This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AlainC
Contributor
‎2025-04-28 04:47 AM
Jump to solution

VPN client with sms MFA

Hello,

 

I've MFA via Microsoft Authenticator setup for my VPN users. This works fine. Users get an extra window from the VPN client to insert their code and the connection is established. 

Now I was testing the same process, but now with SMS as MFA. Strangely enough, the SMS is received on the smartphone, but an extra window from the VPN client, to insert the code from the sms, does not appear. I get wrong user or password.

FYI

I use a third party MFA solution and MS NPS.

My VPN client is v88.70

 

Any idea where to look (VPN client, MFA solution, NPS, Checkpoint firewall/vpn, etc...)? 

0 Kudos
1 Solution

Accepted Solutions
AlainC
Contributor
‎2025-04-29 08:46 AM
In response to Duane_Toler
Jump to solution

I was able to pinpoint the problem... a faulty return code received on the MFA server from our SMS gateway. Nothing to do with Checkpoint! 

Thanks for the reactions!

View solution in original post

10 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-04-28 05:24 AM
Jump to solution

What do logs show?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
AlainC
Contributor
‎2025-04-29 06:02 AM
In response to the_rock
Jump to solution

Hello,

just been hanging 2 hours in a call with MFA soft provider, digging through logs. All seems fine here.

Can you specify which logs to check and where?

thanks

 

0 Kudos
AlainC
Contributor
‎2025-04-29 06:05 AM
In response to AlainC
Jump to solution

still in the complete dark here... finding the root is a first step:

MFA soft (i don't think so)

NPS ( i don't think so)

SMS gateway

VPN

VPN client

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-04-29 06:12 AM
In response to AlainC
Jump to solution

I meant smart console logs...

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2025-04-29 06:15 AM
In response to AlainC
Jump to solution

Is the gateway still using NPS as the RADIUS server, or a different RADIUS server?  Check tcpdump (or cppcap) on the gateway for RADIUS connections (port 1812) to see if the RADIUS messages are being exchanged as you expect.  If they are, then you need to run a VPN debug on the gateway and look in $FWDIR/log/vpnd.elg.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
AlainC
Contributor
‎2025-04-29 08:46 AM
In response to Duane_Toler
Jump to solution

I was able to pinpoint the problem... a faulty return code received on the MFA server from our SMS gateway. Nothing to do with Checkpoint! 

Thanks for the reactions!

the_rock
MVP Diamond
MVP Diamond
‎2025-04-29 08:49 AM
In response to AlainC
Jump to solution

Good job!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2025-04-29 08:57 AM
In response to AlainC
Jump to solution

Excellent! Good hunting!

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2025-04-28 04:18 PM
Jump to solution

The 3rd party server needs to send a RADIUS Access-Challenge to the NPS server.  If your 3rd party service isn't providing that, then the VPN client will never see that from the NPS server to present the extra login prompt.

With SMS (and voice/call), this usually doesn't work, as the two services are out-of-band of each other (the RADIUS server is effectively hanging while waiting on the 3rd party to respond).

If you believe it should be working, then you'll need to run a VPN debug on the gateway to watch the RADIUS session between the gateway and the NPS server.

For a quick debug, you can just do a "tcpdump -xXvv -nni <interface facing the RADIUS server> port 1812" and look at the RADIUS packet decode (access-accept and access-challenge is what you want to see).  If the tcpdump isn't helpful, then you'll need a VPN debug.

Regardless, I wouldn't expect this work.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
AlainC
Contributor
‎2025-04-29 06:03 AM
In response to Duane_Toler
Jump to solution

Hello,

the radius challenge/accept is sent when using MS authenticator. Why would the same process via SMS block somewhere?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events