This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Norbert_Bohusch
Advisor
‎2021-04-29 11:59 PM

Identity Agent - Kerberos Auth only for Machine

I have the following requirement:

  • Client running Identity agent full with Packet tagging
  • Authentication of user by Radius with MFA
  • Acquiring Machine Identity

 

If I'm not mistaken machine authentication with Identity agent is only working with Kerberos.

But if Kerberos is active, also the user is authenticated using Kerberos und with that we are not using MFA to authenticate the user, as the Radius is skipped.

 

Any chance we get the machine identity using Kerberos and don't allow user logon with Kerberos to force Radius auth?

 

5 Replies
Benedikt_Weissl
Advisor
‎2021-04-30 04:22 AM

Are you refering to VPN authentication? Or do you want the user to authenticate to the gateway via MFA after logging into the OS?

The Identity Agent is designed as an SSO solution afaik, so i'd suggest you require the user to use MFA to login to the OS and then trust the credentials "transitively".

Norbert_Bohusch
Advisor
‎2021-04-30 04:25 AM
In response to Benedikt_Weissl

It has nothing to do with VPN.

I know that the identity agent can be used for SSO with Kerberos. But without it you can use any authentication but then the machine identity is not recognized.

Hence my question if it is possible to use only SSO with kerberos for machine identity but authenticate the user otherwise...

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-04-30 04:53 AM
In response to Norbert_Bohusch

Thats interesting inquiry. Im not aware if you can configure that on basic settings via gateway auth methods, you may wish to contact TAC to confirm this 100%.

Best,
Andy
PhoneBoy
Admin
Admin
‎2021-05-02 07:21 PM

Seems like you might be able to change the default behavior here using the PDP Conciliation feature in R80.40+.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Currently requires a TAC case for the precise configuration.
Also paging @Royi_Priov in case he has a better idea.

0 Kudos
Norbert_Bohusch
Advisor
‎2021-05-02 11:32 PM
In response to PhoneBoy

PDP conciliation helps in distinguishing between different sources but in this case. It's only the agent. So I assume it will not help.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events