Heath_Mote
Collaborator

Mobile Access Encryption

I need some guidance on this...

I have R80.10 management and some of my gateways are still on R77.30, so I can't use the Access Roles in the source and still use the Remote Access VPN group. So on these sites I would like to use the Legacy User (LDAP User) in the source, but my rules aren't matching after connecting to the VPN; please see another recent user post on this subject to view my setup there. This got me thinking, and to my questions:

- Is the Remote Access VPN encrypted from the end point client to the gateway even if I don't have the Remote Access VPN community set? Remember above that I can't get my LDAP group to match the user.

- If this is the case, to get down to the level of user auth to the destination with an R77.30 gateway, would it be recommended to use the Access Roles in the source and NOT use the Remote Access VPN community?

In the future we are planning to upgrade everything to R80.XX, but we are having trouble getting the granularity we need on the VPN. Also, we do have Identity Awareness enabled and working as well.

0 Kudos
2 Replies
Dor_Marcovitch
Advisor

hey

For an R77.30 GW, from what I know, if you want to use an LDAP group on the MOB policy you will need to use an LDAP group that is a member of a local user group. This is the supported way.

Using an LDAP group directly on the MOB policy can work, but may cause problems.

Access Role is not supported on MOB policy.

If this is a native app, because the encryption domain is built up from the MOB rules (with a lot of ***), it is a good way to check the routing table on the client side after connecting to see if the routes exist there.

Also, in the logs you can see which application and groups are matched for the user.

Debugs can be taken for VPND and CVPND to get the authentication and the user's group membership, which is done on the authentication step.

Thanks
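The client-side route check suggested in the reply above, as an added example that is not part of the thread and not Check Point's own tooling: it parses the routing table output a user would collect on the client after connecting (Linux `ip route` or Windows `route print` format), and reports which of the expected encryption-domain subnets have no covering route. The subnet list and both route-table samples are constructed; the gateway and interface values in them are illustrative only.

```python
"""Verify that the subnets of a Remote Access encryption domain were pushed
to the client's routing table after the VPN connected.

Added example for the thread above, not Check Point's code.  The expected
subnets and the route-table text are constructed sample data."""
import ipaddress

# Constructed: subnets the Mobile Access rules are expected to push to the client.
EXPECTED_ENCRYPTION_DOMAIN = ["10.10.0.0/16", "192.168.50.0/24", "172.16.8.0/22"]

# Constructed sample of `ip route` output on a Linux client (192.168.50.0/24 absent).
SAMPLE_LINUX_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.10.0.0/16 via 192.168.1.1 dev wlan0
172.16.8.0/22 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Constructed sample of `route print` output on a Windows client (172.16.8.0/22 absent).
SAMPLE_WINDOWS_ROUTES = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.23     25
        10.10.0.0      255.255.0.0      192.168.1.1     192.168.1.23     26
     192.168.50.0    255.255.255.0      192.168.1.1     192.168.1.23     26
      192.168.1.0    255.255.255.0         On-link      192.168.1.23    281
"""


def _is_ipv4(token):
    """True if the token is a dotted-quad IPv4 address (or netmask)."""
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_route_table(text):
    """Extract destination networks from `ip route` or `route print` output.

    Handles: Linux 'default ...', Linux 'a.b.c.d/len ...', Linux host routes
    'a.b.c.d via ...', and Windows rows 'dest mask gateway iface metric'.
    Header and separator lines are skipped because they do not start with an
    address."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "default":
            net = "0.0.0.0/0"
        elif "/" in tokens[0]:
            net = tokens[0]
        elif len(tokens) >= 2 and _is_ipv4(tokens[0]) and _is_ipv4(tokens[1]):
            net = f"{tokens[0]}/{tokens[1]}"          # Windows: destination + netmask
        elif _is_ipv4(tokens[0]):
            net = f"{tokens[0]}/32"                   # Linux host route
        else:
            continue
        try:
            routes.append(ipaddress.ip_network(net, strict=False))
        except ValueError:
            continue
    return routes


def missing_routes(expected_subnets, routes):
    """Return the expected subnets that no specific route covers.

    A route covers a subnet when the subnet lies inside it.  The default
    route is deliberately ignored: it proves nothing about what the VPN
    client installed."""
    missing = []
    for cidr in expected_subnets:
        want = ipaddress.ip_network(cidr)
        covered = any(
            r.prefixlen > 0 and r.version == want.version and want.subnet_of(r)
            for r in routes
        )
        if not covered:
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    for name, sample in (("linux", SAMPLE_LINUX_ROUTES), ("windows", SAMPLE_WINDOWS_ROUTES)):
        gaps = missing_routes(EXPECTED_ENCRYPTION_DOMAIN, parse_route_table(sample))
        print(f"{name}: missing encryption-domain routes -> {gaps or 'none'}")
```

Paste the real `ip route` or `route print` output in place of the sample text; a subnet reported as missing means the Mobile Access rules did not produce a route for it, which narrows the problem to the policy rather than to the Security Policy match for the user.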

Heath_Mote
Collaborator

On the Mobile Access Policy I'm just saying that "all users" can authenticate, because I'm doing my authentication with RADIUS and 2FA. So connecting to the VPN and getting the routes in the Remote Access encryption domain is good. Now I just need to apply my authorization via the Security Policy, and I'm having issues in R77 since I can't use the Access Roles and also set the VPN community to Remote Access. I'm trying to use the Legacy User with LDAP groups, but that isn't matching for some reason.

When you say "you will need to use an LDAP group that is member of a local user group. this is the supported way."...do you mean that I need to create a local user that matches the username in LDAP to get the Legacy User Auth to work in the Security Policy?

Thanks so much for the response and I'm going to dig into the VPND and CVPND debugs today just to see what information these hold. Thanks again for the response and extra tips on debugging!

0 Kudos
