Nickel

Machine certificate authentication on R80.20

I have an end customer who wants to be able to deploy machine authentication for clients and username and password, but then if they have people using their own PC, they will use the clientless portal (SNX).

 

Following SK121173, we obtained the hotfix "fw1_wrapper_HOTFIX_R80_20_JHF_T114_469_470_MAIN_GA_FULL" from our local SE. 

 

If I implement the following, we are able to log in with just username and password: -

ckp_regedit -a SOFTWARE/CheckPoint/VPN1 machine_cert_auth 1

 

But if I enforce machine certificate authentication by running ckp_regedit -a SOFTWARE/CheckPoint/VPN1 machine_cert_auth 2, it fails.

At first I was receiving an error stating the CRL could not be fetched. I disabled this by unchecking the option on the trusted CA server object as I wanted to be able to test it working first. 

I now get the following error: -

"Connection Failed: Machine certificate is required". 

 

I generated a certificate and installed it on the client PC but still get the same error message.

Does the certificate have to be installed in a particular certificate store?

 

0 Kudos
2 Replies
Admin

Yes, it needs to be a machine certificate from the Windows System Store.
Note that if you have multiple machine certs, we will choose the one with the longest expiration date to authenticate with.
0 Kudos
Nickel

The issue was resolved by adding the Root CA as a trusted CA server and importing that certificate. The subs wouldn't work. This solution was in collaboration with Check Point R&D. 

 

I have asked for SK121173 to be updated, but it doesn't look like it has been yet.

0 Kudos
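A client-side check for the two points raised in this thread (the certificate has to be in the machine store, and the gateway had to trust the Root CA rather than a subordinate), as an added example that is not part of the original posts or Check Point tooling. It assumes "Windows System Store" means the Local Computer Personal store (`Cert:\LocalMachine\My`) and should be run from an elevated PowerShell prompt on the client PC.

```powershell
# Added example: inventory the machine certificates on a Windows client.
# Assumption: the machine store is the Local Computer "Personal" store.
$storePath = 'Cert:\LocalMachine\My'
$now       = Get-Date

$report = foreach ($cert in Get-ChildItem -Path $storePath) {
    # Build the chain locally, without revocation checks, only to see
    # which CA sits at the top of it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built    = $chain.Build($cert)
    $elements = @($chain.ChainElements)
    $top      = $elements[-1].Certificate

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        OutsideValidity = ($cert.NotBefore -gt $now) -or ($cert.NotAfter -lt $now)
        HasPrivateKey   = $cert.HasPrivateKey
        ChainBuilt      = $built
        ChainLength     = $elements.Count
        ChainTop        = $top.Subject
        # A self-signed top element is the Root CA; otherwise the local
        # chain stops at a subordinate CA.
        TopIsRoot       = ($top.Subject -eq $top.Issuer)
    }
}

if (-not $report) {
    Write-Output "No certificates found in $storePath"
} else {
    # Per the reply above, the certificate with the longest expiration
    # date is the one chosen, so list that one first.
    $report | Sort-Object NotAfter -Descending | Format-List
}
```

The first entry listed is the certificate the reply above says will be selected; its `ChainTop` value is the CA to compare against the trusted CA server object on the gateway.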