topic Re: 2FA with SMB 1500 (R80.20.30) in SASE and Remote Access

2FA with SMB 1500 (R80.20.30)

SaxMan — Mon, 16 Aug 2021 09:34:04 GMT

Hi,
Are there any "workarounds"/solution(s) for the following scenario?
Appliance: SMB 1550 with R80.20.30.
On-premise 2FA Appliance (based on FreeRadius)
Issue:
We've successfully integrated 2FA/Radius appliance with AD and it "pulls" through the relevant VPN users group via FilterID.
When we have Radius/2FA server defined as the ONLY Authentication Server, the VPN users successfully authenticate with OTP.
Once we add the AD server, 2FA does not work. (even if we create a dummy AD group for the 1550 to read)
We do, however, need the AD server for building specific rules in the Access Policy.

Any suggestions/advice would be greatly appreciated.

Thanks.

Re: 2FA with SMB 1500 (R80.20.30)

G_W_Albrecht — Mon, 16 Aug 2021 09:52:51 GMT

sk137732 ?

Re: 2FA with SMB 1500 (R80.20.30)

SaxMan — Mon, 16 Aug 2021 11:52:52 GMT

Thanks a million.
Yip.
Read through that doc/SK - I just thought there might be a chance of someone on the community successfully implementing it (with AD, of course)
The 2FA solution works with other SMB brands(with AD + Radius) so we're trying to compete with our CheckPoint POV/POCs.
Thank you for the prompt feedback.

Re: 2FA with SMB 1500 (R80.20.30)

PhoneBoy — Mon, 16 Aug 2021 15:29:57 GMT

But sk137732 is for locally managed SMB and you’re talking about using Access Roles in rules.
Is this a centrally managed SMB?

Re: 2FA with SMB 1500 (R80.20.30)

SaxMan — Mon, 16 Aug 2021 19:01:16 GMT

Hi,
Thanks for the response.

Locally managed 1500.
My original post should've read:
On the 1500 we want to use AD to define rules under Access Policy -> Policy
(example: Outgoing - Source: (AD Group)marketing -> Dest:internet -> Service:Facebook Business -> Action: accept -> Log)

The Radius server will sync with AD and filter out the VPN users and do the 2FA
So ideally, have both AD and Radius configured under Authentication Servers
(right now we have to remove AD from the Auth Servers list, and then 2FA works 100%)

I hope this makes sense?

Thanks.

Re: 2FA with SMB 1500 (R80.20.30)

PhoneBoy — Mon, 16 Aug 2021 20:21:59 GMT

Yes, it makes sense, therefore it seems sk137732 would apply.

Re: 2FA with SMB 1500 (R80.20.30)

SaxMan — Mon, 16 Aug 2021 20:44:14 GMT

Great stuff.
Thanks.

So, here's the Million Dollar question: 😀
Any chance that there might be a solution/enhancement on a roadmap soon?