https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173770#M5407 <P>I had customer try that with different domains couple of years ago and we must have spent 10 + hours with TAC and MS support on it, without success. I want to be positive and tell you it would work, but Im also being brutally honest when I say its highly unlikely it will work. Just my feedback about it.</P> Mon, 06 Mar 2023 23:59:00 GMT the_rock 2023-03-06T23:59:00Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173475#M5403 <P><SPAN>Dear all,</SPAN></P><P>We would like to integrate our Checkpoint cluster with Azure AD.</P><P>At the time our client-based remote access vpn users are authenticated via on-premise AD.&nbsp;Client's version is&nbsp;E86.50. We would like to add O365 MFA to the vpn users. For this reason&nbsp; we have to integrate our Checkpoint cluster (6400 appliances, R81.10 version) with Azure AD in order to authenticate remote users. I read a similar case in the community but our on-premise AD and the Azure AD are not synchronized (we have different domains). Also the solution of SAML authentication is not suitable for us.</P><P>Is there any way to implement this scenario?</P><P>Thank you in advance for your answers.</P><P>Ioannis</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 03 Mar 2023 09:15:26 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173475#M5403 ikokkoris 2023-03-03T09:15:26Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173565#M5404 <P>If you do not want to do SAML, the only other option is to integrate with RADIUS.<BR />That means setting up a Network Policy Server:&nbsp;<A href="https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-radius" target="_blank">https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-radius</A><BR />It also means entering your fixed password plus your MFA number in the same password field.<BR />The SAML approach is much more user friendly.</P> Sat, 04 Mar 2023 00:19:33 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173565#M5404 PhoneBoy 2023-03-04T00:19:33Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173647#M5405 <P>Hello,</P><P>Thank you for the reply. My concern for the scenario about NPS, is the usage of different domains in local and Azure AD environments. Do you think that it can still work?</P> Mon, 06 Mar 2023 08:49:10 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173647#M5405 ikokkoris 2023-03-06T08:49:10Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173753#M5406 <P>Theoretically, you can set both up as authentication methods and use the Multiple Authentication Schemes.<BR />See: <A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Content/Topics-MABG/Multiple-Login-Options.htm" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Content/Topics-MABG/Multiple-Login-Options.htm</A>&nbsp;<BR />How this will work in practice is a separate question.</P> Mon, 06 Mar 2023 17:46:18 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173753#M5406 PhoneBoy 2023-03-06T17:46:18Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173770#M5407 <P>I had customer try that with different domains couple of years ago and we must have spent 10 + hours with TAC and MS support on it, without success. I want to be positive and tell you it would work, but Im also being brutally honest when I say its highly unlikely it will work. Just my feedback about it.</P> Mon, 06 Mar 2023 23:59:00 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173770#M5407 the_rock 2023-03-06T23:59:00Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173794#M5408 <P>Appreciate your answer. My first thought was to integrate Azure AD with CP cluster and then users authenticate (through vpn Client) with O365 credentials but I am not sure it works.</P> Tue, 07 Mar 2023 07:58:44 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173794#M5408 ikokkoris 2023-03-07T07:58:44Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173797#M5409 <P>I will try that and come back with feedback. Thanx</P> Tue, 07 Mar 2023 07:59:41 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/173797#M5409 ikokkoris 2023-03-07T07:59:41Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/174185#M5410 <P>I remember month ago that putting user/groups fetched from Azure AD object didn't worked. Is this fixed now?</P> <P>&nbsp;</P> <P>thank you</P> Thu, 09 Mar 2023 08:37:53 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Integration-with-Azure-AD-for-remote-access-VPN/m-p/174185#M5410 CheckPointerXL 2023-03-09T08:37:53Z