Re: Certificate Authentication for Remote Access V...

Nagaraja · ‎2021-03-17

Hi Team,

We have configured personal certificate as First factor and Radius as second factor authentication.

In personal certificate authentication, the firewall will check for the DN(correct me if I am wrong),can we make it to check only CN instead of DN.

Second query is that the user is having multiple certificates, so in that case how Check Point will match the exact certificate if there are two VPN certificate with two different templates?

the_rock · ‎2021-03-17

I believe it only checks DN. Your 2nd inquiry, are you referring to just a specific user cert here?

Andy

Best,
Andy
"Have a great day and if its not, change it"

Nagaraja · ‎2021-03-18

Yes, it is user certificate

PhoneBoy · ‎2021-03-17

As far as I know, what we check in the cert is hard coded and can't be changed.
For the second question, it depends on what kind of a certificate we're talking about.

For a user-specific certificate, I believe the user chooses what certificate to offer.
For a machine certificate, we use the most recent one, I believe (and that's hardcoded).

Nagaraja · ‎2021-03-18

Hi Phoneboy,

Thanks for the information.

Is there any supporting document which says that we can't change the configuration to check CN instead of DN.

Any article which says that it will use the latest certificate if it is machine certificate.

We are using user based certificate

Nagaraja · ‎2021-03-18

Hi Phoneboy,

We are using user based certificate and there are multiple certificates(eg. includes expired cert aslo) in user machine.

Why Check Point is not able to pick the valid certificate ? User is not aware of the valid/expired certificates.

Nagaraja · ‎2021-03-25

Hi Phoneboy,

For a user-specific certificate, I believe the user chooses what certificate to offer - Can We configure this on gateway end to select the certificate automatically instead of user selecting the certificate manually.

Norbert_Bohusch · ‎2021-03-25

You can change what is taken from the certificate for matching it against the user base (LDAP or local).

Before R80.x it was a bit of a pain to configure through GuiDBedit, but since R80.10 you can select it when configuration Multiple Login Options:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-...

See chapter: Certificate Parsing

Besides the "Fetch username from" setting as described, you will have to match the "search LDAP for", so it can find it.

So you can even go for CN, SAN.email, SAN.UPN, etc...

Btw. I configured this on R77.10 already but not that comfortable 😉

Nagaraja · ‎2021-03-29

Hi Norbert,

There is no option to configure only CN validation check.

We can configure DN.CN,it seems like this is 'AND' operation not 'OR' operation.

Attaching the screenshot for your reference.

Norbert_Bohusch · ‎2021-03-30

DN.CN means the CN part of the DN.

A certificate has always CN as part of DN... So exactly what you asked.

I don‘t understand the and/or part of your answer?!

Nagaraja · ‎2021-03-30

Hi Norbert,

We don't want to validate DN.

We need to validate only CN.

Is that possible ?

PhoneBoy · ‎2021-03-30

You can try Custom Fields, otherwise I assume this would be an RFE.

Norbert_Bohusch · ‎2021-03-30

I don't understand this question?

Can you post a sample Subject or SAN and tell me which part of it you want to use for finding the user in LDAP?

CheckPointerXL · ‎2023-03-12

Hello Phoneboy,

I have a question about user authentication when user/pass + user certificate is configured: did the user need to select the certificate every time he connects to vpn or the vpn client automatically recognize the certs from repository?

Thanks a lot

PhoneBoy · ‎2023-03-13

I believe the first time you need to specify the certificate.
After that, the certificate should be reused.

Are you a member of CheckMates?

Certificate Authentication for Remote Access VPN user