| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hi all, A client of mine is interested in making VPN connections as transparent as possible. Is it possible to use a certificate to authenticate the connection instead of using a username and password? Any help would be brilliant. Thanks, Pat |
| |||
| Easily, if you want to use the Check Point Internal Certificate Authority on the SmartCenter. Just remember that you may end up authenticating the computer and not the user. It's generally more secure as well, if you protect the certificate. How exactly do you want this to work? Ray |
| |||
| Hi Ray, Thanks for your help with this! The client wants the VPN to initiate transparently when the user is off the local LAN. He does not want any user name or password prompt. Is this difficult to implement using Secure remote? thanks, Pat |
| |||
| I would certainly discourage that unless they have a rock-solid method of keeping unauthorized people out of the laptops, but it's their problem. Create a user certificate and save it to a file. Log into the laptop, double-click on the certificate file, enter the PIN and let it import into the CAPI store. Set up SecureClient to use certificate authentication. Ray |
| |||
| Quote:
Am I missing something? |
| |||
| I too am still having this issue. Is there any way to use only certificate-based authentication and for secure client to connect automatically and stay connected without prompting the end user? |
| |||
| Sorry for the delay in replying. When you imported the certificate into the CAPI store, did you check the boxes to NOT require a password to use it? Ray |
| |||
| Just to reiterate Ray's warning: Using certificates without any password/PIN means that anyone that steals a laptop, or a certificate for that matter, will be able to connect straight away into the LAN. I understand that ease of use is important, but this is a VERY serious flaw in your security and you REALLY should consider something different. Having a PIN on the certificate would make it very robust, as opposed to pretty weak; please consider that. You can use a 4 digit PIN, like a phone PIN, or ideally something stronger, like a normal password. It shouldn't be that hard for a user to remember one such thing and enter it when requested. Sorry for the rant... |
| |||
| Hi Guys, Sorry for the delay in replying. Everything worked fine. I explained the security issues to the client but in the end I had to follow their request. Thanks a million for all your help!!! Pat |