Hi experts,
Suppose that I select AD Query and Browser-Based Authentication as my methods for acquiring identity on my network. And I create a rule like this:
To my knowledge, this is what happens in the following situations:
1 - When a user who belongs to the Marketing group (supposing the Marketing Access Role is mapped to the Marketing AD group) logs in and opens https://youtube.com, this user can access it with no problem.
2 - If a guest user tries to access https://youtube.com, they will be redirected to the captive portal to authenticate.
3 - When a user who belongs to the Operations group logs in and opens https://youtube.com, this user will be redirected to the captive portal to authenticate.
Am I correct?
Regards,
Julián
See sk121074: Identity Awareness Redirect to Captive Portal in R80.10 and above
I believe that's actually correct...think about it this way. When you have captive portal enabled, if any given user can NOT be even passively authenticated, they would be redirected to the captive portal page to log in.
So, based on the rule you had given as an example, anyone in the source access role would get an authentication prompt when trying to access any of those applications. As far as guest access, I can't recall now, but I believe that's enabled by default. Maybe @PhoneBoy can confirm for you 100% the behaviour based on the screenshot and the questions.
What @G_W_Albrecht gave you is helpful, but you can also refer to the below; it gives a solid explanation:
Andy
Hi Andy,
When you say “anyone in the source access role would get authentication prompt when trying to access any of those applications”, do you mean users in the Marketing AD group as well? Because as long as the gateways are integrated with the AD server, these users should be authenticated passively without an authentication prompt, am I right?
On the other hand, the users who get the captive portal page and type the username and password, against which database are they authenticated? Where are these usernames and passwords stored?
Regards,
Julian
That's my understanding, I was referring to the source marketing access role. Technically, since access roles are tied with IA and that's tied to AD, credentials would be "coming" from the AD side.
Andy
And for this part?
On the other hand, the users who get the captive portal page and type the username and password, against which database are they authenticated? Where are these usernames and passwords stored?
For example, for users outside the company who are not in AD, where are their credentials stored?
Regards,
Julian
That's a good point...not sure about guests, I will let someone else confirm that. I see there is an option for unregistered guests login under portal settings, so I assume they would need to fill out registration before being granted access. You know, sort of like what you have to do at certain restaurants, hotels, etc...I believe that's how it works, but it's more my educated guess, have not tested it yet.
Andy
Yeah, it works like that. In the following link there are two cases very well explained:
1 - AD user with BYOD.
2 - Guest user.
Take a look!
That's super helpful, ty!!