topic Re: Using MS Active Directory for remote access VPN in SASE and Remote Access

Using MS Active Directory for remote access VPN

Dmitriy_Tiper — Thu, 06 Sep 2018 21:00:51 GMT

Hi everyone,

I totally lost in number of somewhat conflicting documentation and community topics and would be grateful if you can help me.

1. We are on R80.10 version SMS and gateways

3. IP Sec VPN, Mobile access and Identity awareness blades are enabled

2. We are using Check Point Mobile for Windows client and presently users are created locally.

3. Local users are also assigned to users groups and user groups assigned to users roles that used in access rules to distinguish what users can and cannot access

4. I need to move to authenticate users against Microsoft AD and also to use AD user group user belongs to in MS AD in access rules for remote access VPN - i.e. some sort of authorization.

5. Do I need user directory license if I just want to enable remote VPN authentication against AD? There is no any MS AD management from Check Point side, just querying AD for user presence and if password is valid.

6. What about using MS AD user group user belongs to in access rules? During initial setup for Mobile access I said that I don't want to use AD integration.

7. To make things more complicated, I need then to move to Radius authentication with soft RSA token and still be able to query MS AD for a user group connecting user belongs to to be able to use AD group in access rules.

Your help is really appreciated!

Re: Using MS Active Directory for remote access VPN

Simon_Drapeau — Fri, 24 Jan 2020 17:48:43 GMT

Point 7 ... is relevant for me. How do you proceed to implement this configuration ?

Simon

Re: Using MS Active Directory for remote access VPN

Maarten_Sjouw — Fri, 24 Jan 2020 18:26:47 GMT

2 factor authentication works fine when you do not use secondary connect. When you do use it the client will prompt you for each gateway your client connects to, to authenticate again for each gateway.

Re: Using MS Active Directory for remote access VPN

Simon_Drapeau — Fri, 24 Jan 2020 19:19:18 GMT

Thanks for your reply. I agree your point about the secondary connect. My questioning is more about the feasibility of our new configuration.

What I'm expecting :
1- Authenticate RA user (Radius gemalto) with full UPN (xxx@xxx.xxx) - Working at this time ... secondly using this RA user newly authenticated in ...
2- Many Access role based on group membership (IA - AD query) to permit access to specific internal resources.

At this time, it seems that the AccessRole rule doesn't trap the user because group membership has not retrieved successfully. I tried to find how to do that. Maybe sk147417. Just a little bit confused. At this point, any hints will be helpful ? that's why point 7 could be relevant for me.

Regards, Simon

Re: Using MS Active Directory for remote access VPN

Simon_Drapeau — Fri, 24 Jan 2020 21:45:57 GMT

Worked now .. no need to response.
I have one more tricky thing to do is to configure different IP pool for each AD_Group (ipassignment.conf) .. planned at the beginning of next week.

Simon