Getting Identities with Browser-Based Authentication

Browser-Based Authentication lets you acquire identities from unidentified users such as:

  • Managed users connecting to the network from unknown devices such as Linux computers or iPhones.

  • Unmanaged, guest users such as partners or contractors.

If unidentified users try to connect to resources in the network that are restricted to identified users, they are automatically redirected to the Captive Portal, a Check Point Identity Awareness web portal to which users connect with their web browser to log in and authenticate. If Transparent Kerberos Authentication is configured, the browser first attempts to identify users who are already logged in to the domain through SSO, and the Captive Portal is shown only if that fails.

Scenarios

#1: Recognized User from Unmanaged Device

The CEO of ACME, Linda Smith, recently bought her own personal iPad. She wants to access the internal Finance Web server from her iPad. Because the iPad is not a member of the Active Directory domain, she cannot be identified transparently with AD Query (the clientless method that maps users and computers to network addresses from the Active Directory Security Event Logs). But she can enter her AD credentials in the Captive Portal and then get the same access as on her office computer. Her access to resources depends on the rules in the Firewall Rule Base.

Necessary SmartConsole Configuration

  1. Enable the Identity Awareness Software Blade on a Security Gateway.

  2. Select Browser-Based Authentication as one of the Identity Sources, and click Settings.

  3. In the Portal Settings window in the User Access section, make sure that Name and password login is selected.

  4. Create a new rule in the Rule Base to let Linda Smith access network destinations. Select accept as the Action.

  5. Right-click the Action column and select More.

    The Action Settings window opens.

  6. Select Enable Identity Captive Portal.

  7. Click OK.

  8. From the Source of the rule, right-click to create an Access Role.

    1. Enter a Name for the Access Role.

    2. In the Users page, select Specific users and choose Linda Smith.

    3. In the Machines page, make sure that Any machine is selected.

    4. Click OK.

      The Access Role is added to the rule.

      Name        Source       Destination     VPN          Service  Action                                   Track
      CEO Access  Linda Smith  Finance_Server  Any Traffic  http     Accept (Enable Identity Captive Portal)  Log

User Experience

For the CEO to access the Finance server from her personal device:

  1. She browses to the Finance server from her personal device.

    The Captive Portal opens.

  2. She enters her usual system credentials in the Captive Portal.

    A Welcome to the network window opens.

  3. She can successfully browse to the Finance server.

User Identification in the Logs

The log entry in the Logs tab of the Logs & Monitor view shows that the system recognizes the user, not only the IP address of the personal device. The identity in the log is the one acquired through the Captive Portal login.

#2: Guest Users from Unmanaged Device

Guests frequently come to the ACME company. While they visit, the CEO wants to let them access the Internet on their own laptops.

Amy, the IT administrator, configures the Captive Portal to let unregistered guests log in to the portal to get network access. She makes a rule in the Rule Base to let unauthenticated guests access only the Internet.

When guests browse to the Internet, the Captive Portal opens. Guests enter their name, company, email address, and phone number in the portal. They then agree to the terms and conditions written in a network access agreement. Afterward, they are given access to the Internet for a specified time.

Necessary SmartConsole Configuration

To make this scenario work, the IT administrator must:

  1. Enable Identity Awareness Software Blade on a Security Gateway.

  2. Select Browser-Based Authentication as one of the Identity Sources, and click Settings.

  3. In the Portal Settings window in the User Access section, make sure that Unregistered guest login is selected.

  4. Click Unregistered guest login - Settings.

  5. In the Unregistered Guest Login Settings window, configure:

    • The data guests must enter.

    • For how long users can access the network resources.

    • If a user agreement is necessary and its text.

  6. Create an Access Role rule in the Rule Base, to let identified users access the Internet from the organization:

    1. Right-click Source and select Access Role.

    2. In the Users tab, select All identified users.

  7. Create an Access Role rule in the Rule Base, to let Unauthenticated Guests access only the Internet:

    1. Right-click Source and select Access Role.

    2. In the Users tab, select Specific users > Unauthenticated Guests.

    3. Select accept as the Action.

    4. Right-click the Action column and select More.

      The Action Settings window opens.

    5. Select Enable Identity Captive Portal.

    6. Click OK.
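The two scenarios above depend on how a rule whose Source is an Access Role behaves for a connection from an IP address that has no identity yet, and on the order of the rules. The following model, added here as an illustration and not Check Point code, reduces that behaviour to the points the scenarios rely on: a rule with Enable Identity Captive Portal redirects unidentified web traffic to the portal, an identified user who does not match the role simply falls through to the next rule, a guest session stops matching when its time limit expires, and non-web traffic from an unidentified source is never redirected. The IP addresses, user names and the assumption that All identified users does not cover Unauthenticated Guests (which is why the scenario needs two rules) are constructed for the example.

```python
# Added illustration of the Access Control rules in the two scenarios.
# Not Check Point code: the matching logic is a simplified model.
from dataclasses import dataclass


ACCEPT = "accept"
DROP = "drop"
REDIRECT = "redirect to Captive Portal"


@dataclass(frozen=True)
class Identity:
    """An IP-to-user mapping the gateway learned (here: from a Captive Portal login)."""
    user: str
    kind: str          # "directory" for AD users, "guest" for Unauthenticated Guests
    expires_at: int    # seconds; guest sessions end after the configured time


@dataclass(frozen=True)
class AccessRole:
    """Source column object. Modelling assumption: 'All identified users' covers
    directory users only, so Unauthenticated Guests need their own rule."""
    name: str
    all_identified: bool = False
    users: frozenset = frozenset()
    unauthenticated_guests: bool = False

    def matches(self, ident: Identity) -> bool:
        if ident.kind == "guest":
            return self.unauthenticated_guests
        return self.all_identified or ident.user in self.users


@dataclass(frozen=True)
class Rule:
    name: str
    source: AccessRole
    destination: str
    service: str           # "Any" or a single service name
    captive_portal: bool   # Enable Identity Captive Portal in the Action settings


def build_rules() -> list:
    """Rules from both scenarios, in Rule Base order (constructed example)."""
    return [
        Rule("CEO Access", AccessRole("CEO", users=frozenset({"Linda Smith"})),
             "Finance_Server", "http", captive_portal=True),
        Rule("Identified Internet", AccessRole("Identified", all_identified=True),
             "Internet", "Any", captive_portal=False),
        Rule("Guest Internet", AccessRole("Guests", unauthenticated_guests=True),
             "Internet", "Any", captive_portal=True),
    ]


def evaluate(rules, src_ip, destination, service, identities, now):
    """Return (action, matched rule name). identities maps source IP -> Identity."""
    ident = identities.get(src_ip)
    if ident is not None and ident.expires_at <= now:
        ident = None   # expired guest session: the IP is unidentified again
    for rule in rules:
        if rule.destination != destination or rule.service not in ("Any", service):
            continue
        if ident is None:
            # No identity for this IP. Only a rule with the Captive Portal action,
            # and only web traffic, triggers the redirect; otherwise no match.
            if rule.captive_portal and service in ("http", "https"):
                return REDIRECT, rule.name
            continue
        if rule.source.matches(ident):
            return ACCEPT, rule.name
    return DROP, "Cleanup"   # implicit drop at the end of the Rule Base


def scenarios() -> dict:
    """Constructed sample connections covering both scenarios and the edge cases."""
    rules = build_rules()
    now = 1_000
    ids = {
        "10.0.0.5": Identity("Linda Smith", "directory", expires_at=now + 3600),
        "10.0.0.6": Identity("Bob Jones", "directory", expires_at=now + 3600),
        "10.0.0.7": Identity("guest-0042", "guest", expires_at=now + 1800),
        "10.0.0.8": Identity("guest-0017", "guest", expires_at=now - 1),  # expired
    }
    return {
        "unknown_to_finance": evaluate(rules, "10.0.0.9", "Finance_Server", "http", ids, now),
        "ceo_to_finance": evaluate(rules, "10.0.0.5", "Finance_Server", "http", ids, now),
        "other_user_to_finance": evaluate(rules, "10.0.0.6", "Finance_Server", "http", ids, now),
        "other_user_to_internet": evaluate(rules, "10.0.0.6", "Internet", "http", ids, now),
        "unknown_to_internet": evaluate(rules, "10.0.0.9", "Internet", "http", ids, now),
        "guest_to_internet": evaluate(rules, "10.0.0.7", "Internet", "http", ids, now),
        "guest_to_finance": evaluate(rules, "10.0.0.7", "Finance_Server", "http", ids, now),
        "expired_guest_to_internet": evaluate(rules, "10.0.0.8", "Internet", "http", ids, now),
        "unknown_ssh_to_internet": evaluate(rules, "10.0.0.9", "Internet", "ssh", ids, now),
    }


if __name__ == "__main__":
    for case, (action, rule) in scenarios().items():
        print(f"{case:28s} -> {action} ({rule})")
```

Two results are worth noting when reading the output: an identified user who is not Linda Smith is dropped by the implicit cleanup rule when she browses to the Finance server, because the CEO Access rule does not match and no redirect happens for an already identified IP; and an unidentified source sending non-web traffic is also dropped, since the Captive Portal redirect is an HTTP redirect and cannot be delivered for other services.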

User Experience

For a guest at ACME to access the Internet:

  1. She browses to an internet site from her laptop.

    The Captive Portal opens because she is not identified and therefore cannot access the Internet.

  2. She enters her identifying data in the Captive Portal and reads through and accepts a network access agreement.

    A Welcome to the network window opens.

  3. She can successfully browse to the Internet for the time configured in the Unregistered Guest Login Settings. When that time ends, her next web request is redirected to the Captive Portal again.