CPUG

The Check Point User Group

#1 mkeca, 2008-01-23
Integrity with 802.1x

Hello!

I'm trying to implement 802.1x with CP Integrity.
For 802.1x I'm using Cisco switches with Cisco ACS. Users are
authenticated from Windows Active Directory. The supplicant is the built-in
Windows XP supplicant with PEAP and machine authentication.
To fix a bug in the PEAP supplicant, I had to manually set two registry entries:
HKLM\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode to 1
HKLM\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode to 3
When a user is authenticated, he is dynamically put in the appropriate VLAN.
This setup works like a charm without the CP Integrity agent.

The CP Integrity agent is configured per user by AD group membership. When
I install the Integrity agent I have some issues with user policies
depending on VLAN assignment. If the user is put in the same VLAN in which the
computer is put after machine authentication, everything works fine. If the
user is put in a different VLAN, user policies are not downloaded correctly
and in the log I can find the following errors:
ACCESS,2008/01/23,16:43:32 +1:00 GMT,Generic Host Process for Win32
Services was blocked from accepting a connection from the local zone
(10.10.0.51:DNS).,N/A,N/A

Address 10.10.0.51 is the DC, with DNS and DHCP services.

My doubts are:
Can CP Integrity work well with dynamic VLAN assignment and what should
be done to make that work?
Integrity changes the registry entry:
HKLM\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode to 2
which I have to reset manually to 3. Is it a problem if that value is 3 instead of 2, which is the installation default?

Tnx!

Marko

Last edited by mkeca; 2008-01-23 at 23:53. Reason: corrections
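
Added example (not part of the original posts and not Check Point tooling): a small triage over Integrity client log lines of the form quoted in post #1, counting blocked inbound connections whose peer is a server the endpoint depends on, such as the DC at 10.10.0.51. The field layout is inferred from that single quoted line; the INFRA inventory and the extra sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Layout inferred from the one log line in the post (assumption):
# type,date,time,message,field,field
LINE_RE = re.compile(
    r"^(?P<type>[A-Z]+),(?P<date>\d{4}/\d{2}/\d{2}),(?P<time>[^,]+),"
    r"(?P<proc>.+?) was blocked from accepting a connection from the "
    r"(?P<zone>\w+) zone \((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<svc>[^)]+)\)\.,"
)

# Hypothetical inventory of servers the endpoint must reach after a VLAN change.
INFRA = {"10.10.0.51": "DC/DNS/DHCP"}

# Constructed sample: the first line is the post's log entry joined onto one
# line, the second repeats it, the third is an unrelated made-up entry.
SAMPLE = """\
ACCESS,2008/01/23,16:43:32 +1:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the local zone (10.10.0.51:DNS).,N/A,N/A
ACCESS,2008/01/23,16:43:35 +1:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the local zone (10.10.0.51:DNS).,N/A,N/A
ACCESS,2008/01/23,16:44:02 +1:00 GMT,Example App was blocked from accepting a connection from the local zone (10.10.20.7:HTTP).,N/A,N/A
"""


def parse(line):
    """Return the fields of one 'blocked from accepting' entry, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def infra_blocks(text, infra=INFRA):
    """Count blocked inbound connections whose peer is a listed server."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec and rec["ip"] in infra:
            hits[(rec["ip"], rec["svc"], rec["proc"], rec["zone"])] += 1
    return hits


if __name__ == "__main__":
    for (ip, svc, proc, zone), n in infra_blocks(SAMPLE).items():
        print(f"{n}x {proc} blocked from {INFRA[ip]} {ip}:{svc} ({zone} zone)")
```

Repeated hits against the DNS/DC address right after the user VLAN is assigned point at the firewall rules in the policy that is active at that moment, which is where to look before the user policy can download.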

#2 chillyjim, 2008-01-27
Re: Integrity with 802.1x

Most AD-based policy assignment problems come from having more than one AD server (a good thing) and not having the Integrity server configured correctly.

I don't remember how to deal with this part but maybe Robert or csig will pipe up on it.

#3 CSING, 2008-02-09
Re: Integrity with 802.1x

Greetings,
A couple of things I would try. Place the AD and Integrity server in the user's host file and see if the correct policy downloads. Also, on the catalog, make sure add user and proxy are checked.

When the proxy is checked for a user catalog, the endpoint will display a username & password prompt 3 times before giving the entity's default policy.

This may help troubleshoot.

HTH