Norbert_Bohusch
Advisor

Identity Agent - Kerberos Auth only for Machine

I have the following requirement:

  • Client running Identity agent full with Packet tagging
  • Authentication of user by Radius with MFA
  • Acquiring Machine Identity

If I'm not mistaken machine authentication with Identity agent is only working with Kerberos.

But if Kerberos is active, the user is also authenticated using Kerberos, and with that we are not using MFA to authenticate the user, as the Radius is skipped.

Any chance we get the machine identity using Kerberos and don't allow user logon with Kerberos to force Radius auth?

5 Replies
Benedikt_Weissl
Advisor

Are you referring to VPN authentication? Or do you want the user to authenticate to the gateway via MFA after logging into the OS?

The Identity Agent is designed as an SSO solution afaik, so I'd suggest you require the user to use MFA to login to the OS and then trust the credentials "transitively".

Norbert_Bohusch
Advisor

It has nothing to do with VPN.

I know that the identity agent can be used for SSO with Kerberos. But without it you can use any authentication but then the machine identity is not recognized.

Hence my question if it is possible to use only SSO with kerberos for machine identity but authenticate the user otherwise...

the_rock
Mentor

That's an interesting inquiry. I'm not aware if you can configure that on basic settings via gateway auth methods; you may wish to contact TAC to confirm this 100%.

PhoneBoy
Admin

Seems like you might be able to change the default behavior here using the PDP Conciliation feature in R80.40+.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Currently requires a TAC case for the precise configuration.
Also paging @Royi_Priov in case he has a better idea.

Norbert_Bohusch
Advisor

PDP conciliation helps in distinguishing between different sources, but in this case it's only the agent. So I assume it will not help.
