AmitS
Explorer

Need to Allow only specific MAC address systems to connect via RAVPN

Hi Guys,

We have a requirement that only specific MAC addresses/company-assigned laptops should be able to connect to the company RAVPN to access internal resources. If a user tries to log in from any other system, the user should not be able to connect to the VPN.

Can we achieve this via a MAC check or MAC binding in the Endpoint Client when a user tries to connect to the VPN?

In the SCV check there is no direct option to check this.

Apart from MAC, if any other check or Check Point config can achieve this, it is most welcome!!

Accepted Solutions
PhoneBoy
Admin

The way organizations typically enforce this is one of:

  • Machine Certificate (supported as an auth method from R80.40)
  • Checking for a specific registry key (e.g., if joined to Active Directory).

We don't do enforcement by MAC for Remote Access clients.

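The two checks in the accepted answer, as an added example that is not from the thread or from Check Point: a PowerShell posture script for a Windows endpoint that looks for a machine certificate issued by the company CA in the LocalMachine\My store (the store the VPN client searches, as the trac log posted later in this thread shows) and confirms the laptop is joined to the company AD domain (the fact a registry-key SCV check would read). The CA DN is taken from the DNs in that log and the domain name is assumed from it; the script, parameter and function names are also assumptions. It is not an SCV check and does not enforce anything on the gateway; it shows what those enforcement options actually look at on the endpoint, so that a failed connection can be triaged locally. A MAC address is set in software and can be changed, which is why a machine certificate with a non-exportable private key is the stronger binding to a company laptop.

```powershell
# Added example (not from the thread or Check Point): endpoint-side posture check
# mirroring the accepted answer's two options:
#   1. a machine certificate from the company CA, with its private key, in LocalMachine\My
#   2. membership of the company AD domain (CIM plus the registry mirror of the same fact)
# The issuer DN and domain below are assumptions taken from the DNs in the posted trac log.

param(
    [string]$ExpectedIssuer = 'CN=poclab-POCDC-CA, DC=poclab, DC=com',  # assumed company CA DN
    [string]$ExpectedDomain = 'poclab.com'                               # assumed AD domain
)

function Test-MachineCertificate {
    param([string]$Issuer)
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $now = Get-Date
    # Normalise "CN=a,DC=b" vs "CN=a, DC=b" so the DN from the log compares equal to .NET's Issuer.
    $wanted = $Issuer -replace '\s*,\s*', ','
    # Only the machine store counts: a cert in CurrentUser\My belongs to the user, not the laptop,
    # and the client log reports "Searching the certificate in the machine's store".
    $candidates = Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and
        $_.NotAfter -gt $now -and
        (($_.Issuer -replace '\s*,\s*', ',') -eq $wanted) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    }
    # Note: this matches the issuer name only; $cert.Verify() would additionally build and
    # check the chain (and by default perform online revocation checking).
    return [bool]$candidates
}

function Test-DomainMembership {
    param([string]$Domain)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Registry view of the same fact; this is the kind of key a registry-based SCV check reads.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
                            -Name Domain -ErrorAction SilentlyContinue
    return [bool]($cs.PartOfDomain -and ($cs.Domain -ieq $Domain) -and ($reg.Domain -ieq $Domain))
}

$certOk   = Test-MachineCertificate -Issuer $ExpectedIssuer
$domainOk = Test-DomainMembership  -Domain $ExpectedDomain

[pscustomobject]@{
    MachineCertificate = $certOk
    DomainJoined       = $domainOk
    Compliant          = ($certOk -and $domainOk)
}

# Non-zero exit so the script can be used as a pre-connect gate in a logon task.
if (-not ($certOk -and $domainOk)) { exit 1 }
```

Run it as an administrator on the laptop before opening the VPN client: if MachineCertificate is False while the CA certificate is installed, the endpoint has only the CA's own certificate and no certificate issued to the machine, which is the situation the later log excerpt in this thread ("A matching certificate for the machine was not found") describes.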
9 Replies
the_rock
Legend

I'm not aware of such an option, but if you have IA enabled and AD integrated, you can always configure access roles and configure the ACL that way. I did that for many customers and it works with no issues.

AmitS
Explorer

Hi, 

But will access roles work for the RAVPN policy?

PhoneBoy
Admin

Not only can you build Remote Access policy with Access Roles, you can build Remote Access-specific Access Roles.

AmitS
Explorer

Hi,

To use a machine certificate, the system needs to have a machine entry in the AD server, right?

Also, does the remote system need to be part of the company domain, or can it be a workgroup system, since the remote systems cannot be part of the domain, right?

_Val_
Admin

Yes, the PC should be defined in AD. Look into your Remote Access Admin Guide, under the "Machine Certificate" section, for example: https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_RemoteAccessVPN_AdminGuide/T...

AmitS
Explorer

Hi,

Which certificate needs to be present on the endpoint, the CA certificate, right?

I have the AD-provided CA certificate on the endpoint, as my AD is the CA, and I have generated the certificate from there as a Trusted CA.

Still, the error is observed. I am referring to sk173173 as well.

CertManager::EnumCertificates: __end__ 18:37:30.496. Total time - 0 milliseconds
[ 7200 13432][27 Feb 18:37:30][RaisCertManager] RaisCertManager::CertManager::GetCertByName: Searching the certificate in the machine's store.
[ 7200 13432][27 Feb 18:37:30][RaisCertManager] RaisCertManager::CertManager::GetCertByName: CertManager::GetCertByName: Pushing DN = [CN=poclab-POCDC-CA,DC=poclab,DC=com]
[ 7200 13432][27 Feb 18:37:30][RaisCertManager] RaisCertManager::CertManager::GetCertByName: CertManager::GetCertByName: Pushing DN = [O=CPMGMT..526xt3]
[ 7200 13432][27 Feb 18:37:30][RaisCertManager] RaisCertManager::CertManager::GetCertByName: temp_cert is null!! => No cert was found with the given cert_name= [CN=poclab-POCDC-CA,DC=poclab,DC=com;O=CPMGMT..526xt3]
[ 7200 13432][27 Feb 18:37:30][RaisCertManager] CertManager::GetCertByName: __end__ 18:37:30.496. Total time - 0 milliseconds
[ 7200 13432][27 Feb 18:37:30][IKE] MM4PacketHandler: A matching certificate for the machine was not found. Continue without it.
[ 7200 13432][27 Feb 18:37:30][IKE] **** create_MM5(hybrid authentication): Create packet 5
[ 7200 13432][27 Feb 18:37:30][clips_gen_utils] ClipsGeneralUtils::getSerializedAuthenticationBlob: Entering...
[ 7200 13432][27 Feb 18:37:30][IKE] create_MM5(hybrid authentication): authentication blob (
:clientType (TRAC)
:oldSessionId ()
:protocolVersion (100)
:client_mode (endpoint_security)
:selected_realm_id (vpn_Username_Password)
:secondary_realm_hash (c81e728d9d4c2f636f067f89cc14862c)
:client_logging_data (
:device_id ("{F70FE1F2-D81C-4642-BF49-F2ADF1DC8B43}")
:client_name ("Endpoint Security VPN")
:client_ver (E86.70)
:client_build_number (986104207)
:device_type (PC)
:os_name (Windows)
:os_version (10)
:os_edition (Enterprise)

PhoneBoy
Admin

The certificate that needs to be present is machine specific.

Please refer to the documentation: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...

Robert_M_Nubile
Explorer

You can do that using an external DHCP server. Each endpoint client has its own MAC address, so you can tie this MAC address in the DHCP server, and only the MAC addresses that are tied in the DHCP server will be able to receive an IP address.
