topic Re: MFA VPN screen does not appear on Logon screen in SASE and Remote Access

MFA VPN screen does not appear on Logon screen

MarcuzShinz — Fri, 14 Feb 2025 09:14:37 GMT

Dear Guy!

Currently, we are facing an issue with remote access VPN connectivity on Check Point, specifically:

We are deploying Check Point VPN with MFA via Azure. When we log in to Windows and initiate the VPN connection, an MFA popup appears for authentication, and the connection is successfully established.
The issue we are encountering is that when we attempt to connect to the VPN from the Windows logon screen, the MFA popup does not appear, causing the VPN connection to fail.

=> Is there a way to configure the system to display the MFA popup outside the Windows logon screen?

Re: MFA VPN screen does not appear on Logon screen

PhoneBoy — Fri, 14 Feb 2025 20:03:13 GMT

The ability to prompt for VPN connection before Windows login is a feature we call SDL (Secure Domain Logon).
Because there is no user at the Windows login screen and a browser is needed to perform the authentication, the browser runs with the only permissions it has: SYSTEM.
That's potentially dangerous and thus why we do not support SDL with SAML authentication.

Having said that, we've come up with a different authentication flow for this use case that is more secure.
Specifically, instead of authenticating on the local browser, a QR code is displayed which you can use to complete the authentication flow from a different device.
However, it is currently only available as a customer release tied to a specific version/JHF level and VPN client release.
Contact your local Check Point office for additional information.

Re: MFA VPN screen does not appear on Logon screen

MarcuzShinz — Tue, 04 Mar 2025 07:52:43 GMT

Dear PhoneBoy

You mean we have to drop authentication with SAML and move to QR code according to this SK?

sk102796 - Creating a QR Code using CPQRGen for Mobile applications

Re: MFA VPN screen does not appear on Logon screen

PhoneBoy — Tue, 04 Mar 2025 20:55:58 GMT

The SK you referred to is relevant to creating a QR Code for adding a site to the Check Point Mobile (iOS and Android) app.
It's not relevant to the issue here.

The issue is the SAML authentication must be done on a web browser.
The browser that runs at the Windows Login (where you perform SDL) runs with SYSTEM permissions, which is dangerous.
The QR code in question is to allow you complete the SAML authentication process on a different device (e.g. mobile phone).

As stated previously, the functions that perform the above are not present in the product today.
They are only available in a specific customer release available from your local office.
I assume this will be added to the product in the future, but don't know the specific timeframe for this.