topic Re: Checkpoint R81.10 VPN MFA with OKTA radius in SASE and Remote Access

Checkpoint R81.10 VPN MFA with OKTA radius

seanmc12 — Sun, 12 Nov 2023 21:29:06 GMT

I am trying to setup MFA on my Checkpoint VPN via OKTA radius agent. I'm utilizing the steps provided by Checkpoint which point to OKTA. We went through every step with the exception of the last couple that involve Mobile section at the tail end as we are not utilizing that. We are running R81.10 and some of the items are in different places from the documentation we were provided by Checkpoint. Everything is configured and then on the Client itself, we changed from Username/Password auth to STANDARD. After doing that, we are able to hit the connect button on the client, it prompts you to enter in your username, but the password field is greyed out. You press continue and then it pops up a box that says Response, but I'm not receiving any pushes from OKTA verify, Cell texts or anything for which to enter in a response in the Checkpoint client. Spent 3 hours on the phone with OKTA and Checkpoint support together this morning and ended up just submitting VPN Debug logs and no Checkpoint VPN w/MFA. Anyone else get this to working? Mind sharing your process?

Any help is greatly appreciated.

https://help.okta.com/en-us/content/topics/integrations/check-point-radius-intg.htm

Re: Checkpoint R81.10 VPN MFA with OKTA radius

the_rock — Mon, 13 Nov 2023 03:27:47 GMT

Personally, I think running vpn debugs here is not useful, just my opinion, as you are not having issue with site to site vpn tunnel traffic.

Having read all you indicated, I am fairly confident its something missing in the config. Are you able to share some screenshots of how you configured this? My colleague and I got this working in the lab before and we actually followed document I attached, along with the script on the mgmt server,

Regards,

Andy

Re: Checkpoint R81.10 VPN MFA with OKTA radius

seanmc12 — Mon, 13 Nov 2023 13:30:10 GMT

Attached a screen shots of our config and the Checkpoint provided link to the process. https://help.okta.com/oie/en-us/content/topics/integrations/check-point-radius-intg-conf-gateway.htm On the Client side, we changed the Authentication from Username/PW to Standard. There are some steps regarding enabling Mobile Access at the bottom of the instructions. "Configure browser access to the Check Point Mobile Access SSL VPN portal"

Does that need to be done?

Re: Checkpoint R81.10 VPN MFA with OKTA radius

the_rock — Mon, 13 Nov 2023 13:46:20 GMT

This is what Im interested in. Are you able to send that please? And blur out any sensitive info.

Andy

Re: Checkpoint R81.10 VPN MFA with OKTA radius

seanmc12 — Mon, 13 Nov 2023 14:02:08 GMT

Here you go

Re: Checkpoint R81.10 VPN MFA with OKTA radius

the_rock — Mon, 13 Nov 2023 14:19:20 GMT

I think the way it was done is the issue, in my opinion. Whenever I did this with the customers, I would add auth methods as SEPARATE entities (if you will), meaning say if radius is preferred auth method, then you set it as first in the list, or even set it as global auth method and then have it as only method in the list. Do you require anyone to log in as user/pass? If you do, then simply enable it on the user settings locally in the dashboard and have user/pass method as separate auth method in the list (radius first, user/pass second).

Makes sense?

Andy

Re: Checkpoint R81.10 VPN MFA with OKTA radius

Alex- — Mon, 13 Nov 2023 17:38:50 GMT

I agree. I deployed Okta w/ RADIUS with a dedicated authentication realm and it worked.

It's been a while but ensure you use samaccountname + domain name as login factor and check that Okta performs primary authentication and your users and groups are provisioned within the Okta directory.

Re: Checkpoint R81.10 VPN MFA with OKTA radius

the_rock — Mon, 13 Nov 2023 17:40:24 GMT

Exactly. I had done it that way 3 times and worked fine.

Andy