topic Re: VPN Remote access multiple authentication in SASE and Remote Access

VPN Remote access multiple authentication

ggiordano — Wed, 26 Oct 2022 09:20:09 GMT

Hi mates

in some customers I have multiple authentication for the remote access vpn connection (client & mobile access unified).

normally the authentication is based on external LDAP servers and they need for discriminating internal users (SAML MFA) from external users (username/password + OTP).

The remote users have the decision which authentication method choose and it means the users could another authentication method and authenticate successfully

let me go in an example

users1 needs to connect to VPN (client or Mobile access)

users1 is internal user so he knows the authentication method must be the one defined for internal users (SAML MFA)

users1 is able to authenticate by the authentication method for external users as well.

I'd like to enforce some check where if internal user is trying to use the authentication method for external users, the authentication fails because the internal user is not entitle for that authentication method.

in other words, I'd like to assign the authentication method per LDAP users or LDAP user groups

do anyone know if it's possible?

Re: VPN Remote access multiple authentication

PhoneBoy — Wed, 26 Oct 2022 18:43:50 GMT

Have you defined a single LDAP branch or do you have multiple LDAP branches defined on the Check Point side (one for internal users and one for external third parties)?
Because that will be required to set a different authentication scheme for different groups in AD.
This is configured in the gateway object under VPN Clients > Authentication > Multiple Authentication Client Settings.
In each setting, you specify the LDAP Branch the authentication type applies to.

Re: VPN Remote access multiple authentication

the_rock — Wed, 26 Oct 2022 20:42:37 GMT

I read what phoneboy responded and it makes total sense to me. Im not sure if there is a different way to achieve what you are looking for.

Re: VPN Remote access multiple authentication

ggiordano — Mon, 07 Nov 2022 12:24:22 GMT

I cannot define different authentication method based on your advise.

the problem is you can specify the LDAP Account unit and not the user group.

in addition the ldap account unit must unique for the same domain, otherwise you will have warning about multiple account unit refers to the same domain.