flachance
Advisor

Machine cert authentication and local computer certificate store

Hi,

We’re trying to test Remote VPN access with machine cert authentication. It is not clear to me which authentication to select on the client when creating the site.

I selected Certificate – CAPI, but when trying to connect it offers a choice of certificates it finds in Current user\Personal\Certificates.

We’ve set up automatic cert enrollment for our machines, but it puts the certificate in Local computer\Personal\Certificate.

I feel like I’m missing something here. How do you get the CheckPoint client to look for a certificate in the Local computer certificate store?

Thanks

Francis

0 Kudos
12 Replies
PhoneBoy
Admin

What version of client?
What version/JHF of gateway?
I'm assuming you've followed all the instructions here: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... 

0 Kudos
flachance
Advisor

Client is 87.50. Gateway is 81.20 JHF take 53. Yes, we've followed the guide and the relevant part of the client guide.

I think we might not be understanding the authentication part correctly. Can you establish VPN with only the machine cert to authenticate or do you also require user authentication?

0 Kudos
the_rock
Legend

I believe it is possible with just machine cert, but not 100% certain, you may want to confirm with TAC.

0 Kudos
emmap
Employee

You can; the instructions are in the link that PhoneBoy has there, and then in the Remote Access Guide that is linked from there.

https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...

flachance
Advisor

I did use the instructions on these two links.

Something is missing, or we’re missing something.

From https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

The machine must be defined on a Microsoft AD server – Check

The Subject field of a machine certificate must not be empty – Check

The hostname must be the first value – Check

Machine-only authenticated tunnels require the Security Gateway authentication method to be “Defined on user record (Legacy authentication)” – Check

Adding the root CA on the LDAP Server to the Trusted CA in Management – Check

Creating LDAP Account Unit – Check

Setting up the Authentication enforcement as When Available – Check

From https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...

On the client, trac.defaults has:

Enable_machine_auth set to true

Machine_tunnel_site set to the created site name

Machine_tunnel_before_logon set to true

Machine_tunnel_after_logon set to false

As noted in the instructions, the machine site was created before, but there is no indication of the settings to use. We picked Certificate CAPI. When trying to connect, it offers certificates found in the user certificate store, but the machine certificate is in the Local computer certificate store.

How do we get the client to use the certificate in the Local Computer certificate store?
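An added check, not from this thread or from Check Point: a PowerShell snippet that enumerates both the Local computer and Current user Personal stores, tests each certificate against the Subject prerequisites listed above (non-empty Subject, hostname as the first value, private key present), and prints the trac.defaults keys discussed. The trac.defaults path is an assumption (placeholder); adjust it to where the client is installed.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the client machine.
param(
    # Assumed location, not from the thread: replace with the real trac.defaults path.
    [string]$TracDefaultsPath = 'C:\PLACEHOLDER\trac.defaults'
)

$hostName = $env:COMPUTERNAME

function Test-MachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Prerequisite from the thread: the Subject field must not be empty.
    if ([string]::IsNullOrWhiteSpace($Cert.Subject)) { return 'Subject empty' }
    # Prerequisite from the thread: the hostname must be the first value in the Subject.
    # Naive RDN split on ", "; escaped commas inside a value are not handled here.
    $firstRdn   = ($Cert.Subject -split ',\s*')[0]
    $firstValue = ($firstRdn -split '=', 2)[1]
    if (-not $firstValue) { return "Cannot parse first RDN: $firstRdn" }
    # Accept either a short hostname or an FQDN whose first label is the hostname.
    if ($firstValue.Split('.')[0] -ne $hostName) {
        return "First Subject value '$firstValue' is not hostname '$hostName'"
    }
    # A machine cert without its private key cannot be used to authenticate.
    if (-not $Cert.HasPrivateKey) { return 'No private key' }
    return 'OK'
}

# Both stores mentioned in the thread: the client offered CurrentUser certs,
# while auto-enrollment placed the machine cert in LocalMachine.
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Write-Host "== $store =="
    $certs = Get-ChildItem $store -ErrorAction SilentlyContinue
    if (-not $certs) { Write-Host '  (no certificates)'; continue }
    foreach ($c in $certs) {
        '  {0}  {1}  -> {2}' -f $c.Thumbprint, $c.Subject, (Test-MachineCert $c)
    }
}

# The trac.defaults keys from the thread (matching is case-insensitive).
$wanted = 'enable_machine_auth', 'machine_tunnel_site',
          'machine_tunnel_before_logon', 'machine_tunnel_after_logon'
if (Test-Path $TracDefaultsPath) {
    Write-Host "== $TracDefaultsPath =="
    Get-Content $TracDefaultsPath |
        Where-Object { $line = $_; $wanted | Where-Object { $line -match "^\s*$_\b" } } |
        ForEach-Object { "  $_" }
} else {
    Write-Host "trac.defaults not found at $TracDefaultsPath (set -TracDefaultsPath)"
}
```

A certificate that reports anything other than OK in the LocalMachine store fails one of the documented prerequisites before the client selection question even arises.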

the_rock
Legend

Did you check the 2 SKs I mentioned in the link from one of my posts? Not sure if they might be relevant in your case, but if not, then I would open a TAC case to see what might be missing.

Best,

Andy

0 Kudos
flachance
Advisor

I did. But I'm not even at the point where I'm actually attempting to connect 😆

0 Kudos
the_rock
Legend

Ok lol

In that case, I would open a TAC ticket and see what gives.

Andy

0 Kudos
PhoneBoy
Admin

Machine certificates are used only when a user is not logged in (i.e. Windows login screen).
This is mentioned in the documentation I linked previously.

As such, this is operating as expected.

0 Kudos
flachance
Advisor

And I am now even more confused 😆 Or I just can't read properly. This is what I'm seeing in that doc:

"Machine-only authentication - Authenticate with a machine certificate only. This mode is available before and after the user logs in to Windows"

PhoneBoy
Admin

Clearly I misread the docs 🙂
However, you may need to adjust some settings here: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...
Specifically setting machine_tunnel_after_logon to true.

Otherwise, you may want to get the TAC involved: https://help.checkpoint.com 

0 Kudos
the_rock
Legend

Had a similar issue recently with a customer, and TAC fixed it with the 2 SKs below; might be worth checking. To answer your question, you most likely select certificate auth on the client; it's the one called personal cert, I believe.

Check out the answer I gave in the post below.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Machine-certificate-auth/m-p/210437

0 Kudos