This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
scottikon
Contributor
‎2020-04-28 08:53 AM

Machine certificate authentication on R80.20

I have an end customer who wants to be able to deploy machine authentication for clients and username and password but then if they have people using their own PC, they will use the clientless portal (SNX). 

 

Following SK121173, we obtained the hotfix "fw1_wrapper_HOTFIX_R80_20_JHF_T114_469_470_MAIN_GA_FULL" from our local SE. 

 

If I implement the following, we are able to log in with just username and password: -

ckp_regedit -a SOFTWARE/CheckPoint/VPN1 machine_cert_auth 1

 

But if I enforce machine certificate authentication by running ckp_regedit -a SOFTWARE/CheckPoint/VPN1 machine_cert_auth 2 , it fails. 

At first I was receiving an error stating the CRL could not be fetched. I disabled this by unchecking the option on the trusted CA server object as I wanted to be able to test it working first. 

I now get the following error: -

"Connection Failed: Machine certificate is required". 

 

I generated a certificate and installed on the client PC but still get the same error message. 

Does the certificate have to be installed in a particular certificate store?

 

Preview file
67 KB
0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2020-04-28 10:25 AM

Yes, it needs to be a machine certificate from the Windows System Store.
Note that if you have multiple machine certs, we will choose the one with the longest expiration date to authenticate with.
0 Kudos
scottikon
Contributor
‎2020-06-24 06:24 AM
In response to PhoneBoy

The issue was resolved by adding the Root CA as a trusted CA server and importing that certificate. The subs wouldn't work. This solution was in collaboration with Check Point R&D. 

 

I have asked for the SK121173 to be updated but doesn't look like it has yet.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events