topic Re: VPN client with sms MFA in Endpoint

VPN client with sms MFA

AlainC — Mon, 28 Apr 2025 11:47:50 GMT

Hello,

I've MFA via Microsoft Authenticator setup for my VPN users. This works fine. Users get an extra window from the VPN client to insert their code and the connection is established.

Now I was testing the same process, but now with SMS as MFA. Strangely enough, the SMS is received on the smartphone, but an extra window from the VPN client, to insert the code from the sms, does not appear. I get wrong user or password.

FYI

I use a third party MFA solution and MS NPS.

My VPN client is v88.70

Any idea where to look (VPN client, MFA solution, NPS, Checkpoint firewall/vpn, etc...)?

Re: VPN client with sms MFA

the_rock — Mon, 28 Apr 2025 12:24:24 GMT

What do logs show?

Re: VPN client with sms MFA

Duane_Toler — Mon, 28 Apr 2025 23:18:26 GMT

The 3rd party server needs to send a RADIUS Access-Challenge to the NPS server. If your 3rd party service isn't providing that, then the VPN client will never see that from the NPS server to present the extra login prompt.

With SMS (and voice/call), this usually doesn't work, as the two services are out-of-band of each other (the RADIUS server is effectively hanging while waiting on the 3rd party to respond).

If you believe it should be working, then you'll need to run a VPN debug on the gateway to watch the RADIUS session between the gateway and the NPS server.

For a quick debug, you can just do a "tcpdump -xXvv -nni <interface facing the RADIUS server> port 1812" and look at the RADIUS packet decode (access-accept and access-challenge is what you want to see). If the tcpdump isn't helpful, then you'll need a VPN debug.

Regardless, I wouldn't expect this work.

Re: VPN client with sms MFA

AlainC — Tue, 29 Apr 2025 13:02:06 GMT

Hello,

just been hanging 2 hours in a call with MFA soft provider, digging through logs. All seems fine here.

Can you specify which logs to check and where?

thanks

Re: VPN client with sms MFA

AlainC — Tue, 29 Apr 2025 13:03:42 GMT

Hello,

the radius challenge/accept is sent when using MS authenticator. Why would the same process via SMS block somewhere?

Re: VPN client with sms MFA

AlainC — Tue, 29 Apr 2025 13:05:52 GMT

still in the complete dark here... finding the root is a first step:

MFA soft (i don't think so)

NPS ( i don't think so)

SMS gateway

VPN

VPN client

Re: VPN client with sms MFA

the_rock — Tue, 29 Apr 2025 13:12:23 GMT

I meant smart console logs...

Andy

Re: VPN client with sms MFA

Duane_Toler — Tue, 29 Apr 2025 13:15:19 GMT

Is the gateway still using NPS as the RADIUS server, or a different RADIUS server? Check tcpdump (or cppcap) on the gateway for RADIUS connections (port 1812) to see if the RADIUS messages are being exchanged as you expect. If they are, then you need to run a VPN debug on the gateway and look in $FWDIR/log/vpnd.elg.

Re: VPN client with sms MFA

AlainC — Tue, 29 Apr 2025 15:46:34 GMT

I was able to pinpoint the problem... a faulty return code received on the MFA server from our SMS gateway. Nothing to do with Checkpoint!

Thanks for the reactions!

Re: VPN client with sms MFA

the_rock — Tue, 29 Apr 2025 15:49:55 GMT

Good job!

Re: VPN client with sms MFA

Duane_Toler — Tue, 29 Apr 2025 15:57:18 GMT

Excellent! Good hunting!