This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pedro_Boavida
Contributor
Contributor
‎2020-04-01 09:14 AM

Remote Access improvements

Hello CheckMates members,

 

In the past weeks, due to this new remote work requirements, I have been doing otimizations and fine tunning in many VPN gateways, this time with much more demanding scenarios.

 

While performing such configurations, I've noticed some questions / constraints:

 

  • How to specify that a given group (ex: LDAP group) is tied to a specific authentication method ? If we are talking about the same domain (LDAP Account Unit) there seem to be no means for that.

 

  • For the case where several gateways are managed by the same management (most of the cases) it should be possible to have more than one Remote Access community, for several reasons.... 

 

  • Mobile Access (Unified vs Legacy)

Previously on Legacy Mobile Access, only users posing on at least one MAB Access rule were allowed to authenticate to the portal. Now, with Unified Mobile Access, users must belong to remote access community in order to authenticate properly.

This brings a limitiation where I can no longer differentiate who can authenticate on the Mobile Acess Portal from who can authenticate using remote access clients. I have to rely on access rules to permit or forbid access to resources, but in what concerns authentication process it didn't improved from legacy to unified...

I think this constraints are affecting many people and therefore it should be improved, don't you think ?

Regards

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2020-04-02 05:13 PM

Can you provide a concrete example of the different LDAP Groups requiring different authentication methods?

Right now, there is only one Remote Access community per management domain.
I can see where that might be useful but you can achieve the same effective result with appropriate Access Rules.

As for issue with Unified versus Legacy, I suspect there is more work to do in terms of simplifying this.
0 Kudos
Pedro_Boavida
Contributor
Contributor
‎2020-04-03 01:53 AM
In response to PhoneBoy

Hi Dameon,

 

Of course, an easy example is to have a given set of users (regular users) who belong to a specific ad group (say group A) and another set of users (power users) belonging to another specific group (say group B), both within the same Active Directory.

Now, the goal is to assign to group A (regular users) a specific method for authentication (eg: username and password) and to group B (power users) another specific method (eg: Two Factor - username and password + DynamicID).

So if one want to make a more strong /secure authentication for group B (power users) BUT simultaneously want to provide simple method for group A (regular users), this will subvert such principle because power users can also access with username and password....

Now imagine that you want to have several authentication methods and several users profiles (groups), tied to their respective methods. How would you solve this ?

 

Regards,

 

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-03 05:56 PM
In response to Pedro_Boavida

I believe a lot of what you want is right here in the gateway object:

Screen Shot 2020-04-03 at 5.52.45 PM.png

In short you can:

  1. Define multiple authentication schemes.
  2. Tie each one to specific LDAP groups. 

Screen Shot 2020-04-03 at 5.50.18 PM.png

I will admit, I don't know if this will work exactly the way you want it, but this seems the most promising.
I'll check with R&D.

0 Kudos
Norbert_Bohusch
Advisor
‎2020-04-05 11:50 PM
In response to PhoneBoy

For that you need two different directories. It can't be tied to individual groups in the same directory.
Pedro_Boavida
Contributor
Contributor
‎2020-04-06 02:54 AM
In response to PhoneBoy

Dameon,

Thanks for your answer but like I described earlier the challenge is between LDAP_Groups within the same directory - wich is the most common scenario.

 

Regards,

0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-06 01:07 PM
In response to Pedro_Boavida

It seems to me you can choose different LDAP groups within the same directory for the different authentication methods (at least as I understand this dialog).
What happens when you do that?
0 Kudos
Pedro_Boavida
Contributor
Contributor
‎2020-04-06 01:22 PM
In response to PhoneBoy

Hi,

 

Unfortunately you cannot. You can only choose a specific directory or a set of directories but not an LDAP_Group.

Also, you cannot have two LDAP Account units for the same domain (with different search bases).

 

I think it's a "dead end".... thats why I was suggesting an improvement.

 

Regards,

0 Kudos
Gaurav_Pandya
MVP
MVP
‎2020-05-16 09:37 AM
In response to Pedro_Boavida

Yeah. I agree with Pedro. 

I am facing same issue. We want to use 2 different authentication for different user group but it is not possible as we have only one LDAP account unit.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events