topic Re: Approve MS smartphone delay RADIUS in General Topics

Approve MS smartphone delay RADIUS

RemoteUser — Mon, 07 Apr 2025 10:23:07 GMT

hello everyone, we are experiencing a problem with ms authentication on smartphone is taking about 20 seconds to do the approve... it used to take about 5 seconds, is there something checkpoint side we can check?
the vpngw is running R81.20 JH53

Re: Approve MS smartphone delay RADIUS

PhoneBoy — Mon, 07 Apr 2025 15:47:53 GMT

What's the actual authentication flow here where this step is required?
Have you checked with tcpdump to see which end is causing the delay?

Re: Approve MS smartphone delay RADIUS

RemoteUser — Mon, 07 Apr 2025 16:13:15 GMT

The VPN client request to Radius client
Radius request to Primary AUthN (active directory)
And then to Multi-Factor Auth reuqest

CKP > NPS > AAD

How can i capture traffic, personally i've the same issue but if i disconnect from the vpn checkpoint i lost the session

Re: Approve MS smartphone delay RADIUS

PhoneBoy — Mon, 07 Apr 2025 17:32:16 GMT

This would most likely have to be captured on the gateway while you (or an affected user) are connecting via a VPN client.
It's also not clear where the MFA is coming from...is it a different authentication method you've configured?

Re: Approve MS smartphone delay RADIUS

RemoteUser — Mon, 07 Apr 2025 18:21:07 GMT

Azure MFA and Check Point VPN. The connections it's with Azure AD and the NPS extension for Azure MFA
if i want to collect tcpdumps myself how can i do it? if i disconnect to replicate the problem i also lose connectivity....

Re: Approve MS smartphone delay RADIUS

PhoneBoy — Mon, 07 Apr 2025 18:30:50 GMT

Please provide a screenshot of this portion of the relevant gateway/cluster object so I can understand how you have this configured on the Check Point side.
In general, if you're doing MFA with Azure AD, you should be using SAML instead of RADIUS.

Re: Approve MS smartphone delay RADIUS

RemoteUser — Mon, 07 Apr 2025 18:47:38 GMT

Re: Approve MS smartphone delay RADIUS

PhoneBoy — Mon, 07 Apr 2025 19:52:48 GMT

Does Identity Provider refer to Azure AD?
Curious why you're doing RADIUS as a separate step here.

Re: Approve MS smartphone delay RADIUS

Ruan_Kotze — Tue, 08 Apr 2025 05:51:21 GMT

Some unsolicited advice - seeing as you're already integrated with Entra (based on Identity Provider Entry) I would look to move away from Radius auth and its dependencies and move to straight SAML auth if at all possible.

Re: Approve MS smartphone delay RADIUS

RemoteUser — Tue, 08 Apr 2025 06:39:15 GMT

Why? if you don't mind me asking.

Re: Approve MS smartphone delay RADIUS

Ruan_Kotze — Tue, 08 Apr 2025 06:55:19 GMT

Don't mind at all.

It's "cleaner".
From an identity security perspective, we can pull in what Microsoft brings to the table in terms of conditional access, risk-based sign ins, impossible travel etc.
We can do number matching as opposed to just approvals
We can now Geo-restrict logins using conditional access policies, something that has been a big pain on check Point traditionally (for me at least).
Integration works better in terms of access roles etc., no need for legacy objects
We have the option to force 2nd factor every auth, or re-use existing session tokens for a seamless experience

That's off the top of my head, sure I'll be able to put down more if I think about it. Of course every environment and use case is different, but the above has been true for us.

-Ruan