C_H
Explorer

Replacement for Client Authentication

Hello CheckMates Community,

I am having problems finding a replacement for Client Authentication:

One of my customers uses the Client Authentication feature to give privileged IT users the option of not having to use the proxy, but instead to connect directly from a client to the Internet via the firewall in order to be able to quickly resolve connection problems that occur when connecting via the proxy.

As a replacement, I have come up with the following approach:
The “normal” Active Directory identity is reported to the PDPs via Identity Agent for a User Endpoint Computer, Identity Agent for a Terminal Server (MUH) or Remote Access VPN client.
The Captive Portal / Browser Based Authentication serves as a replacement for the Legacy Client Authentication and the privileged IT employees should be able to activate/enable the connection without proxy via “additional rules” here.
In addition to identity-based rules that guarantee “normal” access via the Web Proxy, there would be additional rules with access roles that contain Check Point user groups in which internal Check Point users of the privileged IT employees are located.

I am encountering the following problems:

1. If an identity comes from the identity agent/MUH/Remote Access and from the browser-based authentication, both identity sessions are of the per-host type. These overwrite each other and cannot be known to the PDP at the same time. This destroys my idea of extending the already known identity of the client with the other new identity from the Browser Based Authentication Identity Source to enable access without a proxy. A change from override to append is not possible for per-host according to support ticket.

2. Flapping of identities when logging on to a client already connected to Identity Agent for a User Endpoint Computer via Captive Portal / Browser Based Authentication. Possible Solution: Adjustment of the ScorePerIdentitySource parameter in the PDP Identity Conciliation Configuration File so that the Captive Portal / Browser Based Authentication has a higher score than the Identity Agent for a User Endpoint Computer.

3. No feedback in the Identity Agent when privileged IT employees log in/out via Captive Portal / Browser Based Authentication. No solution yet, possibly catchable via timer values.

4. As soon as a user opens the Captive Portal / Browser Based Authentication in the browser on a client already connected to Identity Agent for a User Endpoint Computer, he falls into the Unauthenticated Guests group and therefore no more rules apply to him. No solution yet.


It looks to me as if the use case of the previous client authentication cannot be depicted/identity awareness is not made for it.

Does anyone have any tips for me on how I could replace the client authentication feature?


Best Regards

Colin

PhoneBoy
Admin

You can run MUHv2 on a regular Windows 10/11 machine (not a terminal server) and have both users logged into separate Windows sessions on the same system...and get different privileges.
However, I can see the use case for Client Auth in this case.

@Liel_Shaish possible RFE here.
