This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
fjulianom
Advisor
‎2022-04-08 03:09 AM

Some doubts about Captive Portal authentication

Hi experts,

 

Suppose that I select AD Query and Browser-Based Authentication as my methods acquiring identity on my network. And I create a rule like this:

rule.PNG

To my knowledge, this is what happens in the following situations:

1 - When I user which belongs to the Marketing group (supposing the Marketing Access Role is mapped to the Marketing AD group) logs in and open https://youtube.com, this user can access with no problem.

2 - If a guest user try to access https://youtube.com, it will be redirected to the captive portal to authenticate.

3 - When I user which belongs to the Operations group logs in and open https://youtube.com, this user will be redirected to the captive portal to authenticate.

 

Am I correct?

 

Regards,

Julián

 
 
 

 

0 Kudos
8 Replies
G_W_Albrecht
Legend Legend
Legend
‎2022-04-08 03:38 AM

See sk121074: Identity Awareness Redirect to Captive Portal in R80.10 and above

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2022-04-08 04:53 AM

I believe thats actually correct...think about it this way. When you have captive portal enabled, if any given user can NOT be even passively authenticated, they would be redirected to captive portal page to log in.

So, based on rule you had given as an example, anyone in the source access role would get authentication prompt when trying to access any of those applications. As far as guest access, I cant recall now, but I believe thats enabled by default. Maybe @PhoneBoy can confirm for you 100% the behaviour based on screenshot and the questions.

What @G_W_Albrecht gave you is helpful, but you can also refer to below, it gives solid explanation:

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_IdentityAwareness_AdminGuide...

 

Andy

fjulianom
Advisor
‎2022-04-08 10:19 AM
In response to the_rock

Hi Andy,

 

When you say “anyone in the source access role would get authentication prompt when trying to access any of those applications”, do you mean users in the Marketing AD group as well? Because as long as the gateways are integrated with the AD server, these users should be authenticated passively without authentication prompt, am I right?

By the other hand, the users who get the captive portal page and type the username and password, against which database are authenticated? Where are these usernames and passwords stored?

 

Regards,

Julian

0 Kudos
the_rock
Legend
Legend
‎2022-04-08 10:21 AM
In response to fjulianom

Thats my understanding, I was referring to source marketing access role. Technically, since access roles are tied with IA and thats tied to AD, credentials would be "coming" from AD side.

Andy

fjulianom
Advisor
‎2022-04-08 10:29 AM
In response to the_rock

And for this part?

By the other hand, the users who get the captive portal page and type the username and password, against which database are authenticated? Where are these usernames and passwords stored?

For example, for users outside the company which are not in AD, where are their credentials stored?

 

Regards,

Julian

0 Kudos
the_rock
Legend
Legend
‎2022-04-08 10:35 AM
In response to fjulianom

Thats a good point...not sure about guests, I will let someone else confirm that. I see there is an option for unregistered guests login under portal settings, so I assume they would need to fill out registration before being granted access. You know, sort of like what you have to do at certain restaurants, hotels, etc...I believe thats how it works, but its more my educated guess, have not tested it yet.

Andy

fjulianom
Advisor
‎2022-04-08 03:06 PM
In response to the_rock

Yeah, it works like that. In the following link there are two cases very well explained:

1 - AD user with BYOD.

2 - Guest user.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...

Take a look!

the_rock
Legend
Legend
‎2022-04-08 03:19 PM
In response to fjulianom

Thats super helpful, ty!!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events