This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
OlegPowerC
Explorer
12 hours ago

Captive portal transparent SSO authentication and switch user (logout/login)

Hello!

I was configure transparent SSO (browser based authentication) and it work.

I login in my test VM and open browser, try to open blocked URL I get notification with my username (Testuser1).

I logout and login as Testuser2 and do it again and get notification but user is Testuser1.

If i execute pdp control revoke_ip <my vm ip> it work as expected.

What Ican I resilve this issue?

Thank You!

0 Kudos
5 Replies
Tobias_Moritz
Advisor
10 hours ago

As far as I know, this is by design.

Please correct me, if I'm wrong.

When you use Identity Awareness Browser-Based Authentictation with transparent SSO (autoauth), there is no browser tab with captive portal site which will or can stay open for the full user user session, so you cannot use the portal setting "Log out users when they close the portal browser", right?

And without that, the pdp just gets no notification, that user1 logs out of the machine and user2 logs in. PDP still uses that session entry entry for the ip address and does not reinitate authentication flow over captive portal.

If you need to resolve that, you would have to use Identity Agents or Identity Collector. With using Identity Collector, you get an update in pdp side during login of user2. This will logout user1 IA session because of an implicit "assume one user per ip address setting".

When you are concerned that someone malicous could re-use user1s ip address in your network before your configured IA session timer expires, you have to use Identity Agents (with a short agent session timeout), because in doing that, user1 session gets logged out when user1 logs out from the machine (while connected to network) or after the agent session timeout which can be much shorter that the session timeout for Captive Portal or Identity Collector due to Agent keepalive.

0 Kudos
OlegPowerC
Explorer
9 hours ago
In response to Tobias_Moritz

Thank You.

I will use AD Query and agent instead captive portal.

 

0 Kudos
Tobias_Moritz
Advisor
9 hours ago
In response to OlegPowerC

ADQuery is deprecated, I suggest using IdentityCollector instead.

0 Kudos
OlegPowerC
Explorer
7 hours ago
In response to Tobias_Moritz

But it is the same method (both read the event log  in AD)

0 Kudos
PhoneBoy
Admin
Admin
3 hours ago
In response to OlegPowerC

ADQuery actually uses WMI that is pushed from Active Directory versus Identity Collector, which reads the Event logs directly.
In neither case does it read Logout events.
I believe the only way to get an actual log out event is using an Identity Agent.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events