Bodhi
Explorer

RAS authentication continues to work after Active Directory account is disabled.

Hi,

I’ve been working on setting up Machine and Personal certificates authentication for Remote Access VPN users for our customer and both are working fine.

As part of the testing however, the customer disabled the test Active Directory (AD) user account, but the user was still able to authenticate the VPN for more than an hour after the account was disabled. I found that if I installed the Security Policy as part of disabling/enabling an AD user account the changes were immediate, but the customer understandably thinks that disabling an AD account should be sufficient to immediately revoke a user’s access.

I’m not concerned with any sessions that might already be active as these can be disconnected. I’m only interested in preventing new Remote Access connections immediately after the AD account has been disabled.

Does anyone know how to change this behaviour so that after an AD account has been disabled, it cannot be used to authenticate the Remote Access VPN?

For info, this is a distributed install running R81.10 Take 66 and Endpoint Security VPN E86.60.

Ref: Remote Access Clients for Windows 24/10/2022 Page 61.

Regards,

Glen.

4 Replies
_Val_
Admin

Most probably, this is related to the re-authentication timeouts and password caching. Please look into the RAS Admin Guide, "Remote Access Advanced Configuration" chapter. 

_Val_
Admin

Sorry, I misread your post. You are using a personal certificate, which is only checked vs AD after the CRL cache expires. The default time for the CRL cache is 60 min, which is consistent with your symptoms. Policy push is flushing the CRL cache. All of this is expected behavior related to the authentication scheme in use.

There are a few alternatives:

1. Using AD username/password authentication.
2. Reducing the CRL cache timeout.
3. Pushing the policy.

Bodhi
Explorer

Hi Val,

I know from testing that when an AD account is disabled the Personal Certificate in the AD Certificate Authority is still valid and not revoked. I'm unsure from the AD/CA perspective how a seemingly valid Personal Certificate is then added to the CRL, which in turn is then updated and cached on the gateway.

I’ve checked and the CRL in our customer's environment is configured to fetch a new CRL after 24 hours. I'll try reducing the CRL cache to 30 minutes to see if the behaviour changes.

Thanks for the info.

Glen.

_Val_
Admin

Uh right, it could be 24 hours. As I said before, if your customer is expecting the users to be cut off immediately after account suspension, a personal certificate is not a good option.

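Val's replies describe two stacked refresh intervals: the schedule on which a fresh CRL becomes available (the 24-hour CRL refresh Glen found configured) and the gateway's own CRL cache timeout (60 minutes by default, flushed by a policy install). The following Python model is an added example, not code from this thread or from Check Point; it uses minute-based timers and a placeholder serial number, and shows at what point a revoked certificate is first rejected under the options listed (shorter cache timeout, policy push) and why the lag can still reach a full day when the CRL itself is only republished daily.

```python
from __future__ import annotations

# Constructed model of two stacked CRL caches: the CA publishes its CRL on a
# schedule, and the gateway keeps the fetched CRL until its cache timeout
# expires. Revocation is visible only after BOTH refresh, so the worst-case
# lag is about publish_interval + ttl. All times are in minutes.

class CertificateAuthority:
    def __init__(self, publish_interval: int) -> None:
        self.publish_interval = publish_interval
        self.revoked = set()    # serials the CA admin has revoked
        self.published = set()  # serials in the CRL currently on the distribution point

    def revoke(self, serial: str) -> None:
        self.revoked.add(serial)

    def publish_if_due(self, now: int) -> None:
        if now % self.publish_interval == 0:  # new CRL snapshot on schedule
            self.published = set(self.revoked)

class GatewayCrlCache:
    def __init__(self, ca: CertificateAuthority, ttl: int) -> None:
        self.ca, self.ttl, self.crl, self.fetched_at = ca, ttl, None, 0

    def flush(self) -> None:  # what the policy install in the thread does
        self.crl = None

    def is_revoked(self, serial: str, now: int) -> bool:
        if self.crl is None or now - self.fetched_at >= self.ttl:
            self.crl, self.fetched_at = set(self.ca.published), now  # refetch
        return serial in self.crl

def first_rejection(publish_interval: int, ttl: int, revoke_at: int,
                    policy_push_at: int | None = None, horizon: int = 3000) -> int | None:
    """Minute at which the gateway first rejects the cert revoked at revoke_at."""
    ca = CertificateAuthority(publish_interval)
    gw, serial = GatewayCrlCache(ca, ttl), "0x1234"  # placeholder serial
    for now in range(horizon):
        ca.publish_if_due(now)
        if now == revoke_at:
            ca.revoke(serial)
        if now == policy_push_at:
            gw.flush()
        if gw.is_revoked(serial, now):
            return now
    return None
```

Calling first_rejection(1, 60, 5) gives 60 and first_rejection(1440, 60, 5) gives 1440, matching the roughly one-hour symptom in the thread and the full-day lag a 24-hour CRL refresh implies.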
