Leitner_EA
Participant

VPN User and Identity Awareness

Hi,

We have a problem where access roles are not applied to VPN users. All our company users have the Identity Agent installed, and this seems to be working fine.

But we also have some external users (contractors etc.) who have their own equipment and need a VPN connection to access some services. Currently we have the legacy user access working for them. I wanted to switch this to access roles, so I created an access role and added the AD user to it, but it doesn't get recognized. When the VPN login is done, I can see an Identity Awareness entry:


[screenshot: 2023-11-13 14_36_34-Log Details.png]

but it doesn't get matched to the access role:

[screenshot: 2023-11-13 14_39_34-Access Role.png]

Any clue where the error could be?


Thanks!


Georg

6 Replies
PhoneBoy
Admin

Is Remote Access set as one of your Identity Sources in the Gateway object in the Identity Awareness section?

Leitner_EA
Participant

Yes, I have already checked that.

Leitner_EA
Participant

Could the problem be that the users are authenticated via a RADIUS server (Entrust Identity) / External User Profile?

In pepd.elg I can see only this:

[21381 4057782144]@XXXXXXXX[14 Nov  8:06:25] [TRACKER]: #2721205 -> INCOMING -> IDP_ASSOCIATION -> 
Association
ip: XX.XXX.XX.XXX
user: XXXXXXXX@domain
realm: vpn
machine: 
domain: 
client-type: 3
[21381 4057782144]@XXXXXXXXX[14 Nov  8:06:25] [TRACKER]: #2721206 -> OUTGOING -> IDENTITY_UPDATE -> pep (v4): 127.0.0.1pep (v6): , identity: UpdateInformation dump:
Unique ID           : 4faeb2ea
Client type         : 3, (Remote Access)
Time to live        : 86430, 86400
Client ID           : XX.XXX.XX.XXX, 0
Username            : XXXXX@domain
Log Username        : XXXXX@domain

Log UserDistinguishName: 

User domain         : 
User groups         : All Users, VPN-Intranet
Identity Role       :
Client Type Array   : 3

I would have thought that Identity Awareness would use the username and then do a lookup via LDAP to fetch the missing user data, so it can match the corresponding Identity Roles.

PhoneBoy
Admin

If LDAP is set up correctly, this is exactly what should happen.
See if the following helps: https://support.checkpoint.com/results/sk/sk113363 

Leitner_EA
Participant

I checked with the GUIDBEdit tool, and do_fetch_ldap was set to false. I set it to true, saved, and then pushed policy to the gateway again. It did not help. I think I have to get in contact with support.

Leitner_EA
Participant

I wanted to update the thread with the solution:


We did use the "legacy" authentication via VPN. After creating new VPN Authentication profiles (the LDAP lookup can be specified in them), Identity Awareness is working, though not cross-domain: e.g. users from domain A are in groups of domain B, and only the group from domain B is specified in the access rule; that is not working. But this is a problem that multiple apps have regarding multi-domain. Directly specifying the users in the Access Roles is working.
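As an added example (not from the thread and not Check Point's code), a small Python diagnostic for the pepd.elg IDENTITY_UPDATE dumps quoted earlier in the thread: it parses each dump and flags Remote Access identities whose DN and user domain are still empty, which is the state the solution above (an authentication profile with the LDAP lookup enabled) resolves. The log sample is constructed with placeholder names; the field names follow the excerpt, and reading an empty DN/domain as "the LDAP lookup did not enrich this identity" is my assumption.

```python
import re

# Constructed sample modelled on the pepd.elg IDENTITY_UPDATE dump quoted in the
# thread (placeholder names, not real log data): one unenriched identity, one enriched.
SAMPLE_PEPD_ELG = """\
[1 2]@gw[14 Nov  8:06:25] [TRACKER]: #1 -> OUTGOING -> IDENTITY_UPDATE -> pep (v4): 127.0.0.1pep (v6): , identity: UpdateInformation dump:
Client type         : 3, (Remote Access)
Username            : contractor1@domain
Log UserDistinguishName: 
User domain         : 
User groups         : All Users, VPN-Intranet
[1 2]@gw[14 Nov  8:07:10] [TRACKER]: #2 -> OUTGOING -> IDENTITY_UPDATE -> pep (v4): 127.0.0.1pep (v6): , identity: UpdateInformation dump:
Client type         : 3, (Remote Access)
Username            : employee1@domain
Log UserDistinguishName: CN=employee1,OU=Staff,DC=domain,DC=local
User domain         : domain.local
User groups         : All Users, VPN-Intranet
"""

# "Field name   : value" lines of the dump; the name is padded with spaces.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s?(.*)$")

def parse_identity_updates(text):
    """Return one dict per IDENTITY_UPDATE dump; other TRACKER records are skipped."""
    updates, current = [], None
    for line in text.splitlines():
        if line.startswith("["):          # every TRACKER record starts with [pid tid]
            current = {} if "IDENTITY_UPDATE" in line else None
            if current is not None:
                updates.append(current)
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                current[m.group(1).strip()] = m.group(2).strip()
    return updates

def diagnose(update):
    """List why a Remote Access identity cannot match an AD-group Access Role.
    Assumption (mine, consistent with the thread's fix): an empty DN and domain
    mean the LDAP lookup never ran, so only rules naming the user directly match."""
    problems = []
    if not update.get("Log UserDistinguishName"):
        problems.append("no DN: identity was not enriched by the LDAP lookup")
    if not update.get("User domain"):
        problems.append("no user domain: AD group membership cannot be resolved")
    return problems

def find_unenriched(text):
    """Map Username -> problems for every identity in the log that has any."""
    return {u.get("Username", "?"): diagnose(u)
            for u in parse_identity_updates(text) if diagnose(u)}
```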
