Sergo89
Collaborator

Identity Awareness and UPN suffix

Hi Guys

I have a problem: CP Identity Awareness doesn't want to recognize users who log in with UPN credentials. For example, XYZ.local is a standard AD domain, but it also has the UPN suffix XYZ.com for communication with O365 etc. For Windows login (and WLC with RADIUS) it doesn't matter; it can be just username, or username@XYZ.local, or username@XYZ.com. Check Point understands only username and username@XYZ.local.

I talked to CP support; they advised creating an additional LDAP account unit (XYZ.com), but it doesn't work, still the same issues with name recognition, and also Remote Access VPN stops (loses access to the original domain XYZ.local).

Do you have any ideas how to fix it?

Thanks

0 Kudos
10 Replies
Sergo89
Collaborator
Short comment: username@XYZ.local also doesn't work, only the clean username.
0 Kudos
PhoneBoy
Admin

Not sure, @Royi_Priov ?

0 Kudos
Royi_Priov
Employee

Which identity sources are used?

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
Sergo89
Collaborator
Hi Royi
Active Directory Query (LDAP), and RADIUS accounting turned on. The WLC sends info to Check Point, and I can recognize wireless users in CP logs.
Thanks
0 Kudos
Chris_Atkinson
Employee

Some manipulation on the RADIUS side might help e.g.

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-crp-realm-names

CCSM R77/R80/ELITE
Sergo89
Collaborator
Thanks Chris, I think you're right; I need to try to cut the suffix there.
0 Kudos
Royi_Priov
Employee
I would also suggest using the "alias feature" in Identity Collector (which can replace AD Query).
This feature allows replacing one domain with another; read more about it in our admin guide.

As for Identity Collector vs. AD Query differences, see sk108235.
Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
Chris_Atkinson
Employee

Thanks @Royi_Priov 

For completeness do we have any other options to manipulate the RADIUS data (realm matching) if it can't be done upstream?

Cheers,

Chris

 

CCSM R77/R80/ELITE
Sergo89
Collaborator
Thanks Royi, I will try. Just some questions: do IA and Remote Access VPN use different ways for authorization? If I turn off AD Query in IA, should VPN continue to work?
0 Kudos
Sergo89
Collaborator
Thanks guys, I didn't fix my problem, but found another solution.
Royi, I deployed IC; it works, but it doesn't recognize RADIUS users, doesn't see them. Anyway, I kept it.
Chris, your solution works (I played with realm info), but it looks like the WLC sends info to Check Point (and its own log) before the NPS (RADIUS) server. I can change the realm info, but Check Point sees the original request with domain info.
I blocked any access to wireless with domain info: just username, or no wifi 🙂
Also opened a Cisco support case; not sure, maybe it's possible to cut realm info on the WLC directly.
Thanks guys!
0 Kudos
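As an added illustration of the realm rewriting Chris points to (NPS attribute manipulation is an ordered list of find/replace regexes on User-Name) and of the bare-username form Sergo89 ended up enforcing, here is a Python model of such a rule list applied to RADIUS accounting events. It is not Check Point, NPS or WLC code; the rules, the sample accounting events and the IP addresses are constructed for the example, and only the domain names (XYZ.local, XYZ.com) come from the thread.

```python
import re

# (find pattern, replace pattern), evaluated in order; the first match wins,
# mirroring how an ordered rule list is processed. Constructed for this
# example; not an NPS export.
REALM_RULES = [
    # user@XYZ.com (O365 UPN suffix) or user@XYZ.local -> bare user, the only
    # form the poster reports Identity Awareness matched reliably
    (r"^(?P<user>[^@\\/]+)@xyz\.(?:com|local)$", r"\g<user>"),
    # XYZ\user (NetBIOS form) -> bare user
    (r"^xyz\\(?P<user>[^@\\/]+)$", r"\g<user>"),
]


def rewrite_user_name(user_name: str, rules=REALM_RULES) -> str:
    """Return User-Name after the first matching rule; unchanged if none match."""
    for find, replace in rules:
        new_value, hits = re.subn(find, replace, user_name, flags=re.IGNORECASE)
        if hits:
            return new_value
    return user_name


# Constructed RADIUS accounting events as a WLC might forward them; only the
# two attributes that matter for an IP-to-user mapping are included.
SAMPLE_ACCOUNTING = [
    {"User-Name": "jsmith@XYZ.com", "Framed-IP-Address": "10.1.20.15"},
    {"User-Name": "XYZ\\adoe", "Framed-IP-Address": "10.1.20.16"},
    {"User-Name": "bwong", "Framed-IP-Address": "10.1.20.17"},
    {"User-Name": "guest@partner.example", "Framed-IP-Address": "10.1.20.18"},
]


def identity_map(events, rules=REALM_RULES):
    """Map Framed-IP-Address -> rewritten User-Name.

    Events whose name still carries a realm or NetBIOS prefix after rewriting
    are returned separately for follow-up instead of being mapped to an
    identity the directory lookup would not match."""
    mapping, rejected = {}, []
    for event in events:
        name = rewrite_user_name(event["User-Name"], rules)
        if "@" in name or "\\" in name:
            rejected.append(event["User-Name"])
            continue
        mapping[event["Framed-IP-Address"]] = name
    return mapping, rejected
```

Note that, as the last post explains, rewriting on the RADIUS server only helps if the gateway receives the rewritten User-Name; accounting sent directly by the WLC still carries the original value.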