CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

  #1 (permalink)  
Old 2007-02-08
Junior Member
 
Join Date: 2006-11-11
Posts: 16
Rep Power: 0
slimo has an average reputation (10+)
Default Authenticate SecureClient with digital certificates

Hello,

Currently our SecureClient users are authenticated with SmartDirectory (username/password). We would like to increase security and use certificates instead. I do not want to use the ICA but rather a Windows Certificate Authority. We are running Check Point NGX R61 on a Nokia box.

Does anyone have a document that explains how to achieve this? Or what settings do I need to change on my Check Point FW?

Thanks in advance
Slimo
  #2 (permalink)  
Old 2007-02-11
Junior Member
 
Join Date: 2006-11-11
Posts: 16
Rep Power: 0
slimo has an average reputation (10+)
Default Re: Authenticate SecureClient with digital certificates

Hello,

I set up my firewall to authenticate SecureClient with certificates generated by an external CA (MS CA). When I try to connect I get the error:
"Could not validate the certificate used by gateway cp001 at site xxx.xxx.xxx.xxx. cannot complete certificate chain CN=...."

Can you help please?

Thanks
Slimo
  #3 (permalink)  
Old 2007-02-11
Senior Member
 
Join Date: 2006-03-19
Location: Northern Ohio
Posts: 909
Rep Power: 3
RayPesek has an average reputation (10+)
Default Re: Authenticate SecureClient with digital certificates

Check out

Unable to authenticate users using Microsoft Enterprise CA certificates.
Solution ID: #sk15678

Ray
  #4 (permalink)  
Old 2007-02-12
Junior Member
 
Join Date: 2006-11-11
Posts: 16
Rep Power: 0
slimo has an average reputation (10+)
Default Re: Authenticate SecureClient with digital certificates

Thanks for the reply. I already did this, because before that the error was "unknown user". So I am one step further now.

Apparently, I need to
1. generate a certificate request in the FW object VPN property sheet
2. send the request to MS CA
3. apply the reply on the FW

Is that correct?

Slimo
  #5 (permalink)  
Old 2007-02-12
Senior Member
 
Join Date: 2006-03-19
Location: Northern Ohio
Posts: 909
Rep Power: 3
RayPesek has an average reputation (10+)
Default Re: Authenticate SecureClient with digital certificates

I don't know. I'm thinking of doing the same thing so I knew which articles I had seen that looked relevant. I was hoping you could tell me what you do to make it work. :-)

Ray
  #6 (permalink)  
Old 2007-02-15
Junior Member
 
Join Date: 2006-11-11
Posts: 16
Rep Power: 0
slimo has an average reputation (10+)
Default Re: Authenticate SecureClient with digital certificates

I succeeded in authenticating with certificates.
Like I said earlier: I had to go to the FW object, VPN sheet, then add a certificate to the list. This generates a certificate request. I took that request to my Microsoft Enterprise CA and submitted it. With the reply, I went back to my FW and completed the certificate request. Voilà, that's all.

PS: be sure to also define the external CA in OPSEC.

Slimo
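
The request/sign/install flow described in the post above, reproduced offline with OpenSSL as an added example (it is not part of the thread and is not Check Point or Microsoft tooling). The CA names, the gateway name `gw.example.test` and all file names are constructed placeholders; the last step checks the gateway certificate against the issuing CA and against an unrelated CA.

```bash
#!/usr/bin/env bash
# Added example: throwaway lab PKI. Every name and file below is a constructed placeholder.
set -eu

build_lab_pki() {   # $1 = empty work directory
  dir=$1
  # Minimal config so the result does not depend on the system openssl.cnf.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example External CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Stand-in for the external (Microsoft) CA: a self-signed root.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # An unrelated CA that never signed anything for the gateway.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
    -subj "/CN=Unrelated CA" -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
  # Step 1: the gateway creates a key pair and a certificate request.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
    -subj "/CN=gw.example.test" -keyout "$dir/gw.key" -out "$dir/gw.csr" 2>/dev/null
  # Step 2: the CA signs the request; gw.pem is the reply installed on the gateway.
  openssl x509 -req -in "$dir/gw.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -out "$dir/gw.pem" 2>/dev/null
}

chain_ok() {   # $1 = trusted CA file, $2 = certificate to check; prints yes or no
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo yes
  else
    echo no
  fi
}

work=$(mktemp -d)
build_lab_pki "$work"
echo "verifier trusts the issuing CA:  $(chain_ok "$work/ca.pem" "$work/gw.pem")"
echo "verifier trusts only another CA: $(chain_ok "$work/other.pem" "$work/gw.pem")"
rm -rf "$work"
```

In the second case OpenSSL reports "unable to get local issuer certificate": the verifier holds no CA certificate that issued the gateway certificate, so the chain cannot be built.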
  #7 (permalink)  
Old 2007-02-15
Senior Member
 
Join Date: 2006-03-19
Location: Northern Ohio
Posts: 909
Rep Power: 3
RayPesek has an average reputation (10+)
Default Re: Authenticate SecureClient with digital certificates

Nice work.

Thanks for the follow-up,

Ray
  #8 (permalink)  
Old 2007-02-19
Junior Member
 
Join Date: 2006-11-11
Posts: 16
Rep Power: 0
slimo has an average reputation (10+)
Default Re: Authenticate SecureClient with digital certificates

Do you know a way to force the SecureClient users to use only certificates for authentication? I don't want them to use MS AD username and password.

Thanks
Slimo
  #9 (permalink)  
Old 2007-02-21
Senior Member
 
Join Date: 2005-08-29
Location: Upstate NY
Posts: 1,670
Rep Power: 5
chillyjim has an average reputation (10+)
Default Re: Authenticate SecureClient with digital certificates

Set the user object to authenticate with "undefined" and that should do it.
  #10 (permalink)  
Old 2007-02-28
Junior Member
 
Join Date: 2006-11-11
Posts: 16
Rep Power: 0
slimo has an average reputation (10+)
Default Re: Authenticate SecureClient with digital certificates

Thanks for the help. It worked.