YAIAF – Yet Another IA Fix for Multiple AUs in an AD Domain

DANGER WILL ROBINSON, DANGER


If you have a single Account Unit (AU) in a single AD domain, ignore this.

When you use the user picker to choose an AD group for an Access Role, the picker records which Account Unit (AU) it found that group in, and that AU tag gets stored on the firewall along with the role.

So here we are creating an Access Role for the group US-HQ-Admins, chosen through the Siberia AU. There is only one AD domain, abc.com, but multiple AUs/DCs, and we just so happen to be pointing the picker at the Siberia AU/DC:

[screenshot: UserPicker Link to AU]

When you choose US_HQ_Admins, it will eventually be stored in the firewall's database tagged with the AU it was found in, Siberia:

[screenshot: fwauth.DB]

[screenshot: au-config]

Why do you care???

Because when the firewall tries to tie the USER to the group US_HQ_Admins, it checks that the AU it used for the LDAP group lookup matches the AU tagged on the group US_HQ_Admins. In this case both have to be Siberia. If for some reason the firewall uses the Florida AU instead (which it can, with multiple AUs in one domain), the group never matches, the user never gets the Access Role, and… game over, sucker.
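If you want to see for yourself which AU a group got tagged with, the quickest check is the one from the comments on this post: strip the non-printable bytes out of fwauth.NDB and grep around the group name. The script below is an added example, not code from the original post or from Check Point. It wraps that `tr -cd` trick in a couple of functions and runs them against a constructed sample file; the `au=` layout in that sample is made up purely so the example has something to parse offline, and says nothing about how Check Point really lays out the AU tag inside fwauth.NDB. On a real gateway, point `au_tag_for_group` at the actual fwauth.NDB and read the context lines yourself.

```shell
#!/bin/sh
# Added example (not from the original post, not Check Point code): pull the
# printable strings out of a Check Point database file such as fwauth.NDB and
# show what sits next to an Access Role group name, so the AU tag can be read.
# The real on-disk layout of fwauth.NDB is NOT described here; only the
# constructed sample below uses the "au=<name>" convention.

# Keep only tab, LF, CR and printable ASCII (the trick from the comments).
printable_strings() {
    tr -cd '\11\12\15\40-\176' < "$1"
}

# Show the printable text around GROUP in DB-FILE with CONTEXT lines of
# context (default 2). Usage: au_tag_for_group <db-file> <group> [context]
au_tag_for_group() {
    db="$1"; group="$2"; ctx="${3:-2}"
    printable_strings "$db" | grep -n -B"$ctx" -A"$ctx" -- "$group"
}

# Extract the AU name that follows GROUP. ASSUMPTION: this only works on the
# constructed sample layout below (group line followed by an "au=" line).
au_of_group() {
    printable_strings "$1" | grep -A1 -- "$2" | sed -n 's/.*au=//p' | head -n1
}

# Mirror the gateway's rule from the post: the AU used for the LDAP group
# lookup must equal the AU tagged on the group, otherwise the role won't match.
# Usage: check_au_match <db-file> <group> <au-used-for-lookup>
check_au_match() {
    tagged="$(au_of_group "$1" "$2")"
    if [ "$tagged" = "$3" ]; then
        return 0
    fi
    echo "WARN: $2 is tagged with AU '$tagged' but lookup used AU '$3'" >&2
    return 1
}

# Constructed sample standing in for fwauth.NDB: NUL-padded records with the
# group name followed by its AU. Real files look nothing like this.
make_sample_db() {
    out="$1"
    printf 'access_role\000US_HQ_Admins\n\000au=Siberia\n\000\000' > "$out"
    printf 'access_role\000FL_Ops\n\000au=Florida\n\000\000' >> "$out"
    printf '\000\000\000\000\000\000\000\000' >> "$out"
}

if [ $# -ge 2 ]; then
    # Real use: au_tag_for_group /opt/CPsuite-R77/fw1/database/fwauth.NDB US_HQ_Admins
    au_tag_for_group "$1" "$2"
else
    sample="$(mktemp)"
    make_sample_db "$sample"
    au_tag_for_group "$sample" US_HQ_Admins
    echo "AU of US_HQ_Admins in sample: $(au_of_group "$sample" US_HQ_Admins)"
    check_au_match "$sample" US_HQ_Admins Siberia && echo "Siberia lookup: role matches"
    check_au_match "$sample" US_HQ_Admins Florida || echo "Florida lookup: role does NOT match"
    rm -f "$sample"
fi
```

`check_au_match` is the whole point of the post boiled down to one comparison: same AU, role matches; different AU in the same domain, it does not.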

How to fix this??

Wellllllllll. Get ready.

Add this line to CPprofile.sh ($CPDIR/tmp/.CPprofile.sh) and reboot, or cpstop/cpstart, so the fw processes pick up the new environment:

[screenshot: iafix]

With that set, the firewall ignores the AU check and matches the Access Role to the LDAP group regardless of which AU the group lookup came from.

Pretty cool HUH?

Tags: Identity Awareness, Multiple Domain Controllers, Captive Portal fails


Comments

  • iromirek  On February 27, 2015 at 9:50 am

    Where do you see these US-HQ-Admins, isn't that fwauth.NDB a binary file?
    [Expert@provider1w:0]# file /opt/CPsuite-R77/fw1/database/fwauth.NDB
    /opt/CPsuite-R77/fw1/database/fwauth.NDB: data

    • Dreezman  On February 27, 2015 at 9:55 am

      Do a 'less' on it, you will see it. 'less' decodes as best it can.

      • iromirek  On February 27, 2015 at 11:44 am

        got below:
        [Expert@provider1w:0]# less /opt/CPsuite-R77/fw1/database/fwauth.NDB
        “/opt/CPsuite-R77/fw1/database/fwauth.NDB” may be a binary file. See it anyway?

        ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^

  • Dreezman  On February 27, 2015 at 11:47 am

    yes, it will decode whatever it can

  • Dreezman  On May 14, 2015 at 10:30 am

    tr -cd '\11\12\15\40-\176' < fwauth.NDB | more

blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.