topic Remote access using Active Directory with Radius/Duo authentication in SASE and Remote Access

Remote access using Active Directory with Radius/Duo authentication

anishtholath — Wed, 23 Jun 2021 11:04:38 GMT

Hi,

I would like to know how we can enable remote access VPNs for all the users configured on our AD server. The users should be able to authenticate using the Duo/Radius server we have already in place.

Current setup as below: -

1. Create the User on smartconsole and configure authentication as Duo

2. Create Duo accounts

3. User login to their endpoint security client using AD credentials, receives a Duo push and authneticate themselves and connect the VPN

We want it to change so that the VPN user creation on the smartconsole is not required. Every new user in the AD should have the remote access VPN with duo authentication enabled.

Anish

Re: Remote access using Active Directory with Radius/Duo authentication

PhoneBoy — Fri, 25 Jun 2021 21:50:51 GMT

What you need to create is an External User Profile.
Which isn't obvious because SmartConsole does not have this option.
It needs to be done with the legacy SmartDashboard client as described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114797

Re: Remote access using Active Directory with Radius/Duo authentication

the_rock — Sat, 26 Jun 2021 01:31:30 GMT

Pretty simple. All you have to do is make sure that under gateway properties, vpn office mode, authentication -> and then under settings there, choose radius and select radius server you configured. As long as your radius communicates fine with the gateway, thats all you really need. Now, there is a document for radius auth with vpn clients (attached here). Phoneboy is correct as far as external user profile, but I can tell you that I never had to do that myself for Radius auth and worked fine every time. Message me privately if you wish and happy to do remote session to show you.

Re: Remote access using Active Directory with Radius/Duo authentication

anishtholath — Thu, 08 Jul 2021 14:45:43 GMT

Hi ,

Is there a detailed documentation on how to do this? What am i supposed to do with the external user profile?

Re: Remote access using Active Directory with Radius/Duo authentication

anishtholath — Thu, 08 Jul 2021 14:46:55 GMT

Hi, we already have radius configured which we are using to authenticate the vpn clients. what i want is to remove the necessity of creating the users on the firewall and instead let all the AD users connect using vpn clients and authenticate using duo/radius.

Re: Remote access using Active Directory with Radius/Duo authentication

Institut_fuer_R — Thu, 08 Jul 2021 14:51:46 GMT

Did you set duo up to have your AD users in correctly?

https://duo.com/docs/checkpoint

Because what you are describing is how it just usually works, if you follow that explication.