Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Blason_R
Leader
Leader
Jump to solution

Captive portal for linux SSH or Terminal windows

Hi there,

Is anyone aware if any mechanism exists to leverage Identity awareness when I would like to pass through Firewall with captive Portal enabled while using SSH or Linux with no GUI Terminal?

With browser Yes it's pretty much possible; but what if the GUI is not available?

 

Thanks and Regards,

Blason R

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend

Captive Portal is made for Browser Based Auth only - you could do a RFE here: Products and Feature Suggestions

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

0 Kudos
13 Replies
G_W_Albrecht
Legend Legend
Legend

Captive Portal is made for Browser Based Auth only - you could do a RFE here: Products and Feature Suggestions

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Blason_R
Leader
Leader

Okies and thanks for the reply.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Bogdan_Tatomir1
Contributor

Going back to "Captive Portal is made for Browser Based Auth only".

While this is perfectly true, browser communication in the end is just HTTP GET and HTTP POST requests.

If we would to capture a HTTP session between a, let's say Windows supported browser, and the IDA portal auth, with Fiddler or similar, and then extract and replicate the HTTP post of the authentication itself, and then script that into the linux cli box ?

Would this work ?

Afaik, Captive portal does not require any ongoing resources (keep-alive window open / cookies validation /etc) and once the IP and username have been linked on the FW side, it remains so until the configured session timeout.

0 Kudos
PhoneBoy
Admin
Admin
Identity Awareness has an API.
Perhaps you can script up something that gives your Linux machine an identity?
0 Kudos
Blason_R
Leader
Leader

Thanks buddy!!

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Wolfgang
Authority
Authority

In the older times there was a possibility to telnet to port 259 on the gateway. This worked via a rule with "Client Auth" as action...

Client_Authentication.PNG

This very old document gives a good description of how to configure

http://downloads.checkpoint.com/dc/download.htm?ID=12297

But with "Client Auth" there are some limitations shown in sk115961

We had customers using this with R77.30, but never tried on R80.xx

0 Kudos
G_W_Albrecht
Legend Legend
Legend

You can find another answer in sk115242: The Linux user can use the supported SNX build for Linux CLI implementation from sk90240 (Build 800007075) instead of the Captive Portal ! See also SSL Network Extender E75 CLI Support for Mobile Access Blade Release Notes.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
Client Auth has been deprecated. That said, there are a few use cases where Client Auth still makes sense (like this one).
0 Kudos
Blason_R
Leader
Leader

Well, the use case here is; since we have a customer whose servers are placed in DMZ and then users can access the DMZ servers and then since those are servers have outbound https access opens they do SSL Tunneling to certain sites and access it. I understand we can harden it on SSH bu disabling SSH Port forwarding but I see cases where the user has setup Squid proxy on a server and since the server has ANY Access to http/https they are able to access the internet through it.

Hence even if they take SSH of the server wondering if Captive portal could have been a better option for accessing the Internet?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
PhoneBoy
Admin
Admin
SSH can also be a SOCKS proxy as well, so there's another potential hole to close.
0 Kudos
Ken_Dickey
Explorer

RDP sessions to jump hosts in SCADA environments is another use case.  I used to configure Client Auth with RSA MFA just for that purpose.  Is this no loner possible in R80?

0 Kudos
Daniel_Taney
Advisor

Client Auth still exists in R80.x but if memory serves, it can cause weird issues with your policy if you are using layers. We still have Client Auth rules in a couple of policies and I seem to remember testing things on a lab GW and being given some error when I tried to mix layers and Client Auth rules. 

So, while the feature is still there, it may interfere with your ability to make use of newer Check Point features. 

R80 CCSA / CCSE
0 Kudos
PhoneBoy
Admin
Admin
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events