CPUG: The Check Point User Group

Thread: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

  1. #1, by julzor (Join Date 2017-05-29, Posts 11)

    Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

    Hi everybody,

    I've recently started to put my hands on the Identity Awareness Blade, exploring all the possibilities that it offers (Captive Portal, custom via API, etc...).

    I've been working on the Identity Collector scenario for a few days, which is the one that fits our needs best.

    Identity Collector is up and running, collecting identities from some AD and injecting them into some of my Check Point gateways. I've created the LDAP Account Unit, which is also working, and I can now use the AD groups as a "Source" in my rules, which is what I was looking for. Pretty basic stuff, and it's working great right now.


    But...


    Our production deployment is more complex than that and is pretty unusual (historical reasons, you know what I mean..). Basically, without going into the details, what I would like to do is:

    - Fetch the Identities from domain X.COM (Active Directory)
    - Fetch the users' associated groups from domain Y.COM (Active Directory OR OpenLDAP)


    I know this looks weird, but all those parts are handled by different teams in a complex environment and are not subject to change in the near future, so I try to deal with it.

    X.COM is the "real" domain where the PCs are registered (so it contains the identities).
    Y.COM is a domain that acts as a pure LDAP for authentication and authorization purposes ONLY; all the groups are defined here and only here. (Active Directory or OpenLDAP, we have both to serve this task)

    So, here is my question : is it possible to do that?

    I've tried to configure my LDAP Account Units with Y.COM, but it's never looking into it (I suppose it has to match the users' domain received from the Identity Collector... right?)
    I tried different "hacks" to cheat the gateways, without success...

    Does anyone know if there is any way to do that?

    Thank you and sorry for the mess. :-)

  2. #2 (Join Date 2011-08-02, Location http://spikefishsolutions.com, Posts 1,651)

    Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

    Quote Originally Posted by julzor (the original post above, quoted in full)
    So I understand, and please, don't take that as hope... :D

    Users are in X.COM, but the groups (that you want tied to access roles) are in Y.COM?

    cn=group_name,ou=group_name,DC=Y,DC=COM

    which contains for example..

    cn=BrantleyCoile,ou=users,DC=X,DC=COM
    cn=Cthulhu,ou=users,DC=X,DC=COM

    Something like that?
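
As an added example (not code from the thread and not Check Point's own logic), here is a small stdlib-only Python model of the lookup that post #2 sketches: groups under DC=Y,DC=COM whose member attribute holds user DNs from DC=X,DC=COM. It assumes the gateway-side lookup amounts to finding the user's DN in the identity domain from the (domain, account name) pair an identity source reports, then searching (&(objectClass=group)(member=<dn>)) under an assumed group base in Y.COM. The directory contents, base DN and account names are constructed for the example. It also includes a check that lists which group members point at a domain other than the group's own, which is the thing to verify before expecting a Y.COM group to match an X.COM identity.

```python
"""Added example (not from the thread, not Check Point code): a stdlib-only
model of the cross-domain group lookup that post #2 sketches, i.e. groups
under DC=Y,DC=COM whose "member" values are user DNs under DC=X,DC=COM.
All directory data below is constructed for the example."""

GROUP_BASE = "ou=groups,DC=Y,DC=COM"   # assumed search base for groups in Y.COM

# Constructed in-memory directory, keyed by DN.  The second "Cthulhu" entry
# is a separate account created directly in Y.COM: its DN is NOT the
# identity that X.COM login events report, so a group that lists only that
# DN will never match the X.COM identity.
DIRECTORY = {
    "CN=BrantleyCoile,OU=users,DC=X,DC=COM": {
        "objectClass": ["user"], "sAMAccountName": ["bcoile"]},
    "cn=Cthulhu,ou=users,DC=X,DC=COM": {
        "objectClass": ["user"], "sAMAccountName": ["cthulhu"]},
    "cn=Cthulhu,ou=users,DC=Y,DC=COM": {
        "objectClass": ["user"], "sAMAccountName": ["cthulhu"]},
    "cn=fw-admins,ou=groups,DC=Y,DC=COM": {
        "objectClass": ["group"],
        "member": ["CN=BrantleyCoile,OU=users,DC=X,DC=COM",
                   "cn=Cthulhu,ou=users,DC=X,DC=COM"]},
    "cn=vpn-users,ou=groups,DC=Y,DC=COM": {
        "objectClass": ["group"],
        "member": ["cn=Cthulhu,ou=users,DC=Y,DC=COM"]},
}


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, lower-cased for matching.
    Escaped commas are not handled; the constructed data contains none."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def normalize_dn(dn):
    """Canonical form so 'CN=Foo,DC=X,DC=COM' and 'cn=foo,dc=x,dc=com' compare equal."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))


def domain_of(dn):
    """Domain implied by the DC components: 'CN=x,DC=Y,DC=COM' -> 'y.com'."""
    return ".".join(v for a, v in parse_dn(dn) if a == "dc")


def is_under(dn, base):
    """True when dn sits below base in the tree (base itself excluded)."""
    return normalize_dn(dn).endswith("," + normalize_dn(base))


def find_user_dn(domain, account, directory):
    """Map the (domain, account name) pair an identity source reports to a user DN."""
    domain = domain.lower()
    for dn, attrs in directory.items():
        if "user" not in attrs.get("objectClass", []):
            continue
        if domain_of(dn) != domain:
            continue
        if account.lower() in (s.lower() for s in attrs.get("sAMAccountName", [])):
            return dn
    return None


def groups_for_dn(user_dn, directory, group_base):
    """Emulate the search (&(objectClass=group)(member=<user_dn>)) under group_base.
    Returns normalised group DNs, sorted."""
    target = normalize_dn(user_dn)
    hits = []
    for dn, attrs in directory.items():
        if not is_under(dn, group_base) or "group" not in attrs.get("objectClass", []):
            continue
        if any(normalize_dn(m) == target for m in attrs.get("member", [])):
            hits.append(normalize_dn(dn))
    return sorted(hits)


def groups_for_identity(domain, account, directory=DIRECTORY, group_base=GROUP_BASE):
    """Identity-domain lookup first, group-domain search second; [] if the user is unknown."""
    user_dn = find_user_dn(domain, account, directory)
    if user_dn is None:
        return []
    return groups_for_dn(user_dn, directory, group_base)


def foreign_members(directory, group_base=GROUP_BASE):
    """Sanity check: (group, member) pairs where the member's DN lives in a
    different domain than the group.  These are the entries that must match
    the identity domain's DNs exactly for cross-domain group lookups to work."""
    out = []
    for dn, attrs in directory.items():
        if not is_under(dn, group_base) or "group" not in attrs.get("objectClass", []):
            continue
        for m in attrs.get("member", []):
            if domain_of(m) != domain_of(dn):
                out.append((normalize_dn(dn), normalize_dn(m)))
    return sorted(out)


if __name__ == "__main__":
    # Identities as an Identity Collector style source would report them: domain + account.
    for domain, account in [("X.COM", "cthulhu"), ("Y.COM", "cthulhu"), ("X.COM", "bcoile")]:
        print(f"{domain}\\{account}: {groups_for_identity(domain, account)}")
    print("cross-domain members:", foreign_members(DIRECTORY))
```

The second Cthulhu account shows the failure mode worth checking for: if Y.COM keeps its own copy of a user and lists that copy in the group, a lookup keyed on the X.COM identity resolves to the X.COM DN and never matches the group. In the model, that is how an otherwise correctly configured Y.COM group source returns no groups for an X.COM identity.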

  3. #3 (Join Date 2007-06-04, Posts 3,303)

    Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

    Possibly this is a language/choice-of-words thing; however, Check Point Identity Awareness won't look at Groups in AD.

    What Identity Awareness is doing is reading AD Server Logs, so that as a User authenticates against a Domain Server, the Event registers in the Log on the AD Server, which is queried by the IA Collector.

    You are not reading AD but the Logs on the AD Server, which is why IA has to know about ALL Domain Controllers in a Domain. As such you don't fetch identities from X.COM Domain Servers, but read the Logs on X.COM Domain Controllers.

    You also mention using AD Groups. Are you attempting to configure an LDAP Group, or an Access Role that then maps to a Group in AD? Very different things. An LDAP Group is where you have authenticated against the Check Point, against the Account Unit, and it then sees that you are part of a Group in AD.

    An Access Role works like this: when the user logs into the Laptop/Desktop, an AD Event is generated, and that Log Entry should contain the Groups that the User belongs to. The IA Logs then show that the User is part of those groups and map the User into the Access Role. You are not querying the AD itself for User Group membership.

    So the first thing is: when a user logs into the Network, which Domain do they authenticate against?

    From your description, if I have understood, the Users themselves are defined in the X.COM domain, and that is where they log in and generate a login event in AD. The Groups that the Users belong to are defined on Y.COM, BUT Users don't actually log in to Y.COM?

    So what you would need is for the Logs on the X.COM AD Servers to actually show the Group Membership of the User as well, which I am guessing at the moment they don't. The User Groups are on Y.COM, but when the user logs into the Laptop/Desktop the Users authenticate against X.COM, so it doesn't have the Group Membership Login Events that the IA is looking for. Y.COM, not having the Users log in on their Laptops against that Domain, won't have Login Events, so IA has nothing to work from.

    Not sure how you would resolve that, as IA fundamentally requires the Group Membership information to be in the Login Event Details so it can map the user to the Access Role.

  4. #4, by julzor (Join Date 2017-05-29, Posts 11)

    Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

    Thank you all for the answers!

    I could finally make it work with the Identity Collector Alias feature and some filters.

    Your assumptions are right: users are NOT authenticated on the Check Point gateway, and what I want to do is just Access Roles using LDAP groups.
    The users are authenticating themselves against X.COM, but the groups are in Y.COM.

    See the full details on the original thread.

    Thank you :-)
