topic Re: MFA and secondary connect / Multi sites in Firewall and Security Management

MFA and secondary connect / Multi sites

Galb — Tue, 13 Apr 2021 07:12:09 GMT

Hello

When implementing MFA and Radius authentication such as Dou/OKTA in a multi sites scenario.

is the user getting a separate MFA request for each gateway when accessing a resource that is behind it even when password caching is defined ?

Thanks

Re: MFA and secondary connect / Multi sites

Ave_Joe — Tue, 13 Apr 2021 13:54:01 GMT

Yes. In our testing of MFA using MS Authenticator this was the case. At this time I don't know if there is a resolution to this issue. Deeper investigation into our setup showed that MS NPS (Radius Server) could not take into account any previous session information. So users saw Authenticator prompts everytime the VPN client connected to a Secondary Gateway.

I think mileage may vary depending on the radius server implementation as I know that some radius implementations can account for existing sessions and then by-pass the MFA request.

It would be great if CP could let us know what if anything is on the roadmap for this MFA use case. I would certainly welcome a resolution.

Re: MFA and secondary connect / Multi sites

Tzvi_Katz — Tue, 13 Apr 2021 14:45:54 GMT

The challenge here is around the fact that each secondary GW is not aware of the second factor entered by the primary GW. In a RADIUS example the VPN treat the authentication as black box and passes the challenges to the client till the RADIUS server is done.

So the options are:

1. Make the RADIUS server aware of prior authentications and not prompt second factor

2. Work towards having SAML based authentication in the client in order to leverage the IDP SSO.

Re: MFA and secondary connect / Multi sites

Ave_Joe — Tue, 13 Apr 2021 15:03:39 GMT

Well said. Thanks.

When will number 2 above make it into a product release? This seems the best direction forward.

Re: MFA and secondary connect / Multi sites

Galb — Wed, 14 Apr 2021 12:53:54 GMT

Thanks

I guess SAML can be the solution since RADIUS/RADIUS proxies can support session cookie to bypass the second MFA authentication.
But, which version of CP and client support SAML..?

Re: MFA and secondary connect / Multi sites

Tzvi_Katz — Sun, 18 Apr 2021 09:46:28 GMT

Hi,

For general availability: The next R80.40 Jumbo should have the SAML capabilities (should be released before the end of the month) and the Client side GA should be released in the next few days.

For Customer Release - one is available through Solution Center for several months now.

Re: MFA and secondary connect / Multi sites

Galb — Sun, 18 Apr 2021 14:51:35 GMT

Thanks Tzvi

I will wait till the end of the month to test both

Re: MFA and secondary connect / Multi sites

Galb — Sun, 18 Apr 2021 15:25:03 GMT

Just one more question..
Is there a best practice recommendation to implementing/not implementing "Secondary Connect"?
I think that secondary connect is a more "Slick" solution than routing the traffic via the STS..

But maybe I am wrong here?

Re: MFA and secondary connect / Multi sites

Galb — Thu, 22 Apr 2021 06:48:38 GMT

Is this in take 102?
I have tried to look for the specific support in the release notes ..

Re: MFA and secondary connect / Multi sites

Tzvi_Katz — Thu, 22 Apr 2021 09:53:22 GMT

Hi,

It should be in the next take following 102, it seems it had yet to be released. Stay tuned, since I understand it should be released shortly.

Thanks

Re: MFA and secondary connect / Multi sites

Galb — Thu, 22 Apr 2021 16:02:53 GMT

Thank!

Re: MFA and secondary connect / Multi sites

Tzvi_Katz — Mon, 26 Apr 2021 06:52:00 GMT

Hello,

R80.40 JHF T114 was released with SAML support for RA IPsec VPN

Re: MFA and secondary connect / Multi sites

Galb — Mon, 26 Apr 2021 11:06:27 GMT

Thanks for the update!