topic Re: Check Point Mobile for Windows - Machine certificate before logon, IdP Azure after logon in SASE and Remote Access

Check Point Mobile for Windows - Machine certificate before logon, IdP Azure after logon

TimV — Thu, 23 Jun 2022 19:39:41 GMT

Hi all,

Here is what I want to get done :

Machine authentication before logon, (Pre logon)
After logon keep this connection alive (Post Logon)
Switch to User authentication with IdP Azure MFA.
And let's hope I can explain Azure to do MFA while "On-Prem" - other outgoing IP to 0365 for RemoteAccess?

So far I have made

Machine Authentication work via Certificate (ADCS) Pre- and Post-Logon.
Get User authentication work with MFA (with Pre-Machine Certficate Auth)

Now, the issue starts :

Either have Pre and Post Machine certificate (but not have MFA)
Issue is 'post-it' password on the PC = At theft they are on our network!
Either have Pre Machine and Post MFA, but with a gap between the post-logon moment and validating MFA.
Issue, as it's a gap in what we try to achieve, be always behind out protect solution.
No logon or proper AD auth at logon.

Or am I missing somewhere, a parameter or a trick to make the switch work as described.

It has been a long journey to get to this point, the last mile is seaming to be the biggest hurdle.

Ps, I'm interrested in your POV, but stick to the topic please.

Kind regards
Tim

Re: Check Point Mobile for Windows - Machine certificate before logon, IdP Azure after logon

PhoneBoy — Thu, 23 Jun 2022 21:10:16 GMT

Want to make sure I understand what you’re trying to achieve here:

You want a Remote Access VPN to be connected via Machine Certificate prior to Windows logon
After Windows login, you want to reconfirm with MFA from Azure AD to keep the VPN connection alive (presumably dropping said connection if the user fails MFA)

Am I understanding this correctly?
Not sure this is actually possible.

Re: Check Point Mobile for Windows - Machine certificate before logon, IdP Azure after logon

TimV — Fri, 24 Jun 2022 06:12:07 GMT

Hi,

Pre-logon part : absolutely correct.

Post-logon = Machine Certificate that switches over to User MFA.

The key piece is to keep a connection alive between post-logon and confirmation by User MFA.
This gap causes logon process to not complete succesfully, and only comes back after the User MFA has completed.

Re: Check Point Mobile for Windows - Machine certificate before logon, IdP Azure after logon

PhoneBoy — Wed, 29 Jun 2022 19:44:45 GMT

SAML Authentication can (currently) only be triggered after the user is logged in.
This is likely why Secure Domain Login and SAML authentication aren't supported together, which would be the ideal way to solve this issue.
I'm guessing when the request for SAML authentication is triggered, the existing VPN connection is killed.

Given the above, I'm kinda surprised it works the way you describe it.
Getting it to work in the desired manner is probably an RFE you should raise with the local Check Point office.