CPUG: The Check Point User Group


Thread: supporting multiple auth schema - Active Directory Auth and RSA Auth

  1. #1 (Join Date: 2011-08-02, Location: http://spikefishsolutions.com, Posts: 1,628)

    supporting multiple auth schema - Active Directory Auth and RSA Auth

    Hi all, I'm working on a project where I'm trying to support Active Directory-based auth as well as SecurID-based auth. I'm running into some RSA issues, but I expect I'll have that addressed shortly.

    The part I'm having a hard time wrapping my head around is how Check Point will enumerate group membership. The idea we're testing out is that the default auth will be Active Directory, except when a user's login is bob@rsa, which in theory will kick in the external user profile that is set to SecurID for auth. What I'm not understanding is how RSA will figure out group membership. I'm being told RSA will communicate the group name the user is a member of. I'm not sure I agree, but I'm basing that purely on Check Point experience with RSA. Normally what I would see is generic* used, and what I've seen is that Check Point will look up group membership via LDAP. This of course means the default auth is now SecurID as well.

    My concern is that Check Point will only look up group membership via LDAP for the default auth and not for external. I don't know that this is true; I'm just basing this on some testing I was doing with RADIUS, which is very apples to oranges, I know. Maybe no matter what, when SecurID is used, Check Point will look up group membership via LDAP and there is nothing to worry about.

    Anyway, thanks for any input.

  2. #2 (Join Date: 2012-08-16, Posts: 181)

    Re: supporting multiple auth schema - Active Directory Auth and RSA Auth

    Not sure on the multiple authentication schemes front. Would be interested to know your results.

    For SecurID, I did some very preliminary testing and found these two resources to be helpful:

    https://supportcenter.checkpoint.com...tionid=sk72940

    https://indeni.com/blog/check-point-...ck-point-gaia/

    So maybe a combination of the two will help you out?

  3. #3 (Join Date: 2011-08-02, Location: http://spikefishsolutions.com, Posts: 1,628)

    Re: supporting multiple auth schema - Active Directory Auth and RSA Auth

    Well... it hasn't gone well. Using raw SecurID, it seems the best I can do is map all RSA users to a single group and then do something with that group in the firewall policy, which isn't good.

    The problem seems to be that when bob@rsa is sent, @rsa isn't stripped for the LDAP group membership lookup but is for the SecurID auth test. So the only option is to put the external user profile in a single group.

    No good...

    Going to try RADIUS to the SecurID server tomorrow.
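The behaviour post #1 is after, and the failure mode post #3 reports, side by side as an added example. This is not Check Point's code and not code the poster ran; it is a small stand-alone broker that routes a login by its "@realm" suffix ("bob" to an AD-style password check, "bob@rsa" to a SecurID-style passcode check) and then resolves groups through a single LDAP-style lookup. The directory, both credential stores, the realm names "ad" and "rsa", and every username and secret are constructed in-memory assumptions so the script runs offline. The `strip_suffix_for_groups` switch is hypothetical: `True` is the outcome the poster wanted (suffix stripped before the group lookup), `False` reproduces what they observed (auth succeeds but the lookup on the un-stripped "bob@rsa" returns no groups).

```python
"""Added illustration (not Check Point code): an authentication broker that
routes a login by its '@realm' suffix, as the thread describes
('bob' -> Active Directory, 'bob@rsa' -> SecurID), then resolves group
membership through one LDAP-style lookup on the suffix-stripped name.
The directory and both credential stores are constructed in-memory
stand-ins, so the script runs offline."""
import hmac
from dataclasses import dataclass, field

DEFAULT_REALM = "ad"    # what a bare login ('bob') is treated as (assumed name)
SECURID_REALM = "rsa"   # 'bob@rsa' selects the SecurID path (assumed name)

# Constructed stand-in for the LDAP Account Unit: account name -> groups.
DIRECTORY = {
    "bob": {"vpn-users", "finance"},
    "alice": {"vpn-users", "it-admins"},
}
# Constructed stand-ins for the two authenticators (hypothetical values).
AD_PASSWORDS = {"bob": "Winter2024!", "alice": "Spring2024!"}
SECURID_PASSCODES = {"bob": "1234567890"}   # PIN + tokencode as one string


def split_realm(login: str) -> tuple[str, str]:
    """'bob@rsa' -> ('bob', 'rsa'); a bare 'bob' -> ('bob', DEFAULT_REALM)."""
    name, sep, realm = login.rpartition("@")
    if not sep:
        return login, DEFAULT_REALM
    return name, realm.lower()


def ldap_groups(lookup_name: str) -> set[str]:
    """Group lookup keyed on the bare account name. Querying with the
    un-stripped 'bob@rsa' matches nothing, which is the failure mode
    post #3 reports."""
    return DIRECTORY.get(lookup_name, set())


def _matches(store: dict, user: str, secret: str) -> bool:
    """Constant-time credential check; an unknown user is a plain failure."""
    expected = store.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), secret.encode())


@dataclass
class AuthResult:
    ok: bool
    user: str
    realm: str
    groups: set = field(default_factory=set)
    reason: str = ""


def authenticate(login: str, secret: str,
                 strip_suffix_for_groups: bool = True) -> AuthResult:
    """Authenticate against the realm the suffix selects, then look up groups.

    strip_suffix_for_groups=True is the behaviour the poster wanted; False
    reproduces what they observed (auth succeeds, group lookup comes back empty).
    """
    user, realm = split_realm(login)
    if realm == SECURID_REALM:
        ok = _matches(SECURID_PASSCODES, user, secret)
    elif realm == DEFAULT_REALM:
        ok = _matches(AD_PASSWORDS, user, secret)
    else:
        return AuthResult(False, user, realm, reason="unknown realm")
    if not ok:
        return AuthResult(False, user, realm, reason="credential rejected")
    lookup = user if strip_suffix_for_groups else login
    return AuthResult(True, user, realm, ldap_groups(lookup))


if __name__ == "__main__":
    for login, secret, strip in [("bob", "Winter2024!", True),
                                 ("bob@rsa", "1234567890", True),
                                 ("bob@rsa", "1234567890", False),
                                 ("bob@rsa", "0000000000", True)]:
        r = authenticate(login, secret, strip)
        print(f"{login:8} strip={strip!s:5} ok={r.ok!s:5} realm={r.realm} "
              f"groups={sorted(r.groups)} {r.reason}")
```

The third row of the demo is the case the thread is stuck on: the SecurID check passes because the suffix was removed before comparing the passcode, but the group lookup was handed the full "bob@rsa" and finds nothing, leaving only the one-group-for-all-RSA-users workaround post #3 describes. Whichever backend does the authentication, the group lookup has to be keyed on the same bare account name the directory knows.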
