This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pedro_Espindola
Advisor
‎2017-10-04 08:39 AM

Create a Captive Portal exception rule on SMB

Hey guys! A costumer wanted to configure a way to bypass captive portal authentication for a specific network on a locally managed 1400 appliance. I found sk117593, which suggests using hotspot.

So I disabled User Awareness and enabled hotspot for the networks that require authentication. I then set configure radius to use the Active Directory users. But this way all User Awareness features are lost!

Is there any other way to create an exception?

This feature is crucial, and we can actually lose customers because of this. I hope that development is working on this.

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2017-10-05 02:32 PM

The SK was pretty clear this was the "workaround" to do it.

What specific "User Awareness" features did you lose here?

0 Kudos
Pedro_Espindola
Advisor
‎2017-10-06 06:51 AM
In response to PhoneBoy

When disabling User Awareness it is not possible to enforce access to internal servers or to specific applications by user groups.

Also, logs will show the user only when you open them, which compromises visibility. But that's a minor issue.

I found a better workaround. Here is what I did instead:

  1. Enabled User Awareness and disabled hotspot.
  2. Enabled the option "Allow unregistered guests", on "Browser-based authentication" configuration window
  3. Configured a a rule from:guest_network to:internet action:accept
  4. Used AD user groups on every other rule.

Now, guest users on the guest network can click on "I don't have a username and password" and register to use the internet. It can be a fake name.

Users in the internal network will have to authenticate with a valid AD user to do anything.

It is not ideal, but it works.

PhoneBoy
Admin
Admin
‎2017-10-06 09:36 AM
In response to Pedro_Espindola

That definitely sounds like a better option.

0 Kudos
John_Fleming
Advisor
‎2019-11-19 06:45 PM
In response to PhoneBoy

Just ran into this myself. Browser Based User Awareness is indeed pretty lame. Its a shame that this is %100 doable if the smb is controlled by a mgmt server.

0 Kudos
Max_Baumgarten
Contributor
‎2019-11-19 07:38 PM
In response to John_Fleming

I agree.  You should be able to control the User Awareness rules with more granular controls, like identity awareness/legacy client authentication.  Your subnets shouldn't be held hostage and require authentication just because you need specific users to authenticate.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events