This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nagaraja
Explorer
‎2021-03-17 09:54 AM

Certificate Authentication for Remote Access VPN user

Hi Team,

We have configured personal certificate as First factor and Radius as second factor authentication.

In personal certificate authentication, the firewall will check for the DN(correct me if I am wrong),can we make it to check only CN instead of DN.

Second query is that the user is having multiple certificates, so in that case how Check Point will match the exact certificate  if there are two VPN certificate with two different templates? 

0 Kudos
14 Replies
the_rock
Legend
Legend
‎2021-03-17 02:57 PM

I believe it only checks DN. Your 2nd inquiry, are you referring to just a specific user cert here?

Andy

0 Kudos
Nagaraja
Explorer
‎2021-03-18 04:40 AM
In response to the_rock

Yes, it is user certificate

0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-17 03:06 PM

As far as I know, what we check in the cert is hard coded and can't be changed.
For the second question, it depends on what kind of a certificate we're talking about.

  • For a user-specific certificate, I believe the user chooses what certificate to offer.
  • For a machine certificate, we use the most recent one, I believe (and that's hardcoded).
0 Kudos
Nagaraja
Explorer
‎2021-03-18 04:44 AM
In response to PhoneBoy

Hi Phoneboy,

 

Thanks for the information.

Is there any supporting document which says that we can't change the configuration to check CN instead of DN.

Any article which says that it will use the latest certificate if it is machine certificate.

We are using user based certificate

 

0 Kudos
Nagaraja
Explorer
‎2021-03-18 07:09 AM
In response to PhoneBoy

Hi Phoneboy,

We are using user based certificate and there are multiple certificates(eg. includes expired cert aslo) in user machine.

Why Check Point is not able to pick the valid certificate ? User is not aware of the valid/expired certificates.

0 Kudos
Nagaraja
Explorer
‎2021-03-25 03:32 AM
In response to PhoneBoy

Hi Phoneboy,

  • For a user-specific certificate, I believe the user chooses what certificate to offer - Can We configure this on gateway end to select the certificate automatically instead of user selecting the certificate manually.
0 Kudos
Norbert_Bohusch
Advisor
‎2021-03-25 03:59 AM
In response to PhoneBoy

You can change what is taken from the certificate for matching it against the user base (LDAP or local).

Before R80.x it was a bit of a pain to configure through GuiDBedit, but since R80.10 you can select it when configuration Multiple Login Options:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-...

See chapter:  Certificate Parsing

 

Besides the "Fetch username from" setting as described, you will have to match the "search LDAP for", so it can find it.

So you can even go for CN, SAN.email, SAN.UPN, etc...

 

Btw. I configured this on R77.10 already but not that comfortable 😉

0 Kudos
Nagaraja
Explorer
‎2021-03-29 02:30 AM
In response to Norbert_Bohusch

Hi Norbert,

 

There is no option to configure only CN validation check.

We can configure DN.CN,it seems like this is 'AND' operation not 'OR' operation.

Attaching the screenshot for your reference.

Preview file
234 KB
0 Kudos
Norbert_Bohusch
Advisor
‎2021-03-30 03:03 AM
In response to Nagaraja

DN.CN means the CN part of the DN.

A certificate has always CN as part of DN... So exactly what you asked.

 

I don‘t understand the and/or part of your answer?!

0 Kudos
Nagaraja
Explorer
‎2021-03-30 04:12 AM
In response to Norbert_Bohusch

Hi Norbert,

 

We don't want to validate DN.

We need to validate only CN.

Is that possible ?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-30 03:44 PM
In response to Nagaraja

You can try Custom Fields, otherwise I assume this would be an RFE.

0 Kudos
Norbert_Bohusch
Advisor
‎2021-03-30 10:55 PM
In response to Nagaraja

I don't understand this question?

Can you post a sample Subject or SAN and tell me which part of it you want to use for finding the user in LDAP?

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2023-03-12 02:08 PM
In response to PhoneBoy

Hello Phoneboy,

I have a  question about user authentication when user/pass + user certificate is configured: did the user need to select the certificate every time he connects to vpn or the vpn client automatically recognize the certs from repository?

Thanks a lot

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-13 09:24 AM
In response to CheckPointerXL

I believe the first time you need to specify the certificate.
After that, the certificate should be reused.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events