Machine Certificate Installation on Security Gateway for Authentication to VPN Clients
Solution

This solution describes Machine Authentication configuration on the Security Gateway.
This Machine Authentication solution is relevant for E80.71 (and above) Remote Access Clients and requires a Security Gateway hotfix installation.

Contact Check Point Solution Center via the local Check Point office to get the required hotfix.
For client configuration, refer to the E80.71 Remote Access Clients Administration Guide.

Machine Authentication Configuration on the Gateway

By default, the Security Gateway accepts VPN connections that use machine and user authentication, and connections that use user authentication only.
To accept only clients that connect with machine authentication (machine only, or machine and user), edit the gateway configuration as follows:

  1. On the Security Gateway run:

    • # ckp_regedit -a SOFTWARE/CheckPoint/VPN1 enforce_machine_cert_auth 1  

  2. Install policy.

    • Connections with user authentication only are rejected.

To allow clients to connect without a machine certificate:

  1. On the Security Gateway run:

    • # ckp_regedit -d SOFTWARE/CheckPoint/VPN1 enforce_machine_cert_auth 

  2. Install policy.

    •  All valid authentication is accepted.

 

Note:

If machine authentication (enforce_machine_cert_auth) is enabled and there is a problem with the machine certificate (CRL problem, expired certificate, missing certificate, etc.), users are not allowed to connect.

To allow machine authentication with fallback to user authentication, do not set enforce_machine_cert_auth.

Not setting enforce_machine_cert_auth allows:

  • Machine authentication (provided the certificate is installed and valid, and trac.defaults is configured for a machine tunnel), and/or
  • User authentication

 

To check if machine authentication is enforced:

On the Security Gateway, run:

# ckp_regedit -p SOFTWARE/CheckPoint/VPN1 | grep enforce_machine_cert_auth

• The following output shows that machine authentication is a mandatory authentication factor for connections to the Security Gateway:

SOFTWARE/CheckPoint/VPN1 : { CurrentVersion=[s]6.0 enforce_machine_cert_auth=[s]1 }

• Empty output shows that the feature is in legacy mode: authentication methods that do not include machine authentication are also allowed.
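The following shell script is an added example, not code from the Check Point article or from the product, that classifies the output of the ckp_regedit -p check described above so it can be run from a compliance script rather than eyeballed. The two sample registry lines are constructed to mirror the "enforced" output shown above and the empty-key case; the function names and the treatment of a value other than 1 as "unknown" are assumptions (the page documents only the value 1 and the absent key).

```shell
#!/bin/sh
# Added example: classify ckp_regedit -p output for enforce_machine_cert_auth.
# Not Check Point's own code; the sample lines below are constructed.

# Constructed sample: key present with the flag set (enforced mode).
SAMPLE_ENFORCED='SOFTWARE/CheckPoint/VPN1 : { CurrentVersion=[s]6.0 enforce_machine_cert_auth=[s]1 }'
# Constructed sample: flag absent (legacy mode; user-only authentication still accepted).
SAMPLE_LEGACY='SOFTWARE/CheckPoint/VPN1 : { CurrentVersion=[s]6.0 }'

# machine_auth_mode: reads ckp_regedit -p style text on stdin and prints
#   enforced  - enforce_machine_cert_auth=[s]1 is present
#   legacy    - the value is absent (machine-only, machine+user and user-only all accepted)
#   unknown   - the value is present but not 1 (assumption: not documented by the article)
machine_auth_mode() {
    # Pull the token after enforce_machine_cert_auth=[s]; empty if the key is absent.
    val=$(sed -n 's/.*enforce_machine_cert_auth=\[s\]\([^ }]*\).*/\1/p')
    case "$val" in
        "") echo legacy ;;
        1)  echo enforced ;;
        *)  echo unknown ;;
    esac
}

# live_machine_auth_mode: query the real registry when run on a Security Gateway.
# Fails cleanly elsewhere instead of reporting a misleading "legacy".
live_machine_auth_mode() {
    if command -v ckp_regedit >/dev/null 2>&1; then
        ckp_regedit -p SOFTWARE/CheckPoint/VPN1 | machine_auth_mode
    else
        echo "ckp_regedit not found: not running on a Security Gateway" >&2
        return 1
    fi
}

# Demonstration on the constructed samples (prints "enforced" then "legacy").
printf '%s\n' "$SAMPLE_ENFORCED" | machine_auth_mode
printf '%s\n' "$SAMPLE_LEGACY"   | machine_auth_mode
```

On a gateway, call live_machine_auth_mode and treat any result other than "enforced" as a finding if the policy requires machine certificates; remember that "enforced" also means a client with an expired, revoked or missing machine certificate is rejected outright, with no fallback to user authentication.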


Note: The machine certificate solution is supported on VSX.

Machine Authentication Configuration on SmartDashboard

  1. Configure the LDAP server, so that the Security Gateway can fetch the machine information from it.


  2. Configure the LDAP CA to be a trusted CA:

    • Click on Manage > Servers and OPSEC Applications > New > Certificate Authority > Trusted.

Machine Authentication in the Security Policy

The Security Policy for Machine Authentication is based on Access Roles rules.

Configuring Machines and Users in an Access Role

  1. Create an Access Role:

    1. In the Users and Administrators section of the objects tree, right-click Access Roles and select New Access Role.
    2. Type a Name for the Access Role. For example, Machine_authentication.

  2. Add the machines to the Access Role:

    1. Click Machines
    2. Click Specific machines/groups
    3. Choose the LDAP machine group.
    4. Click OK

  3. Add users to the Access Role:

    1. Click Users
    2. Click Specific users/groups
    3. Choose the LDAP user group.
    4. Click OK.

  4. Create the Firewall Policy rule:

    1. Go to the Firewall tab and click Policy.
    2. Create a rule
    3. Add the Access Role to Source column of the rule

  5. Install the Access Control Policy.

Example Authentication Rule with an Access Role for Machines and Users

This is an example of an authentication rule with an Access Role for machines and users:

Source                  Destination  VPN  Service  Action  Track
Machine_authentication  Any          Any  Any      drop    Log
(Access Role)

The behavior of the rule depends on the configuration of the Access Role.

Here are some examples of Access Role configuration and the resulting behavior of the rule:

Access Role > Users | Access Role > Machines | Access Role > Other pages | Client connects with                                        | Matches if
Any                 | A machine group        | Any                       | Machine authentication (Machine only, or Machine and User) | Machine matches the LDAP machine group
A user group        | Any                    | Any                       | User authentication (User only, or Machine and User)       | User matches the LDAP user group
A user group        | A machine group        | Any                       | Machine and User authentication                            | Machine and user both match the appropriate LDAP groups
Any                 | Any                    | Any                       | User authentication (User only, or Machine and User)       | Any user connects


