CPUG - The Check Point User Group. A Resource For The Check Point Community. Fast. Useful. Independent.
I don't know if this can be done, but... We have an NGX R60 and SmartDirectory, and we are using a Windows Server 2003 as a domain controller. I can query the LDAP groups OK. I created a rule that says:

source: ldap_group@any
dest: any
VPN: any
service: any
action: client auth

In client auth properties:
- required sign on: standard
- sign on method: fully automatic (I've tried partially automatic and manual also)

With this rule, when anyone tries to open a web page, IE asks for a domain username/password. After typing valid credentials, the user is able to surf the net or use any other internet service (i.e. MSN Messenger). This is OK, this is what I wanted to accomplish, but now I want to make Check Point not ask for a password, just use the credentials of the currently logged-on user. Is this possible? What do I have to do? Is there any more info that you need to help me with this? Thanks everyone. BTW, I'm sorry for any grammar or spelling mistakes, English is not my native language, I'm trying my best :)
There are a few things you probably should consider first:
- The username/password are being sent in clear text, not ideal.
- Your rule might be too permissive, since it allows any traffic to any destination. It's good practice to limit the destination and/or services (otherwise an infected/compromised/rogue machine can do a lot of stuff).

In your case I'd consider:
- Getting an ISA, use it to proxy all access out and authenticate users (since this uses hashes rather than clear text, which is much safer).
- Using Client Auth with SSL (user must authenticate specifically).
- Using Session Auth, since it can use encryption (I don't like it that much tbh).

The only real enterprise solution to do the SSO that you mention with Check Point is Meta IP, which isn't that popular and is also expensive/requires changing quite a few things. I think this isn't even Check Point anymore, not sure.
As for ISA, I know this works well for HTTP/HTTPS and FTP, but how well does it work for non-standard protocols like, say, Skype?
Well yeah, ISA is a bit limited, but then again, what do the users really need for work purposes? That is the big question... tbh most users have a lot more than they need. So I guess my answer should have been: depending on what traffic you need to control, ISA might be a good option... or not ;)
Hi, how do you query the LDAP group? I have CP NGX R60 and AD on Windows 2003. I would like to do SSO from outside of my network; actually I'm using RADIUS authentication and it works, but in this case I have to replicate the user from AD into the CP database; I would like to use users from the AD database. Thanks.
For SSO you should consider using two-factor (strong) authentication, rather than just AD. More so when you use SSO and "from outside the network" in the same sentence. Rambling on, you should also make sure that FW-1 and AD are using 636 to communicate (and not 389 like many people use) so that it's encrypted. Never did this on 2003 nor with the latest FW-1 versions, so I can't help there.
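The two replies above make the same point twice: the credentials in a plain LDAP simple bind on 389 (and in the earlier clear-text client-auth prompt) are readable by anyone on the path, which is why 636/LDAPS is recommended. The following is an added example, not code from the CPUG thread or from Check Point, that shows concretely what a passive observer on tcp/389 recovers. It BER-encodes an LDAPv3 simple BindRequest (RFC 4511) the way a client such as FW-1's SmartDirectory would, then parses those same bytes back out as a sniffer would. The DN and password are constructed for the example; there is no network I/O.

```python
"""Added example (not from the CPUG thread): an LDAP simple bind over plain
tcp/389 carries the bind DN and the password as unprotected BER OCTET STRINGs.

build_simple_bind() produces the bytes a client sends; sniff_simple_bind()
plays the role of anyone capturing port 389 and recovers the credentials.
With LDAPS (636) the same LDAPMessage sits inside a TLS record and the
sniffer sees only the record header and ciphertext.
"""


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(value: int) -> bytes:
    """Minimal non-negative INTEGER (enough for messageID and version)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # keep the sign bit clear
        body = b"\x00" + body
    return ber_tlv(0x02, body)


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, protocolOp BindRequest { version 3,
    name LDAPDN, authentication simple [0] } } as sent on the wire."""
    bind_req = (
        ber_int(3)                          # version 3
        + ber_tlv(0x04, dn.encode())        # name: OCTET STRING
        + ber_tlv(0x80, password.encode())  # [0] simple: the password, as-is
    )
    # 0x60 = APPLICATION 0 = BindRequest; 0x30 = outer SEQUENCE
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(0x60, bind_req))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:           # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def sniff_simple_bind(packet: bytes):
    """What a passive observer on tcp/389 gets from one captured BindRequest.
    Returns (dn, password), or None if the message is not a simple bind
    (for example a SASL bind, whose authentication choice is tagged 0xA3)."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    _, _message_id, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        return None
    _, _version, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        return None
    return dn.decode(), auth.decode()


if __name__ == "__main__":
    # Constructed sample: a hypothetical service account FW-1 would bind with.
    pkt = build_simple_bind(1, "cn=fw1-ldap,cn=Users,dc=example,dc=local", "S3cret!")
    print(pkt.hex())
    print(sniff_simple_bind(pkt))   # ('cn=fw1-ldap,...', 'S3cret!')
```

The decoder deliberately needs nothing beyond the BER framing: no LDAP library, no dictionary attack, no replay. That is the practical content of "use 636, not 389": the fix is not a stronger password on the bind account but keeping the BindRequest out of sight, and the same reasoning applies to any clear-text prompt users answer with their domain password.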
Take a look at http://cpug.org/check_point_resource...0FW-1%20NG.zip
Hi, I did it and now I can retrieve users from the AD database; however, when I try to install policies it answers me with an error: no sufficient licenses for account management. I think the problem is in the SmartDirectory; I should use another license, I suppose. Thanks.
Account Management/SmartDirectory is the same license. It is included with SmartCenter Pro/Power and is an add-on for Express/UTM. The SKU is CPUTM-SMDR and it's $5k US.