https://community.checkpoint.com/t5/General-Topics/Identity-collectors-and-captive-portal/m-p/83534#M16896 <P>If MFA is mandated and identity collectors are desired so that AD groups can be used, is it possible to use both captive portal (MFA) and identity collectors (AD groups query)?</P> Tue, 28 Apr 2020 19:16:55 GMT C_M 2020-04-28T19:16:55Z https://community.checkpoint.com/t5/General-Topics/Identity-collectors-and-captive-portal/m-p/83513#M16890 <P>Is it possible to use captive portal mfa with identity collectors?</P><P>&nbsp;</P> Tue, 28 Apr 2020 17:00:10 GMT https://community.checkpoint.com/t5/General-Topics/Identity-collectors-and-captive-portal/m-p/83513#M16890 C_M 2020-04-28T17:00:10Z https://community.checkpoint.com/t5/General-Topics/Identity-collectors-and-captive-portal/m-p/83533#M16895 Identity Collector will pull information from Active Directory and doesn't use MFA.<BR />If you want some users to authenticate with Captive Portal and MFA from a non-AD identity source, you can do that too. Tue, 28 Apr 2020 19:14:05 GMT https://community.checkpoint.com/t5/General-Topics/Identity-collectors-and-captive-portal/m-p/83533#M16895 PhoneBoy 2020-04-28T19:14:05Z https://community.checkpoint.com/t5/General-Topics/Identity-collectors-and-captive-portal/m-p/83534#M16896 <P>If MFA is mandated and identity collectors are desired so that AD groups can be used, is it possible to use both captive portal (MFA) and identity collectors (AD groups query)?</P> Tue, 28 Apr 2020 19:16:55 GMT https://community.checkpoint.com/t5/General-Topics/Identity-collectors-and-captive-portal/m-p/83534#M16896 C_M 2020-04-28T19:16:55Z https://community.checkpoint.com/t5/General-Topics/Identity-collectors-and-captive-portal/m-p/83549#M16903 Identity Collector is a specific tool that runs on a Windows machine that relays people who have already authenticated with Active Directory to a Check Point gateway.<BR />Active Directory is performing the authentication of the user in this case, thus we do not get involved with MFA here.<BR />Based on information gathered from Active Directory, Identity Collector communicates which user authenticated at which IP address to the configured Check Point gateway.<BR /><BR />Captive Portal is another way to acquire identities.<BR />Depending on the authentication mechanism used, Captive Portal can require MFA.<BR /><BR />Can both methods be used to gather identities? Yes.<BR />Regardless of how the identity is gathered, the gateway looks up the users in LDAP to determine what Access Roles (and rules) apply.<BR /> Tue, 28 Apr 2020 22:54:12 GMT https://community.checkpoint.com/t5/General-Topics/Identity-collectors-and-captive-portal/m-p/83549#M16903 PhoneBoy 2020-04-28T22:54:12Z https://community.checkpoint.com/t5/General-Topics/Identity-collectors-and-captive-portal/m-p/83657#M16930 <P><SPAN>"Regardless of how the identity is gathered, the gateway looks up the users in LDAP to determine what Access Roles (and rules) apply."</SPAN></P><P>&nbsp;</P><P><SPAN>True if f the Users in the Access Role is set to AD domain (or other LDAP source). You can also select Internal User Groups, which would then not look up users in LDAP to determine Access Role</SPAN></P><P>&nbsp;</P><P><SPAN>Dave</SPAN></P><P><SPAN>(Been doing a lot of testing with Access Roles and authentication methods the last few days)</SPAN></P> Wed, 29 Apr 2020 19:01:02 GMT https://community.checkpoint.com/t5/General-Topics/Identity-collectors-and-captive-portal/m-p/83657#M16930 David_C1 2020-04-29T19:01:02Z