topic Re: MFA for some VPN users in SASE and Remote Access

MFA for some VPN users

Oryx — Fri, 11 Feb 2022 14:21:42 GMT

Hi,

We've enabled MFA with SMS provider in the Remote Access VPN of one of our end customers. Everything is working fine, but our customer wants to know if it is possible to disable the MFA for a particular User or a particular Group of Users.

Our users are internal on the Check Point Gateways, so we don't have an Active Directory server to validate the users credentials. We have the MFA configured with Username and Password + SMS Provider for all the internal users. We would like to have a particular user (Failsafe user, if the SMS Provider fails) without MFA. Is it possible?

Thanks in advance for your help.

Regards

Re: MFA for some VPN users

the_rock — Fri, 11 Feb 2022 16:26:57 GMT

If you are not using AD to validate users and they are all local, sounds like the only way to do this would be to modify the individual user by modifying auth method once you edit the user in dashboard.

Re: MFA for some VPN users

Oryx — Fri, 11 Feb 2022 16:47:44 GMT

Hi the_rock,

But how can I differentiate the users that will require MFA on the VPN from users that will not need that with the auth method?

I'm not following when you say that I can achieve this with auth method.

Regards

Re: MFA for some VPN users

the_rock — Fri, 11 Feb 2022 16:57:51 GMT

No problem, Im simply referring to below when you edit the user in smart console.

Re: MFA for some VPN users

Oryx — Fri, 11 Feb 2022 17:18:27 GMT

Hi @the_rock

I know the place of the configuration on the Smart Console.

But I think that will still not help me to achieve what the end customer wants. So, let says that we have User_A and User_B, both of them local within the Gateways and with priviledges to login on the Remote Access VPN. Then, I want that the User_A only can connect on the VPN with his credentials (Username and Password) on the Authentication Profile with MFA, but not on the Authentication Profile without MFA. Also, I want that the User_B can connect in both of the Authentication Profiles with or without MFA.

I hope I explained better what we need. And sorry If I was not clear on the first place.

Regards

Re: MFA for some VPN users

the_rock — Fri, 11 Feb 2022 17:48:35 GMT

Message me privately, lets do remote session.

Re: MFA for some VPN users

the_rock — Fri, 11 Feb 2022 18:01:53 GMT

If you are referring to below setting, that has to be changed manually, UNLESS you use just one generic auth method on gateway

Re: MFA for some VPN users

Oryx — Sat, 12 Feb 2022 09:43:26 GMT

Hi @the_rock

That is exactly what I'm talking about. So, at the end of the day, the end users will always have the possibility to change that option, because we've two possible options for the authentication (Username/Password only, Username/Password + SMS).

As far as I known, I cannot disable that option in the VPN client of the end users. Also, I cannot avoid centrally that a end user successfully login in both authentication schemes.

Regards

Re: MFA for some VPN users

the_rock — Sat, 12 Feb 2022 12:32:32 GMT

Correct, Im pretty sure you cannot do that, unless you use one generic auth method, in which case users wont have a choice. There might be some way of doing this by modifying trac.defaults file, but I would confirm with TAC, to be certain.

Andy