Ob1lan
Contributor

Remote Access VPN with MacOS: certificate authentication doesn't work

Hi,

We have a project to add 2FA to our Remote Access VPN. Currently we have it set to authenticate with username & password, and we want to add a user certificate (issued by an internal CA running on Microsoft, integrated with AD).

This is working fine for Microsoft computers with the Check Point Endpoint Security VPN client (standalone). We just have a failure after a while (traffic blocked after a random amount of time, with logs like 'can't find user' or 'failed login'). This one is the subject of an ongoing TAC case. But still, for these, the authentication with certificate is working fine, and the VPN tunnel establishes.

Now we have a lot of users that have MacBooks, also running the CP Endpoint VPN client. The user certificate has been imported into the Keychain. When we try to authenticate on the VPN client with the certificate, it doesn't work.

An example log extract, showing the failure on MacOS and the success on Windows (same user, same certificate):

100_LOGS_SHOWING_DIFFERENCE_WIN_VS_MACOS.PNG

 

The detail of the failure log, showing that the user is not in the right format (expected here: something like it is for Windows clients):

101_Login_Auth_MAB_NOK_MACOS.PNG

 

Here is how the authentication is configured for certificate usage (again, working fine on Windows):

102_GatewayProps_Authentication_2.PNG

 

Do you know if I have to create another Login Option especially for MacOS? If so, what settings should I use? I already tried various combinations, none of them worked 😞

Thanks in advance for your help!

Regards,

Antoine

1 Reply
Matt_Ricketts
Employee

Are you using the latest supported macOS VPN client? I saw E82.50 within your log card details. E84.30, which was released within the last 2 weeks, has support for Big Sur as well as Machine Authentication for the VPN client.

SK170513 - Enterprise Endpoint Security E84.30 macOS Clients - Early Availability