Remote Access VPN and Identity Agent
Hello,
We have migrated our VPN Users to a Firewall which is also the host for Identity Agent using Active Directory credentials.
In the inner network there is no problem with the Identity Agent. It authenticates and the Identity Portal is working in the browser.
When you connect with Endpoint Security VPN, the VPN connection using RADIUS 2-factor authentication works as expected. But the Identity Agent does not work. If you open the Identity Portal with the browser, you get redirected to the SNX Portal.
How can we change this behaviour?
We are using R80.10 Management with R77.30 Gateways.
Thanks,
Jan
I'm not sure I understand the use case for Identity Agent when your VPN client provides a source of identity the gateways can use.
Is there some use case I'm missing here?
Replying to a very old post, but I am considering Identity Agents in conjunction with VPN RAS (SAML to Azure AD) to get machine identities. I don't think there's any way to get this at present with VPN RAS - even if the Azure AD conditional access policy first looks for a machine certificate, I don't think this is being passed to the gateway (or used?). We would like to be able to use roles with both user and machine identities in conjunction with VPN RAS (to allow use of the same roles on perimeter and back-end gateways).
Hello,
For Identity Awareness we are using Active Directory. As we use 2-factor authentication for VPN, the users are not recognized as the AD-Users, only as Users of a RADIUS Group. So the rules made for these Users are not matching.
I do not know how to match these Users.
Also, if the user is also an Administrator and sometimes needs access to Systems that are not in his default user rule, he has to identify as another user on the IA Portal. But this would be a rare problem.
Apart from that, I don't know how to put an explicit RADIUS User in a Rule without defining the User in the Check Point Firewall.
I have made a Service Request. So we will see if there is a better approach.
Thanks,
Jan
Jan,
Did you solve this problem? It is also a problem of my customer ....
Best regards,
Tomasz
Hello,
No, we didn't solve the problem. We are redesigning our network at the moment. We will have a second firewall in the internal Network that will run the Identity Portal. So we will not have the problem anymore.
The only option I see at the moment is to bind the Portal to all Interfaces. But then the interface facing the Internet will also have the Identity Portal. I think this is a security concern, so I will not do this.
Another option could be to duplicate the Identity Rules and replace the Identity-Users with the VPN-Users.
As we are using the rules only for Administrators at the moment I decided to wait for the redesign.
Best regards,
Jan