Access Roles are not working

- the MA auth seems to work only with Legacy Login, this expose us to remove DynamicID from the authentication, so if some smart users change the type of login on the CP client can skip the 2FA

Any hints on the two problems?

Thanks in advance!

stich86 · ‎2021-01-10

check this link: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

i think the problem is related to how the recoinciliation works. As i've understood the Remote VPN connector cannot be modified appending an ADQ.

Is it right?

Thanks

View solution in original post

Chris_Atkinson · ‎2021-01-10

To clarify your not seeing the AD/DC side security events for log-on & log-off vs un-lock is the auditing set correctly for the same?

Note these are the priorities of the different Identity Sources:
1. Remote Access (enabled by default)
2. Identity Agent, Terminal Servers Identity Agent
3. Captive Portal, Identity Collector, RADIUS Accounting, Identity Awareness API
4. AD Query

CCSM R77/R80/ELITE

stich86 · ‎2021-01-10

check this link: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

i think the problem is related to how the recoinciliation works. As i've understood the Remote VPN connector cannot be modified appending an ADQ.

Is it right?

Thanks

henryck · ‎2022-09-15

Hi @stich86

I am experiencing the same issue on R81.10 gateways.

Our machine certificate based remote access users are only being recognised by machine identity & not username.

Did you find out what causes this?

Steffen_Appel · ‎2022-11-17

We have the same problem actually.

henryck · ‎2022-11-17

Stitch86 was on the money, its due to reconciliation.

Our configuration was changed on the gateways in pdp_session_conciliation.c with help from TAC

stich86 · ‎2022-11-17

Sorry for late response!

i’m happy that you have solved the issue 🙂

Steffen_Appel · ‎2022-11-17

Can you tell me what you actually did and how it resolved the issue?

stich86 · ‎2022-11-17

You should open a ticket to the TAC, so they can give you the change needed on PDP reconciliation 🙂

Steffen_Appel · ‎2023-01-06

TAC ticket is open but PDP change did not help.

Steffen_Appel · ‎2023-01-10

Just to make sure, you use the machine tunnel before and after logon?

Our supporter claims, that we have to turn the machine tunnel off after logon to get the user information correctly.

Are you a member of CheckMates?

Machine Authentication & Identity Awareness