topic Two RADIUS server for VPN authentication in SASE and Remote Access

Two RADIUS server for VPN authentication

petermatuska — Wed, 19 Aug 2020 13:27:37 GMT

Hi,

I want to use Cisco ISE as a central point of authentication for users, so I need to configure check point in such a way that it sends two radius request to ISE. First request should have username/password - ISE will send it to the AD for the 1st authentication. The second request should have username/token so it is sent to Duo for 2nd authentication.

I believe the only way how to do it is to leverage multiple login options so the VPN client presents two windows to users. I tried to setup two authentication factors on a gateway but it said that only one RADIUS server is allowed. Is it possible to somehow bypass this rule?

thank you

Re: Two RADIUS server for VPN authentication

Norbert_Bohusch — Wed, 19 Aug 2020 13:50:15 GMT

Radius is based on challenge response, so configuring it one time is enough.

- First you enter username/password

- Check Point sends both to radius server (ISE)

- ISE matches username/password and asks for a challenge because of 2nd factor

- Check Point receives challenge and requests input of token

- Token is sent to ISE which issues a access-accept back if it is matching

Re: Two RADIUS server for VPN authentication

petermatuska — Wed, 19 Aug 2020 14:02:12 GMT

Hi Norbert,

I am not quite sure whether I can configure ISE to request check point for the 2nd factor if 1st factor is successful.