CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

1. Come to CPUG CON 2008 EUROPE in Switzerland on September 8th - 9th!
    Two days full of technical content for Check Point administrators in the beautiful Swiss Alps!
    We already have sign-ups from twelve different countries!
2. CCSA/CCSE One-Week Dual-Certification Training Course with CPUG in San Francisco!
    Courses Starting 7/14, 8/25, 10/6, 11/3, 12/8, (2009) 1/19, 2/9, 3/9, 4/6, 5/4, 6/8.
3. Corrent S3500 SecureXL Turbocards For Sale - Last Six Remaining - Get Your Spares!
4. Join Us On LinkedIn - We now have a CPUG group.


Go Back   CPUG: The Check Point User Group > Check Point Firewall-1/VPN-1 And Related Products > Authentication
Reload this Page IAS and certificates. Is it feasible?
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 2006-11-22
slimo slimo is offline
Junior Member
  
Join Date: 2006-11-11
Posts: 16
Rep Power: 0
slimo has an average reputation (10+)
Default IAS and certificates. Is it feasible?
Hi,

Would it be possible to set up IAS and Checkpoint so that the vpn users need to provide username/password as well as certificate to be able to authenticate?

Thanks
Reply With Quote
  #2 (permalink)  
Old 2006-11-22
RayPesek RayPesek is offline
Senior Member
  
Join Date: 2006-03-19
Location: Northern Ohio
Posts: 862
Rep Power: 3
RayPesek has an average reputation (10+)
Default Re: IAS and certificates. Is it feasible?
Can you give me an example of what you're trying to accomplish with this requirement?

We use a similar setup with Connectra for computers that do not belong to us, but I don't know how FW-1 would use it.

On Connectra, we use an FW-1 ICA certificate to authenticate the computer/user to the portal to eliminate the problem with guessed user names and passwords. Then we have the end user enter Windows credentials for access to Windows resources. A Server 2003 IAS box works as the RADIUS server.

Ray
Reply With Quote
  #3 (permalink)  
Old 2006-11-22
slimo slimo is offline
Junior Member
  
Join Date: 2006-11-11
Posts: 16
Rep Power: 0
slimo has an average reputation (10+)
Default Re: IAS and certificates. Is it feasible?
I would like to set up two requirements before an user can be authenticated:

1. a user can only use his/her computer to authenticate. Cannot use another computer (ie colleague's computer or home computer). I think this is where we need to use certificate.

AND

2. provide a Windows username and password.

Is this two requirements are possible? If yes, is there then anyone in this forum has a set up like this. We have currently NGX R60 on a Nokia 350

Thanks for your help

Slimo
Reply With Quote
  #4 (permalink)  
Old 2006-11-23
RayPesek RayPesek is offline
Senior Member
  
Join Date: 2006-03-19
Location: Northern Ohio
Posts: 862
Rep Power: 3
RayPesek has an average reputation (10+)
Default Re: IAS and certificates. Is it feasible?
If they can export the certificate or simply copy it, it will be portable between computers.

This code in local.scv will check the name of the domain that the computer is a member of. It can be beat by naming a home computer to the same name as the domain name, though:

: (RegMonitor
:type (plugin)
:parameters (
:string ("SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winl ogon\DefaultDomainName=OURDOMAIN")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("Your computer account password is invalid. The Help Desk has been notified.")
:end (admin)
)
)


I don't know of any way to require both a Windows account and certificate to complete a login.

Ray
Last edited by RayPesek; 2006-11-23 at 15:30.
Reply With Quote
  #5 (permalink)  
Old 2006-11-23
RayPesek RayPesek is offline
Senior Member
  
Join Date: 2006-03-19
Location: Northern Ohio
Posts: 862
Rep Power: 3
RayPesek has an average reputation (10+)
Default Re: IAS and certificates. Is it feasible?
I don't know why it's putting a space in \Winlogon\. It's not there when I try to edit it out.

Rai
Reply With Quote
  #6 (permalink)  
Old 2006-11-24
slimo slimo is offline
Junior Member
  
Join Date: 2006-11-11
Posts: 16
Rep Power: 0
slimo has an average reputation (10+)
Default Re: IAS and certificates. Is it feasible?
Thanks. Apparently nobody has this configuration in place.
Today I installed a test environment (AD, Checkpoint, IAS). My next step is to install Windows Enterprise Root CA. Deploy certificates to computers and set a policy in IAS to allow only computers with cerificates and valid user/password.

If people are interested I will let you know the result.

Have a nice weekend

Slimo
Reply With Quote
  #7 (permalink)  
Old 2006-11-24
RayPesek RayPesek is offline
Senior Member
  
Join Date: 2006-03-19
Location: Northern Ohio
Posts: 862
Rep Power: 3
RayPesek has an average reputation (10+)
Default Re: IAS and certificates. Is it feasible?
I'm interested.

Thanks,

Ray
Reply With Quote
  #8 (permalink)  
Old 2007-01-26
ppnair@gmail.com ppnair@gmail.com is offline
Junior Member
  
Join Date: 2007-01-10
Posts: 29
Rep Power: 0
ppnair@gmail.com has an average reputation (10+)
Default Re: IAS and certificates. Is it feasible?
I am intertested too and thinking of this.. What happened NEXT???

Praveen
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -7. The time now is 19:42.

Contact Us - CPUG Home Page - Archive - Top

Powered by vBulletin® Version 3.7.2
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
LinkBacks Enabled by vBSEO 3.0.0