Hi,
We have a problem where access roles are not applied to VPN users. All our company users have the Identity Agent installed, and this seems to be working fine.
But we also have some external users (contractors etc.) who have their own equipment and need a VPN connection to access some services. Currently the legacy user access is working for them. I wanted to switch this to access roles, so I created an access role and added the AD user to it, but it doesn't get recognized. When the VPN login is done, I can see an Identity Awareness entry:
but it doesn't get matched to the access role:
Any clue where the error could be?
Thanks!
Georg
Is Remote Access set as one of your Identity Sources in the Gateway object in the Identity Awareness section?
Yes, I have already checked that.
Could the problem be that the users are authenticated via a RADIUS server (Entrust Identity) / External User Profile?
In the pepd.elg I can see only this:
[21381 4057782144]@XXXXXXXX[14 Nov 8:06:25] [TRACKER]: #2721205 -> INCOMING -> IDP_ASSOCIATION ->
Association
ip: XX.XXX.XX.XXX
user: XXXXXXXX@domain
realm: vpn
machine:
domain:
client-type: 3
[21381 4057782144]@XXXXXXXXX[14 Nov 8:06:25] [TRACKER]: #2721206 -> OUTGOING -> IDENTITY_UPDATE -> pep (v4): 127.0.0.1pep (v6): , identity: UpdateInformation dump:
Unique ID : 4faeb2ea
Client type : 3, (Remote Access)
Time to live : 86430, 86400
Client ID : XX.XXX.XX.XXX, 0
Username : XXXXX@domain
Log Username : XXXXX@domain
Log UserDistinguishName:
User domain :
User groups : All Users, VPN-Intranet
Identity Role :
Client Type Array : 3
I would have thought that Identity Awareness would use the Username and then do a lookup via LDAP to fetch the missing user data, so it can match the corresponding Identity Roles.
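The IDENTITY_UPDATE dump above already shows the symptom: the username and the groups that the VPN realm assigns are present, but User domain, the DN and Identity Role are empty, i.e. nothing was fetched from the directory, so no access role could match. The following script is an added example (not from this thread and not Check Point code) that parses that dump format out of a pepd.elg excerpt and flags Remote Access sessions with those empty fields. The field names are taken from the excerpt above; the log text embedded in the script is constructed (hostnames, addresses, users and groups are made up), with a second entry showing what a successful directory lookup fills in.

```python
import re

# Constructed sample modelled on the pepd.elg excerpt quoted in this thread.
# Entry 1: directory data missing (the situation described in the thread).
# Entry 2: the same kind of session after a successful LDAP lookup (assumed shape).
SAMPLE_PEPD_ELG = """\
[21381 4057782144]@gw1[14 Nov 8:06:25] [TRACKER]: #2721205 -> INCOMING -> IDP_ASSOCIATION ->
Association
ip: 203.0.113.10
user: contractor1@example.com
realm: vpn
machine:
domain:
client-type: 3
[21381 4057782144]@gw1[14 Nov 8:06:25] [TRACKER]: #2721206 -> OUTGOING -> IDENTITY_UPDATE -> pep (v4): 127.0.0.1pep (v6): , identity: UpdateInformation dump:
Unique ID : 4faeb2ea
Client type : 3, (Remote Access)
Time to live : 86430, 86400
Client ID : 203.0.113.10, 0
Username : contractor1@example.com
Log Username : contractor1@example.com
Log UserDistinguishName:
User domain :
User groups : All Users, VPN-Intranet
Identity Role :
Client Type Array : 3
[21381 4057782144]@gw1[14 Nov 8:07:01] [TRACKER]: #2721300 -> OUTGOING -> IDENTITY_UPDATE -> pep (v4): 127.0.0.1pep (v6): , identity: UpdateInformation dump:
Unique ID : 5a01c2d9
Client type : 3, (Remote Access)
Time to live : 86430, 86400
Client ID : 203.0.113.11, 0
Username : employee1@example.com
Log Username : employee1@example.com
Log UserDistinguishName: CN=employee1,OU=Users,DC=example,DC=com
User domain : example.com
User groups : All Users, Domain Users, VPN-Intranet
Identity Role : Contractors-VPN
Client Type Array : 3
"""

# "Key : value" lines of the dump; the key may contain spaces, the value may be empty.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")


def parse_identity_updates(text):
    """Return one dict per OUTGOING IDENTITY_UPDATE dump found in the log text."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and "[TRACKER]" in line:
            if "-> OUTGOING -> IDENTITY_UPDATE" in line:
                seq = re.search(r"#(\d+)", line)
                current = {"_seq": seq.group(1) if seq else None}
                records.append(current)
            else:
                current = None  # INCOMING entries etc. are not part of a dump
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def diagnose(rec):
    """List the reasons an access role cannot match for a Remote Access session."""
    reasons = []
    if not rec.get("Client type", "").startswith("3"):
        return reasons  # only client type 3 (Remote Access) is of interest here
    if not rec.get("User domain"):
        reasons.append("User domain empty: no directory lookup was done for this user")
    if not rec.get("Log UserDistinguishName"):
        reasons.append("no DN recorded: user was not resolved against LDAP")
    if not rec.get("Identity Role"):
        reasons.append("Identity Role empty: no access role matched")
    return reasons


def find_unmatched(text):
    """(username, reasons) for every Remote Access identity update with findings."""
    out = []
    for rec in parse_identity_updates(text):
        reasons = diagnose(rec)
        if reasons:
            out.append((rec.get("Username", "?"), reasons))
    return out


if __name__ == "__main__":
    for user, reasons in find_unmatched(SAMPLE_PEPD_ELG):
        print(user)
        for r in reasons:
            print("  -", r)
```

Run it against a copy of pepd.elg (`find_unmatched(open("pepd.elg").read())`) and each flagged user tells you whether the gap is the directory lookup (empty domain and DN, as in this thread) or only the role match (directory data present, but no access role contains that user or group).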
If LDAP is set up correctly, this is exactly what should happen.
See if the following helps: https://support.checkpoint.com/results/sk/sk113363
I checked with the GUIDBEdit tool, and do_fetch_ldap was set to false. I set it to true, saved, and then pushed policy again to the gateway. It did not help. I think I have to get in contact with support.
I wanted to update the thread with the solution:
We used the "legacy" authentication via VPN. After creating new VPN authentication profiles (the LDAP lookup can be specified in them), Identity Awareness is working, though not cross-domain, e.g. users from domain A are in groups of domain B, and only the group from domain B is specified in the access rule: not working. But this is a problem that multiple apps have regarding multi-domain. Directly specifying the users in the Access Roles is working.