This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AmitS
Participant
‎2023-02-24 03:43 AM
Jump to solution

Need to Allow only specific MAC address systems to connect via RAVPN

Hi Guys,

We have a requirement that only specific MAC/company assigned laptops should only be able to connect to company RAVPN to access Internal resources. If a user tries to login via any other system then user should not be able to connect to VPN.

Can we achieve this via any MAC check or MAC binding via Endpoint Client when a user tries to connect to VPN.

In SCV check there is no such direct option to check this.

Apart from MAC if any other checks or Checkpoint config can achieve this then its most welcomed!!

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-02-24 06:53 PM
Jump to solution

The way organizations typically enforce this is one of:

  • Machine Certificate (supported as an auth method from R80.40)
  • Checking for a specific registry key (e.g. if joined to an Active Directory).

We don't do enforcement by MAC for Remote Access clients.

View solution in original post

0 Kudos
9 Replies
the_rock
MVP Platinum
MVP Platinum
‎2023-02-24 04:51 AM
Jump to solution

Im not aware of such option, but if you have IA enabled and AD integrated, you can always configure access roles and configure ACL that way. I did that for many customers and workes with no issues.

Best,
Andy
0 Kudos
AmitS
Participant
‎2023-02-26 09:40 PM
In response to the_rock
Jump to solution

Hi, 

but will access roles work for RAVPN policy?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-27 03:32 PM
In response to AmitS
Jump to solution

Not only can you build Remote Access policy with Access Roles, you can build Remote Access-specific Access Roles.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-24 06:53 PM
Jump to solution

The way organizations typically enforce this is one of:

  • Machine Certificate (supported as an auth method from R80.40)
  • Checking for a specific registry key (e.g. if joined to an Active Directory).

We don't do enforcement by MAC for Remote Access clients.

0 Kudos
AmitS
Participant
‎2023-02-26 09:42 PM
In response to PhoneBoy
Jump to solution

Hi,

To use Machine certificate the system needs to have an machine entry in AD server, right?

Also does the remote system needs to be a part of company domain or workgroup systems, since the remote systems cannot be a part of domain right?

 

0 Kudos
_Val_
Admin
Admin
‎2023-02-27 12:50 AM
In response to AmitS
Jump to solution

Yes, the PC should be defined in AD. Look into your Remote Access Admin guide, under "Machine Certificate" section, for example: https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_RemoteAccessVPN_AdminGuide/T...

0 Kudos
AmitS
Participant
‎2023-02-27 08:56 PM
In response to PhoneBoy
Jump to solution

Hi,

Which certificate needs to be present on the endpoint, CA certificate right?

I have the AD provided CA certificate on the endpoint as my AD is CA &  I have generated certificate from there as Trusted CA.

Still error observed. I am referring sk173173 as well.

CertManager::EnumCertificates: __end__ 18:37:30.496. Total time - 0 milliseconds
[ 7200 13432][27 Feb 18:37:30][RaisCertManager] RaisCertManager::CertManager::GetCertByName: Searching the certificate in the machine's store.
[ 7200 13432][27 Feb 18:37:30][RaisCertManager] RaisCertManager::CertManager::GetCertByName: CertManager::GetCertByName: Pushing DN = [CN=poclab-POCDC-CA,DC=poclab,DC=com]
[ 7200 13432][27 Feb 18:37:30][RaisCertManager] RaisCertManager::CertManager::GetCertByName: CertManager::GetCertByName: Pushing DN = [O=CPMGMT..526xt3]
[ 7200 13432][27 Feb 18:37:30][RaisCertManager] RaisCertManager::CertManager::GetCertByName: temp_cert is null!! => No cert was found with the given cert_name= [CN=poclab-POCDC-CA,DC=poclab,DC=com;O=CPMGMT..526xt3]
[ 7200 13432][27 Feb 18:37:30][RaisCertManager] CertManager::GetCertByName: __end__ 18:37:30.496. Total time - 0 milliseconds
[ 7200 13432][27 Feb 18:37:30][IKE] MM4PacketHandler: A matching certificate for the machine was not found. Continue without it.
[ 7200 13432][27 Feb 18:37:30][IKE] **** create_MM5(hybrid authentication): Create packet 5
[ 7200 13432][27 Feb 18:37:30][clips_gen_utils] ClipsGeneralUtils::getSerializedAuthenticationBlob: Entering...
[ 7200 13432][27 Feb 18:37:30][IKE] create_MM5(hybrid authentication): authentication blob (
:clientType (TRAC)
:oldSessionId ()
:protocolVersion (100)
:client_mode (endpoint_security)
:selected_realm_id (vpn_Username_Password)
:secondary_realm_hash (c81e728d9d4c2f636f067f89cc14862c)
:client_logging_data (
:device_id ("{F70FE1F2-D81C-4642-BF49-F2ADF1DC8B43}")
:client_name ("Endpoint Security VPN")
:client_ver (E86.70)
:client_build_number (986104207)
:device_type (PC)
:os_name (Windows)
:os_version (10)
:os_edition (Enterprise)

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-28 09:25 AM
In response to AmitS
Jump to solution

The certificate that needs to be present is machine specific.

Please refer to the documentation: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...

0 Kudos
Robert_M_Nubile
Participant
Participant
‎2024-09-25 09:55 AM
Jump to solution

You can do that using an external DHCP Server. Each endpoint client has its own mac address, so you can tie this mac addres in the DHCP Server and only the mac addresses that is tied in the DHCP Server will be able to receive an ip address.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events