Machine Certificate Installation on Security Gateway for Authentication to VPN Clients
Solution

This solution describes Machine Authentication configuration on the Security Gateway.
This Machine Authentication solution is relevant for E80.71 (and above) Remote Access Clients and requires a Security Gateway hotfix installation.

Contact Check Point Solution Center to get the required hotfix.
For client configuration, refer to the E80.71 Remote Access Clients Administration Guide.

Machine Authentication Configuration on the Gateway

By default, the Security Gateway accepts VPN connections that use machine and user authentication, and connections that use user authentication only.
To accept only clients that present a machine certificate (machine authentication only, or machine and user authentication), change the gateway configuration as described below. The setting is a gateway registry value, so it takes effect only after you install policy.
To configure the gateway to allow only clients that connect using machine authentication only, or machine and user authentication:

  1. On the Security Gateway run:

    • # ckp_regedit -a SOFTWARE/CheckPoint/VPN1 enforce_machine_cert_auth 1  

  2. Install policy.

    • Connections with user authentication only are rejected.

To allow clients to connect without a machine certificate:

  1. On the Security Gateway run:

    • # ckp_regedit -d SOFTWARE/CheckPoint/VPN1 enforce_machine_cert_auth 

  2. Install policy.

    •  All valid authentication is accepted.

To check if machine authentication is enforced:

On the Security Gateway, run:

# ckp_regedit -p SOFTWARE/CheckPoint/VPN1 | grep enforce_machine_cert_auth

• The following output shows that the Security Gateway allows only clients that connect with machine authentication only, or with machine and user authentication:

SOFTWARE/CheckPoint/VPN1 : { CurrentVersion=[s]6.0 enforce_machine_cert_auth=[s]1 }

• An empty output shows that the value is not set and the gateway is in the default (legacy) mode, in which all valid authentication is accepted, including user authentication only.
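The following is an added example and is not part of the Check Point article or product: a small POSIX shell wrapper around the three commands above. It classifies a gateway's mode from the output of ckp_regedit -p (assumed, as in the output shown above, to print the VPN1 key on a single line), and wraps the enforce and relax commands with a DRY_RUN switch so the exact command can be reviewed before it is run on a production gateway. The function names, the DRY_RUN variable and the sample dump lines are assumptions for this example; the sample lines are constructed, not captured from a real gateway.

```shell
#!/bin/sh
# Added example (not Check Point code): classify the machine-authentication
# mode of a Security Gateway from a "ckp_regedit -p SOFTWARE/CheckPoint/VPN1"
# dump, and wrap the enforce / relax commands from the article.
# Assumption: the dump prints the key on one line, e.g.
#   SOFTWARE/CheckPoint/VPN1 : { CurrentVersion=[s]6.0 enforce_machine_cert_auth=[s]1 }
# Nothing here touches a gateway unless you call gateway_mode,
# enforce_machine_auth or relax_machine_auth yourself.

VPN1_KEY="SOFTWARE/CheckPoint/VPN1"

# machine_auth_mode: read a ckp_regedit -p dump on stdin and print one word:
#   enforced - enforce_machine_cert_auth=[s]1 is set (user-only connections rejected)
#   legacy   - the value is absent (default; all valid authentication accepted)
#   unknown  - the value is present but not "1"; inspect the gateway by hand
machine_auth_mode() {
    # extract the value after "enforce_machine_cert_auth=[s]", stopping at a
    # space or the closing brace; empty input or no match gives an empty value
    val=$(sed -n 's/.*enforce_machine_cert_auth=\[s\]\([^ }]*\).*/\1/p' | head -n 1)
    if [ -z "$val" ]; then
        echo legacy
    elif [ "$val" = "1" ]; then
        echo enforced
    else
        echo unknown
    fi
}

# run_cmd: execute the given command, or only print it when DRY_RUN=1
# (assumed helper for this example; lets the change be reviewed first).
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# enforce_machine_auth: the article's command to reject user-only connections.
# Remember to install policy afterwards; that step is not automated here.
enforce_machine_auth() {
    run_cmd ckp_regedit -a "$VPN1_KEY" enforce_machine_cert_auth 1
}

# relax_machine_auth: the article's command to return to legacy mode
# (all valid authentication accepted). Install policy afterwards.
relax_machine_auth() {
    run_cmd ckp_regedit -d "$VPN1_KEY" enforce_machine_cert_auth
}

# gateway_mode: live check on the gateway, same as the article's grep but
# reduced to enforced / legacy / unknown.
gateway_mode() {
    ckp_regedit -p "$VPN1_KEY" | machine_auth_mode
}

# Constructed sample dumps (not from a real gateway) for offline testing:
SAMPLE_ENFORCED='SOFTWARE/CheckPoint/VPN1 : { CurrentVersion=[s]6.0 enforce_machine_cert_auth=[s]1 }'
SAMPLE_LEGACY='SOFTWARE/CheckPoint/VPN1 : { CurrentVersion=[s]6.0 }'
```

Usage on a gateway: source the file and run `gateway_mode` before and after `enforce_machine_auth` plus a policy install; run `DRY_RUN=1 enforce_machine_auth` first to see the exact ckp_regedit command. The "unknown" result exists because a value other than 1 (for example a leftover 0) is not documented above; treat it as a prompt to inspect the key rather than as a confirmed mode.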

Configuring the LDAP Server

Machine Authentication must work with an LDAP server (defined in SmartDashboard or SmartConsole) that serves as a Trusted CA, so that the gateway can validate the machine certificates the clients present. To add an LDAP Server object as a trusted CA:

  • Go to the Servers and OPSEC tab, right-click on Servers and select 'Trusted CAs > New CA > Trusted'.

Machine Authentication in the Security Policy

The Security Policy for Machine Authentication is based on Access Roles rules.

Configuring Machines and Users in an Access Role

  1. Create an Access Role:

    1. In the Users and Administrators section of the objects tree, right-click Access Roles and select New Access Role.
    2. Type a Name for the Access Role. For example, Machine_authentication.

  2. Add the machines to the Access Role:

    1. Click Machines.
    2. Click Specific machines/groups.
    3. Click + and select the LDAP machine group that you created earlier on the LDAP server.

  3. Add users to the Access Role:

    1. Click Users.
    2. Click Specific users/groups.
    3. Click + and select the LDAP User Group that you created earlier on the LDAP server.
    4. Click OK.

  4. Create the Firewall Policy rule:

    1. Go to the Firewall tab and click Policy.
    2. Create a rule.
    3. Add the Access Role to the Source column of the rule.

  5. Install the Access Control Policy.

Example Authentication Rule with an Access Role for Machines and Users

This is an example of an authentication rule with an Access Role for machines and users:

Source                  Destination  VPN  Service  Action  Track
Machine_authentication  Any          Any  Any      drop    Log
(Access Role)

The behavior of the rule depends on the configuration of the Access Role.

Here are some examples of Access Role configuration and the resulting behavior of the rule:

Access Role > Users | Access Role > Machines | Access Role > Other pages | Client connects with                                       | Matches if
Any                 | A machine group        | Any                       | Machine authentication (Machine only, or Machine and User) | Machine matches the LDAP Machine group
A user group        | Any                    | Any                       | User authentication (User only, or Machine and User)       | User matches the LDAP User group
A user group        | A machine group        | Any                       | Machine and User authentication                            | Machine and user both match the appropriate LDAP groups
Any                 | Any                    | Any                       | User authentication (User only, or Machine and User)       | Any user connects
