This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jfernandezm
Participant
‎2022-09-30 04:32 PM

VPN Login SAML + local fw login + AD

Hi! We had implemented Checkpoint firewalls with VPN Connections. Recently we implement SAML with AzureAD to secure the VPN Logins without technical issues, its working properly, but we had a issue : If the users change the Login options to user/password, this options works for local logins on Checkpoint and AD.

We need to work only with local fw login and SAML to the users, I understand the AD integration had to be implemented because this is part of the SAML integration, but i don't want to work this to the users to use user+password direct, because this mantains the vulnerability of use this login option.

Another thing I don't mentioned, I can't use ONLY azureAD, because had third part connections than use local login on checkpoint, so I had to mantain this option because had only Azure Users cost much money.

 

Please if you can show me an option to use only SAML to users, and the option User+PASS only works to local login FW, no AD.

Thanks Checkmates!

0 Kudos
7 Replies
_Val_
Admin
Admin
‎2022-10-01 02:16 AM

Is it the case when the same user exists in both on-prem and Azure AD?

0 Kudos
jfernandezm
Participant
‎2022-10-01 04:46 AM
In response to _Val_

Yes Val, because the AD is synced with AzureAD, so the accounts was the same.

0 Kudos
_Val_
Admin
Admin
‎2022-10-08 06:35 AM
In response to _Val_

I think this is the issue then. LDAP is checked before Azure, and since the accounts are there, it returns the authentication. See if you can set up your VPN in a way AD is not queried.

0 Kudos
jfernandezm
Participant
‎2022-10-08 06:38 AM
In response to _Val_

Yes, the implementing company is reviewing the configuration to dispense with the local AD. We check and the FW cfg is at 80.40 take 156

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-01 07:55 AM

Users that are authenticating with AzureAD can get group information from Graph API (R81 and above).
Third party users not in AzureAD would obviously need to get their information from a different source (LDAP).

The LDAP portion of the configuration will need to include only the precise branch that includes ONLY your third party users, not the entire AD tree.
Depending on how many third party users are involved, it might be better to locally define each one. 

0 Kudos
jfernandezm
Participant
‎2022-10-01 10:18 AM
In response to PhoneBoy

Hi!!! The third parties only connect with user+pass from checkpoint local login, no need to acces to LDAP login. In the other side the corporative users is needed to use only AzureAD, no LDAP login, otherwise the implementation of SAML AzureAD is useless.

 

Thanks for your help

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-03 10:29 AM
In response to jfernandezm

Ok, I'm confused.
If you're using Azure AD (which doesn't require LDAP) for your corporate users and locally defined users for your third party users, how are your Azure AD users just authenticating with username/password without going through the SAML dance?

Do you have an LDAP Account Unit defined?
I imagine you might need that for Identity Awareness.
What authentication methods do you have configured as supported on the relevant gateway object?

Screenshots of everything you've attempted to configure related to this would be exceptionally helpful.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events