This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sukruozdemir
Contributor
‎2021-10-03 11:01 PM

Identity Agent MacOS Big Sur Authentication Failed

Hello

I am using Checkpoint Identity Agent. There is no problem with my settings. When I use a Windows machine, I never get an authentication error, but in MacOS, I occasionally get a succession of authentication errors and then it logs in automatically. In short, while I have no problems with my account on a computer with a windows operating system, macOS sometimes gives a verification error. I'm using the latest version, but I'm starting to think that it's not fully compatible with Big Sur either.

Preview file
54 KB
0 Kudos
9 Replies
Tobias_Moritz
Advisor
‎2021-10-06 01:52 AM

We have a TAC case open with this description, which sounds pretty much like your problem:

Symptoms: User is working with MacOS while connected to corporate network. Identity Agent is connected. Sometimes this works for hours and days without problems. Out of nowhere, there is a "Authentication had failed" popup. Agents umbrella icon turns gray, rotates a while and than turnes magenta again and shows connected state. No user intervention needed (especially no new password entering). If this problem starts on a day, it reoccures multiple times during this day (and all following one if client is not restarted). If users closes the Identity Agent application and restarts it manually, the problem is gone for the rest of the day (and the following ones).

We collected debugs from agent on client and from pdpd on gateway and TAC is now analysing this for three weeks now. Current status: "We are investigating the issue internally and I will update you as soon as possible".

If you want, I can send you our TAC case number in a PM, so you can reference it in your own TAC case.

0 Kudos
sukruozdemir
Contributor
‎2021-10-06 03:39 AM
In response to Tobias_Moritz

Hello
I am having exactly this problem too. I'd be happy to have your TAC code.

0 Kudos
Tobias_Moritz
Advisor
‎2021-10-06 03:55 AM
In response to sukruozdemir

PM sent.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-10-06 09:43 AM
In response to Tobias_Moritz

Interesting...we have customer using same mac OS and identity agent, they never complained to me about this issue. Only thing is TAC helped us configure IA auto discovery, but not sure if that would make a difference here. Im referring to below document and section:

https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide...

 

DNS Based Configuration

If you configure the client to "Automatic Discovery" (the default), it looks for a server by issuing a DNS SRV query for the address "CHECKPOINT_NAC_SERVER._tcp" (the DNS suffix is added automatically). You can configure the address in your DNS server.

On the DNS server (Example is Windows 2003. For more information, see official Microsoft documentation):

  1. Go to Start > All Programs > Administrative Tools > DNS.
  2. Go to Forward lookup zones and select the applicable domain.
  3. Go to the _tcp subdomain.
  4. Right-click and select Other new record.
  5. Select Service Location, Create Record.
  6. In the Service field, enter CHECKPOINT_NAC_SERVER.
  7. Set the Port number to 443.
  8. In Host offering this service, enter the address of the Identity Awareness Gateway.
  9. Click OK.

Note - To define an Identity Awareness Load Sharing, make several SRV records with the same priority. To define an Identity Awareness High Availability, make several SRV records with different priorities.

 

Note - If you configure AD based and DNS based configuration, the results are combined according to the specified priority (from the lowest to highest).

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Tobias_Moritz
Advisor
‎2021-10-07 01:03 AM
In response to the_rock

Thanks Andy, but IA autodiscover should be out of the picture here. We use it, it works fine.

From debug logs, it looks like gateway (pdpd) is sometimes sending an empty response to agents NACuserNpassAuth packet.

[12:05:44 12/7/2021]/request (CCC:1876) Reaquest:
(CCCclientRequest
 :RequestHeader (
 :id (4015)
 :session_id (1be1df41e608ffa29c8af1e83ec6693f)
 :type (NACuserNpassAuth)
 :protocol_version (100)
 )
 :RequestData (
 :username (user)
 :password ([REDACTED])
 :realm (default)
 )
)
[12:05:44 12/7/2021]/-[Engine addOperationWithTarget:selector:object:] (Engine.mm:99) called with callback reauthenticate
[12:05:44 12/7/2021]/request (CCC:1923) Response:
(CCCserverResponse
 :ResponseHeader (
  :id (4015)
  :type (NACuserNpassAuth)
  :session_id (1be1df41e608ffa29c8af1e83ec6693f)
  :return_code (600)
 )
 :ResponseData ()
)

This is how the response should look like:

[12:05:44 12/7/2021]/request (CCC:1923) Response:
(CCCserverResponse
 :ResponseHeader (
  :id (4014)
  :type (NACuserNpassAuth)
  :return_code (600)
  :session_id (1be1df41e608ffa29c8af1e83ec6693f)
 )
 :ResponseData (
  :reAuthenticationInterval (28800)
  :nacAccountGroups ("ad_group_REDACTED1;ad_group_REDACTED2;All Users;ad_group_REDACTED3;ad_user_REDACTED_REDACTED")
  :ReturnCode (0)
 )
)

 

0 Kudos
sukruozdemir
Contributor
‎2021-10-10 11:08 PM
In response to the_rock

I don't think it has anything to do with autodiscovery either. It doesn't work even if it's manual.
 
 
20:57:34 10/10/2021]/request (CCC:1876) Reaquest: 
(CCCclientRequest
:RequestHeader (
:id (201)
:session_id (7a738be82c6fe0edb4e90069a0c90e93)
:type (NACuserNpassAuth)
:protocol_version (100)
)
:RequestData (
:username (example)
:password (example)
:realm (default)
)
)
 
[20:57:34 10/10/2021]/-[Engine addOperationWithTarget:selector:object:] (Engine.mm:99) called with callback reauthenticate
[20:57:34 10/10/2021]/request (CCC:1923) Response: 
(CCCserverResponse
:ResponseHeader (
:id (201)
:type (NACuserNpassAuth)
:session_id (7a738be82c6fe0edb4e90069a0c90e93)
:return_code (600)
)
:ResponseData ()
)

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-10-06 09:05 AM

Flagging @Royi_Priov in case he's not already aware

0 Kudos
Tobias_Moritz
Advisor
‎2021-11-24 07:46 AM

Today, TAC provided new version R81.005.0000, which should contain a fix for this bug.

We cannot provide test feedback so far, but I wanted to share availability of fixed version with community.

New version is not published to sk134312 yet due to obvious reasons, so you have to ask TAC for it if you want to test it yourself.

@sukruozdemir : I guess TAC provided you the same fix today. If you got positive (or negative) feedback from tests earlier than I get it, please feel free to share 🙂

0 Kudos
sukruozdemir
Contributor
‎2021-11-24 09:49 PM
In response to Tobias_Moritz

Hello there
They sent me the same version yesterday, I installed it and I'm using it now. I haven't received any errors since I installed the program, but you know that sometimes it doesn't give an error for days. If I have a problem, I will share it with TAC and here. If you have a problem, I would be happy if you let me know.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events