SecureClient/MS AD security groups



AndyB
2005-12-05, 06:43
Whilst implementing LDAP integration with NGAI R55 I have come across a problem with the firewall not reading the MS AD security groups which I have defined for my SecureClient users.

If I put the AD users in the default container 'Users' I can remote in and get authenticated etc. If, however, I place the user in an AD security group within the 'Users' container, it fails.

Everything seems to be in place: I can fetch the branch, view the security group and see the user IDs in it etc., but as mentioned earlier, as soon as I try to login/authenticate it fails.
Would be grateful for any ideas.

regards

CheckMan
2005-12-07, 23:37
Hi AndyB, I have the same problem with my Win2003 AD.... If you find something please let me know!!


Marc

flawless_cowboy
2005-12-10, 15:42
Did you create an LDAP group for SecureClient users, by picking a specific group within an LDAP branch? I have been using AD since FP3 + Win2k (management server is Linux). We are now at NGX + Win2k3 with no problems. Try creating an LDAP group that points directly to the CN of the group you want to authenticate from.

CheckMan
2005-12-12, 17:13
No, it is not working... I have been working directly with CheckPoint for a week now and still no result....

CheckMan
2006-01-27, 11:01
Engineers and developers at CheckPoint have been working on the problem for a month.
I will keep you up to date on this problem; this is a known problem.

Marc

Sergej
2006-01-27, 12:23
A few weeks ago I accidentally found an interesting thing in the CheckPoint documentation. It is possible to map RADIUS users to CheckPoint groups. Before, I thought that RADIUS users could only be mapped to one generic* user. This can be done via RAD_<group to which the RADIUS users belong>. This feature does not require an LDAP license (this license is not a problem for all-included license holders).




Granting User Access Based on RADIUS Server Groups

With VPN-1 Pro gateway you can control access for authenticated RADIUS users, based on the RADIUS group of the user. The administrator assigns users to groups. These groups are used in the Security Rule Base to restrict or grant access for users to resources. Users are unaware of the groups to which they belong.

To use RADIUS groups, you must define a return attribute on the RADIUS Server, in the RADIUS user profile. This RADIUS attribute is returned to the VPN-1 gateway and contains the group name (RAD_<group to which the RADIUS users belong>) to which the user belongs. By default the Class attribute is used (IETF RADIUS attribute number 25), though other RADIUS attributes can be used.

Copyright Check Point Software

P.S. A lot of LDAP-related problems are fixed in HFA_01 and HFA_02.
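As an added illustration of the mechanism the quoted documentation describes (not Check Point's code, and not from any post in this thread): the RADIUS server returns the group name in a Class attribute (IETF type 25) with the RAD_ prefix, and the gateway only grants what the rulebase already knows as a group. The packet below is constructed inline; the attribute numbers, the RAD_ prefix and the 20-byte header layout come from RFC 2865 and the quoted text, everything else (function names, the sample users and group names) is assumed for the example. The length checks are there because a gateway parsing Access-Accept replies should reject a malformed attribute rather than read past the buffer.

```python
import struct
from typing import List, Tuple

CLASS_ATTR = 25        # IETF RADIUS "Class" attribute, the default carrier of RAD_<group>
USER_NAME_ATTR = 1     # IETF RADIUS "User-Name"
GROUP_PREFIX = "RAD_"  # prefix the gateway expects on a returned group name
ACCESS_ACCEPT = 2      # RADIUS packet code


def build_access_accept(identifier: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Build a minimal Access-Accept: 20-byte header followed by type/length/value attributes.
    The Response Authenticator is left as zeros because this is a constructed test packet;
    a real server fills it with an MD5 over the packet and the shared secret."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs after the header, refusing lengths that do not fit the packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"malformed attribute length at offset {pos}")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def groups_from_class(attrs: List[Tuple[int, bytes]], group_attr: int = CLASS_ATTR) -> List[str]:
    """Return the group names carried as RAD_<group>; Class values without the prefix
    (e.g. opaque session cookies some servers put there) are ignored."""
    groups = []
    for attr_type, value in attrs:
        if attr_type != group_attr:
            continue
        text = value.decode("utf-8", errors="replace")
        if text.startswith(GROUP_PREFIX):
            groups.append(text[len(GROUP_PREFIX):])
    return groups


def authorize(packet: bytes, rule_groups: List[str]) -> List[str]:
    """Groups the user ends up in: what the server asserted, limited to what the rulebase defines."""
    asserted = set(groups_from_class(parse_attributes(packet)))
    return sorted(asserted & set(rule_groups))


# Constructed sample reply: one recognised group, one unrelated Class value.
SAMPLE_ACCEPT = build_access_accept(7, [
    (USER_NAME_ATTR, b"alice"),
    (CLASS_ATTR, b"RAD_vpn_users"),
    (CLASS_ATTR, b"OU=sales;session-cookie-0042"),
])

if __name__ == "__main__":
    print(authorize(SAMPLE_ACCEPT, ["vpn_users", "admins"]))  # ['vpn_users']
```

The intersection in `authorize` is the point: a group name the RADIUS server returns but the rulebase never defined grants nothing, so a misconfigured or compromised profile on the RADIUS side cannot mint access to rules that do not reference that group.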

CheckMan
2006-01-27, 16:29
Gotcha!!! If you have a lot of OUs in your Active Directory you need to add each OU (where users are located) in the branch. CheckPoint checks the credentials first... After that it checks if the user is located in the LDAP group (AD group).

Marc
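The order of operations in the post above (find the user under a configured branch, check the credentials, then check group membership) is what makes a user in an unlisted OU fail even when the AD group plainly contains them. The following simulation is an added example, not Check Point's code or anything from this thread: the directory entries, DNs, passwords and function names are all constructed for the example, and the credential check is a stand-in for the LDAP bind a real gateway would perform. It also follows nested groups, which is a generalisation beyond what the post discusses.

```python
import hashlib
from typing import Dict, List, Optional


def _pw(password: str) -> str:
    # Constructed stand-in for a directory bind: the sample store keeps a digest, never the password.
    return hashlib.sha256(password.encode()).hexdigest()


USERS_BRANCH = "CN=Users,DC=example,DC=com"
SALES_OU = "OU=Sales,DC=example,DC=com"
ALICE = "CN=alice," + USERS_BRANCH
CAROL = "CN=carol," + USERS_BRANCH
BOB = "CN=bob," + SALES_OU
SALES_GROUP = "CN=Sales Staff," + SALES_OU
VPN_GROUP = "CN=VPN Users," + USERS_BRANCH

# Constructed directory: two users under CN=Users, one under OU=Sales, and a nested group.
DIRECTORY: Dict[str, dict] = {
    ALICE: {"sAMAccountName": "alice", "pw": _pw("alice-pass")},
    CAROL: {"sAMAccountName": "carol", "pw": _pw("carol-pass")},
    BOB: {"sAMAccountName": "bob", "pw": _pw("bob-pass")},
    SALES_GROUP: {"objectClass": "group", "member": [BOB]},
    VPN_GROUP: {"objectClass": "group", "member": [ALICE, SALES_GROUP]},
}


def dn_under(dn: str, branch: str) -> bool:
    """True when dn lies in the subtree rooted at branch (DN comparison is case-insensitive)."""
    return dn.lower().endswith("," + branch.lower())


def resolve_user_dn(login: str, branches: List[str]) -> Optional[str]:
    """Step 1: locate the user's DN, searching only the branches configured on the gateway."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("sAMAccountName") == login and any(dn_under(dn, b) for b in branches):
            return dn
    return None


def bind(dn: str, password: str) -> bool:
    """Step 2: credential check against the located DN."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("pw") == _pw(password)


def is_member(user_dn: str, group_dn: str, depth: int = 0) -> bool:
    """Step 3: group membership, following AD group-in-group nesting to a bounded depth."""
    for member in DIRECTORY.get(group_dn, {}).get("member", []):
        if member.lower() == user_dn.lower():
            return True
        if DIRECTORY.get(member, {}).get("objectClass") == "group" and depth < 8:
            if is_member(user_dn, member, depth + 1):
                return True
    return False


def authorize(login: str, password: str, branches: List[str], group_dn: str) -> str:
    """Run the three steps in the order the post describes and name the step that failed."""
    dn = resolve_user_dn(login, branches)
    if dn is None:
        return "user_not_found"      # the 'Gotcha': OU not listed as a branch
    if not bind(dn, password):
        return "bad_credentials"
    if not is_member(dn, group_dn):
        return "not_in_group"
    return "ok"


if __name__ == "__main__":
    print(authorize("bob", "bob-pass", [USERS_BRANCH], VPN_GROUP))            # user_not_found
    print(authorize("bob", "bob-pass", [USERS_BRANCH, SALES_OU], VPN_GROUP))  # ok
```

When troubleshooting, the useful detail is which step failed: "user_not_found" points at the branch list, "bad_credentials" at the account or bind, and "not_in_group" at the group object itself. A single generic failure hides that distinction, which is why the original poster could see the group and its members and still not understand why login was refused.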

veste
2006-06-14, 09:46
Hello Sergej,

That's exactly what I'm looking for :-)))
Could you give me some hints or tell me where exactly in the documents you found this?

thx a lot,
stef


A few weeks ago I accidentally found an interesting thing in the CheckPoint documentation. It is possible to map RADIUS users to CheckPoint groups. Before, I thought that RADIUS users could only be mapped to one generic* user. This can be done via RAD_<group to which the RADIUS users belong>. This feature does not require an LDAP license (this license is not a problem for all-included license holders).

P.S. A lot of LDAP-related problems are fixed in HFA_01 and HFA_02.

abusharif
2006-06-14, 09:58
Hello Sergej,

That's exactly what I'm looking for :-)))
Could you give me some hints or tell me where exactly in the documents you found this?

thx a lot,
stef

sk24858 on SecureKnowledge contains some information about this.

veste
2006-06-16, 02:42
sk24858 on SecureKnowledge contains some information about this.
Thanks!
I know I'm too stupid, but could someone please explain to me how to access
a document directly? If I change the sk# in the URL, I get a blabla page.

regards,
stef