Hey boys and girls,
I really hope someone can clarify this for me, as I'm not really sure what to think or make of it. So, to make a long story short, the customer wants to implement cert auth on the gateway (machine cert, that is), but we are stuck on one point with TAC and I can't seem to get a straight answer on whether this would work the way we think it would.
So, let's forget for a moment about the AD/LDAP part and say the customer simply wants to test one LOCAL VPN user to see if it works. TAC is saying that none of this is supported WITHOUT having the IA blade enabled, yet that's not indicated anywhere in the below document, apart from the fact that you need an access role; but here we are not using access roles, so I'm not sure why the IA blade would be required.
I also attempted to replicate it in the lab, but even when configured as below on the gateway side, it does not do much at all.
The TAC person even told us they consulted with the tech lead as well, but that seems to be the final "verdict", though it does not appear to be documented officially. Any idea?
Thanks as always for the help.
Best,
Andy
Snippet from my lab:
The option you don't see actually says "mandatory".
Hey everyone,
Just to update, issue was solved with TAC following sk116997 and sk91844, in case anyone has the same problem.
Best,
Andy
I have the following in production:
Endpoint VPN clients. They use Local user with certificate.
So no access roles! Rulebase is based on office mode pool.
But I have the IA blade enabled and an LDAP account unit. So it would be best for you just to test it.
If I read the docs you sent, they make the rules based on access roles. For this you need the blade.
You can also try to make a rule based on a local user group in the source instead of the OM pool.
Customer is actually trying to make this work with machine certificate.
Andy
Machine Auth only works with AD joined machines and AD sourced machine certificates. I think it may work without IA if you manually set up the LDAP account unit etc but it's easier to just enable IA and let the wizard do that for you. Certainly you'd need IA to do any policy enforcement based on machine IDs.
So it may or may not work without IA, but given you're already querying AD to make it work, you might as well use IA.
That's what my thinking was as well. I don't see why the IA blade is required if they only wish to test a local VPN user, as that does not require any access roles, since nothing has to be pulled from AD; therefore enabling the IA blade would not do anything in such a scenario.
Anywho, the TAC escalation guy sent debugs to run, so let's see what comes out of that.
Best,
Andy
Hi,
If I remember correctly, you need at least the certificate chain with root and intermediate CA configured on the security management, for the gateway to compare the machine certificate's validity. Without that nothing will happen.
IA and AD are only used for the access roles with the included machines.
Though, there are some challenges to keep in mind.
Number 1: if the client has a machine certificate installed that's not issued by the CA (mandatory or not is irrelevant), the client will fail with an ominous error message without a log entry on the management.
The RA client always presents the longest valid certificate (usually the newest) to the security gateway for validation.
Challenge number 2 is that the root and intermediate certificates on the client MUST be in the correct place within the certificate store of the client, otherwise the connection will also fail.
https://support.checkpoint.com/results/sk/sk175111
BR,
Markus
Hey Markus,
Thanks very much for that. Indeed the customer does have those configured, but still, for some unknown reason, it keeps failing. I suppose that's why TAC asked for debugs, so we will have to see what's causing this not to work.
When I have an update, I will update the thread.
Best,
Andy
Hey guys,
Just to give a quick update on this... CP escalations asked the customer for a migrate export from mgmt and a cpinfo from the affected gw, as they want to see if they can replicate the exact scenario in their lab. I will keep you posted on what the solution is once everything is working as expected.
Best,
Andy
If I recall correctly, the CN basically registers as a user from CP perspective when it logs in using the cert, hence IA would be needed.
What errors are you getting in the logs? Both on client and GW side?
I would have to double check again, but I'm fairly positive IA would NOT be needed if you are simply testing one local user. You need IA essentially for access roles. Lots of people have the misconception that you need that blade to be able to see usernames in the logs, which can't be further from the truth.
Best,
Andy
OK I agree with that, however what I was talking about was the machine identity. The Machine identity if you have IA enabled actually also gets installed with PDP. I am not sure what the result is if you turn off IA as I don't have a lab environment to test that with. However, it could be IA is a required part for the machine auth itself, not the user.
The logs I was referring to were the authentication logs (SmartLog: "Log In" OR "Failed Log In"), to see what the error is.
You can also do debug on client side to watch if it does select a machine cert and presents it.
K, I see what you mean 🙂
Yes, the client got all the debugs and they sent them to TAC. Let's see how this gets solved, because I also tried to reproduce it in the lab, but without success.
Best,
Andy
Last update from TAC, but they are still attempting to replicate the client's exact environment.
Andy
*****************************
For machine authentication the PC needs to be a part of an AD domain and the machine certificate's DN needs to be equal to the DN of the PC in AD. Access roles are also needed for the enforcement of machine identities.
If the client is complaining about a missing machine cert, I would start with having a certificate issued by one of the CAs that is trusted by the gateway, for the machine's DN in AD.
*******************************
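An added diagnostic, not part of this thread or of any Check Point tool, that checks on a Windows client the points raised by Markus (which machine certificate the client will present, and whether root and intermediate sit in the right LocalMachine stores) and by the TAC note above (subject DN equal to the computer's DN in AD). It assumes an elevated PowerShell session on the domain-joined client and uses a placeholder name for the issuing CA configured on the management.

```powershell
# Added diagnostic (not from the thread or Check Point). Assumptions: elevated
# PowerShell on the domain-joined VPN client; $ExpectedIssuerCN is the CN of the
# issuing CA trusted by the gateway (placeholder value, replace it).
param([string]$ExpectedIssuerCN = 'PLACEHOLDER-ISSUING-CA')

# 1. Machine certificates the client could present (need a private key).
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
if (-not $machineCerts) { Write-Warning 'No machine certificate with a private key in LocalMachine\My'; return }

# 2. The RA client presents the longest-valid certificate: newest NotAfter wins.
$candidate = $machineCerts | Sort-Object NotAfter -Descending | Select-Object -First 1
"Certificate the client is expected to present:"
"  Subject : $($candidate.Subject)"
"  Issuer  : $($candidate.Issuer)"
"  Expires : $($candidate.NotAfter)"
if ($candidate.Issuer -notmatch "CN=$([regex]::Escape($ExpectedIssuerCN))") {
    Write-Warning 'Longest-valid cert is NOT issued by the expected CA (challenge 1 in the thread).'
}

# 3. The chain must build from local stores: root in Root, intermediates in CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline: only store placement is checked here
if (-not $chain.Build($candidate)) {
    Write-Warning ('Chain does not build: ' + (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '))
}
foreach ($element in ($chain.ChainElements | Select-Object -Skip 1)) {
    $c = $element.Certificate
    $store = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }   # self-signed => root store
    $present = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object Thumbprint -eq $c.Thumbprint
    $state = if ($present) { 'OK' } else { 'MISSING (challenge 2: wrong store?)' }
    "  LocalMachine\$store : $($c.Subject) -> $state"
}

# 4. Subject DN should equal the computer object's DN in AD, as the TAC note states.
$adDn = ([ADSISearcher]"(sAMAccountName=$env:COMPUTERNAME`$)").FindOne().Properties['distinguishedname'][0]
$norm = { param($dn) ($dn -replace ',\s+', ',').ToLowerInvariant() }   # ignore spacing/case
if ((& $norm $candidate.Subject) -ne (& $norm $adDn)) {
    Write-Warning "Subject DN '$($candidate.Subject)' differs from AD DN '$adDn'"
}
```

Run it as Administrator on the client; each warning maps to one of the failure causes discussed above, and the gateway-side authentication log ("Log In" / "Failed Log In") remains the place to confirm what the gateway actually saw.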