https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-VPN-WebVPN-Mobile-Access-amp-Duo-MFA-Duo/m-p/97471#M10444 <P>Hello everyone,</P><P>For anyone using Duo as their 2 factor authentication service, I'd like to share this information:</P><P>Duo works flawlessly up till version 4.0.2, once we upgraded to the Duo Auth Proxy 5.0.1 (latest version), upon confirming the Duo Push Notification, the connection to the VPN does not work anymore (Check Point Gateway drops the traffic).</P><P>Turns out that in V<SPAN class="test-id__field-value slds-form-element__static slds-grow is-read-only">ersion 5.0.0 the Duo Authentication Proxy began sending a RADIUS Message-Authenticator attribute (attribute ID 80) in all responses, which the Check Point gateways don't recognize and drop the traffic.</SPAN></P><P>The solution from Check Point (SR was created, resolved, now closed) is to set the <STRONG>radius_ignore</STRONG> value to 80. Smart Console Menu -&gt; Global Properties -&gt; Advanced -&gt; Configure -&gt; FireWall-1 -&gt; Authentication -&gt; RADIUS.</P><P>Afterwards the authentication works again. After having contact with the Duo support, they created a KB for that problem as well:</P><P><A href="https://help.duo.com/s/article/6328?language=en_US" target="_blank" rel="noopener">https://help.duo.com/s/article/6328?language=en_US</A></P><P>Apparently this will be resolved in the upcoming Duo authentication release v5.0.2</P><P>Greetings,</P><P>Chris</P> Thu, 24 Sep 2020 15:03:29 GMT christophe 2020-09-24T15:03:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-VPN-WebVPN-Mobile-Access-amp-Duo-MFA-Duo/m-p/97471#M10444 <P>Hello everyone,</P><P>For anyone using Duo as their 2 factor authentication service, I'd like to share this information:</P><P>Duo works flawlessly up till version 4.0.2, once we upgraded to the Duo Auth Proxy 5.0.1 (latest version), upon confirming the Duo Push Notification, the connection to the VPN does not work anymore (Check Point Gateway drops the traffic).</P><P>Turns out that in V<SPAN class="test-id__field-value slds-form-element__static slds-grow is-read-only">ersion 5.0.0 the Duo Authentication Proxy began sending a RADIUS Message-Authenticator attribute (attribute ID 80) in all responses, which the Check Point gateways don't recognize and drop the traffic.</SPAN></P><P>The solution from Check Point (SR was created, resolved, now closed) is to set the <STRONG>radius_ignore</STRONG> value to 80. Smart Console Menu -&gt; Global Properties -&gt; Advanced -&gt; Configure -&gt; FireWall-1 -&gt; Authentication -&gt; RADIUS.</P><P>Afterwards the authentication works again. After having contact with the Duo support, they created a KB for that problem as well:</P><P><A href="https://help.duo.com/s/article/6328?language=en_US" target="_blank" rel="noopener">https://help.duo.com/s/article/6328?language=en_US</A></P><P>Apparently this will be resolved in the upcoming Duo authentication release v5.0.2</P><P>Greetings,</P><P>Chris</P> Thu, 24 Sep 2020 15:03:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-VPN-WebVPN-Mobile-Access-amp-Duo-MFA-Duo/m-p/97471#M10444 christophe 2020-09-24T15:03:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-VPN-WebVPN-Mobile-Access-amp-Duo-MFA-Duo/m-p/221341#M42372 <P>Same solution worked on Windows Server NPS after Windows Security Update&nbsp;<SPAN>KB5040437.</SPAN></P> Fri, 19 Jul 2024 01:18:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-VPN-WebVPN-Mobile-Access-amp-Duo-MFA-Duo/m-p/221341#M42372 spaceForceOne 2024-07-19T01:18:23Z