Jan_Kleinhans
Advisor

Remote Access VPN and Identity Agent

Hello,

We have migrated our VPN users to a firewall which is also the host for the Identity Agent using Active Directory credentials.

In the inner network there is no problem with the Identity Agent. It authenticates, and the Identity Portal is working in the browser.

When you connect with Endpoint Security VPN using RADIUS two-factor authentication, the connection works as expected. But the Identity Agent does not work. If you open the Identity Portal with the browser, you get redirected to the SNX Portal.

How can we change this behaviour?

We are using R80.10 Management with R77.30 Gateways.

Thanks,

Jan

5 Replies
PhoneBoy
Admin

I'm not sure I understand the use case for Identity Agent when your VPN client provides a source of identity the gateways can use.

Is there some use case I'm missing here?

Paul_Hagyard
Advisor

Replying to a very old post, but I am considering Identity Agents in conjunction with VPN RAS (SAML to Azure AD) to get machine identities. I don't think there's any way to get this at present with VPN RAS; even if the Azure AD conditional access policy first looks for a machine certificate, I don't think this is being passed to the gateway (or used?). We would like to be able to use roles with both user and machine identities in conjunction with VPN RAS (to allow use of the same roles on perimeter and back-end gateways).

Jan_Kleinhans
Advisor

Hello,

For Identity Awareness we are using Active Directory. As we use two-factor authentication for VPN, the users are not recognized as the AD users, only as users of a RADIUS group. So the rules made for these users are not matching.

I do not know how to match these users.

Also, if the user is also an administrator and sometimes needs access to systems that are not in his default user rule, he has to identify as another user on the IA Portal. But this would be a rare problem.

Apart from that, I don't know how to put an explicit RADIUS user in a rule without defining the user in the Check Point firewall.

I have made a Service Request. So we will see if there is a better approach.

Thanks,

Jan

Goldie
Explorer

Jan,

Did you solve this problem? It is also a problem for my customer...

Best regards,

Tomasz

Jan_Kleinhans
Advisor

Hello,

No, we didn't solve the problem. We are redesigning our network at the moment. We will have a second firewall in the internal network that will run the Identity Portal. So we will not have the problem anymore.

The only option I see at the moment is to bind the portal to all interfaces. But then the interface facing the Internet will also have the Identity Portal. I think this is a security concern, so I will not do this.

Another option could be to duplicate the Identity rules and replace the Identity users with the VPN users.

As we are using the rules only for administrators at the moment, I decided to wait for the redesign.

Best regards,

Jan
