rapsodiaverde
Explorer

MFA Azure disabling Capsule

Hello,

I configured MFA with Azure on a customer network to be able to authenticate VPN connections from the remote users.

As far as I know, there is no option to configure Capsule VPN with MFA Azure, so I decided to disable Capsule as a method in the VPN settings and only allow Endpoint Security, to force users to use only Azure MFA.

But there is 1 device belonging to the CEO (an iPad) that must be able to connect to the VPN.

So is there a way to enable Capsule but allow only 1 user or 1 device to authenticate?
Or is there some method to integrate Capsule with MFA Azure?

The only solution that I found is to deactivate all methods except Endpoint Security and Capsule for iOS.

Thank you

0 Kudos
1 Reply
PhoneBoy
Admin

I assume you mean MFA with Azure AD.
This is currently not supported on Capsule Connect for iOS.

While you cannot prevent any user from authenticating to the VPN with Capsule Connect, you can prevent users who do authenticate from actually connecting to anything.
This ultimately involves creating two Access Roles:

  • One for the CEO (only) connecting via Capsule Connect
  • One for everyone else connecting via Capsule Connect

In your rulebase, you'll end up creating two rules: One that allows the CEO to connect to the relevant resources, and another that denies all access from other users.
See the following on creating Access Roles: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_IdentityAwareness_AdminGuide... 

Note that you will need to enable Identity Awareness if it's not enabled already and enable Remote Access as one of the Identity Sources (not enabled by default).

0 Kudos
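
The two-role, two-rule layout from the reply above can be checked as a small first-match model. This is an added example, not part of the thread and not Check Point configuration or API code; the role, user and client names (`ceo`, `alice`, `capsule-connect`, `endpoint-security`) are hypothetical, and the third rule for Endpoint Security users is an assumption based on the original question.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard: matches any user or any remote access client


@dataclass(frozen=True)
class AccessRole:
    """Simplified Access Role: a user identity plus the client they connect with."""
    name: str
    user: Optional[str]
    client: Optional[str]

    def matches(self, user: str, client: str) -> bool:
        return self.user in (ANY, user) and self.client in (ANY, client)


@dataclass(frozen=True)
class Rule:
    name: str
    source: AccessRole
    action: str  # "accept" or "drop"


def evaluate(rulebase, user, client):
    """First matching rule wins; unmatched traffic hits the implicit drop."""
    for rule in rulebase:
        if rule.source.matches(user, client):
            return rule.action, rule.name
    return "drop", "implicit cleanup"


# Hypothetical roles mirroring the two bullets in the reply, plus the MFA path.
CEO_CAPSULE = AccessRole("CEO_Capsule", user="ceo", client="capsule-connect")
OTHERS_CAPSULE = AccessRole("Others_Capsule", user=ANY, client="capsule-connect")
ENDPOINT_USERS = AccessRole("Endpoint_Users", user=ANY, client="endpoint-security")

RULEBASE = [
    Rule("Allow CEO via Capsule", CEO_CAPSULE, "accept"),
    Rule("Deny others via Capsule", OTHERS_CAPSULE, "drop"),
    Rule("Allow Endpoint Security users", ENDPOINT_USERS, "accept"),
]

# Misordered variant: the broad deny shadows the CEO rule.
MISORDERED = [RULEBASE[1], RULEBASE[0], RULEBASE[2]]

if __name__ == "__main__":
    for user, client in [("ceo", "capsule-connect"),
                         ("alice", "capsule-connect"),
                         ("alice", "endpoint-security")]:
        print(user, client, evaluate(RULEBASE, user, client))
    print("misordered:", evaluate(MISORDERED, "ceo", "capsule-connect"))
```

The misordered variant shows why the CEO rule must sit above the deny rule: the "everyone else" role also matches the CEO when they connect with Capsule Connect.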