AlainC
Contributor

VPN client with sms MFA

Hello,

I have MFA via Microsoft Authenticator set up for my VPN users. This works fine. Users get an extra window from the VPN client to enter their code and the connection is established.

Now I was testing the same process, but with SMS as the MFA method. Strangely enough, the SMS is received on the smartphone, but the extra window from the VPN client to enter the code from the SMS does not appear. I get "wrong user or password".

FYI:

I use a third-party MFA solution and MS NPS.

My VPN client is v88.70.

Any idea where to look (VPN client, MFA solution, NPS, Check Point firewall/VPN, etc.)?


Accepted Solutions
AlainC
Contributor

I was able to pinpoint the problem: a faulty return code received on the MFA server from our SMS gateway. Nothing to do with Check Point!

Thanks for the reactions!

10 Replies
the_rock
Legend

What do logs show?

AlainC
Contributor

Hello,

I have just spent 2 hours in a call with the MFA software provider, digging through logs. All seems fine there.

Can you specify which logs to check, and where?

Thanks

AlainC
Contributor

Still completely in the dark here... finding the root cause is a first step. Candidates:

MFA software (I don't think so)

NPS (I don't think so)

SMS gateway

VPN

VPN client

the_rock
Legend

I meant SmartConsole logs...

Andy

Duane_Toler
Advisor

Is the gateway still using NPS as the RADIUS server, or a different RADIUS server? Check tcpdump (or cppcap) on the gateway for RADIUS connections (port 1812) to see whether the RADIUS messages are being exchanged as you expect. If they are, then you need to run a VPN debug on the gateway and look in $FWDIR/log/vpnd.elg.


--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
Legend

Good job!

Duane_Toler
Advisor

Excellent! Good hunting!

Duane_Toler
Advisor

The third-party server needs to send a RADIUS Access-Challenge to the NPS server. If your third-party service isn't providing that, then the VPN client will never see it from the NPS server to present the extra login prompt.

With SMS (and voice/call), this usually doesn't work, as the two services are out-of-band of each other (the RADIUS server is effectively hanging while waiting on the third party to respond).

If you believe it should be working, then you'll need to run a VPN debug on the gateway to watch the RADIUS session between the gateway and the NPS server.

For a quick debug, you can just do a "tcpdump -xXvv -nni <interface facing the RADIUS server> port 1812" and look at the RADIUS packet decode (Access-Accept and Access-Challenge are what you want to see). If the tcpdump isn't helpful, then you'll need a VPN debug.

Regardless, I wouldn't expect this to work.

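The RADIUS exchange described in the two replies above (the tcpdump on port 1812 and the point that only an Access-Challenge makes the client open the second prompt) can be checked offline with a small decoder. The following is an added example written for this thread; it is not Check Point, NPS or MFA-vendor code. It builds constructed sample replies (an Access-Challenge carrying State and Reply-Message, a bare Access-Reject, and a reply built with the wrong shared secret), parses the RFC 2865 header and attribute TLVs, verifies the Response Authenticator against the request authenticator and secret, and reports what the VPN client would do with each. The request authenticator, identifier, secret and attribute values are all made up for the example; a real Access-Request carries 16 random bytes there.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and the attribute types this example cares about (RFC 2865).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
REPLY_MESSAGE, STATE = 18, 24

# Constructed values: a real Access-Request uses 16 random bytes here, and the
# shared secret is whatever is configured on the gateway's RADIUS server object.
REQUEST_AUTH = bytes(range(16))
SECRET = b"example-shared-secret"


def build_response(code, identifier, request_auth, secret, attrs):
    """Build a RADIUS response with a valid Response Authenticator.

    RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    attrs is a list of (type, value_bytes) tuples.
    """
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse(packet):
    """Decode the header and attribute TLVs; reject bad lengths instead of reading past the end."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "name": CODES.get(code, f"Unknown({code})"),
            "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def verify_response(packet, request_auth, secret):
    """True only if the Response Authenticator matches the secret and the request it answers."""
    parsed = parse(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, parsed["authenticator"])


def classify(packet, request_auth=REQUEST_AUTH, secret=SECRET):
    """Map a RADIUS reply to what the VPN client will do with it."""
    if not verify_response(packet, request_auth, secret):
        return ("drop", "Response Authenticator mismatch: wrong shared secret or forged reply")
    parsed = parse(packet)
    messages = [v.decode("utf-8", "replace") for t, v in parsed["attrs"] if t == REPLY_MESSAGE]
    if parsed["name"] == "Access-Challenge":
        # Without State the client cannot correlate its second Access-Request with this challenge.
        if not any(t == STATE for t, _ in parsed["attrs"]):
            return ("drop", "Access-Challenge without State attribute")
        return ("prompt", messages[0] if messages else "")
    if parsed["name"] == "Access-Accept":
        return ("connect", "")
    if parsed["name"] == "Access-Reject":
        # The branch the thread describes: the client only reports bad credentials.
        return ("reject", messages[0] if messages else "wrong user or password")
    return ("drop", parsed["name"])


# Constructed sample replies to a hypothetical Access-Request with identifier 7.
CHALLENGE = build_response(11, 7, REQUEST_AUTH, SECRET,
                           [(STATE, b"sms-txn-0001"), (REPLY_MESSAGE, b"Enter SMS code")])
REJECT = build_response(3, 7, REQUEST_AUTH, SECRET, [])
FORGED = build_response(11, 7, REQUEST_AUTH, b"wrong-secret",
                        [(STATE, b"x"), (REPLY_MESSAGE, b"Enter SMS code")])

if __name__ == "__main__":
    for name, pkt in ("challenge", CHALLENGE), ("reject", REJECT), ("forged", FORGED):
        print(name, parse(pkt)["name"], classify(pkt))
```

In a tcpdump of the real exchange the same distinction is visible in the first byte of the UDP payload: 0x0b (11) is an Access-Challenge and is the only reply that makes the client open the code prompt, 0x02 is Access-Accept, and 0x03 is Access-Reject, which the client surfaces as a bad user or password. If the MFA server's SMS path returns a failure code to NPS, NPS answers with 0x03 and the symptom in the original post follows, whichever party is actually at fault.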
AlainC
Contributor

Hello,

The RADIUS challenge/accept is sent when using MS Authenticator. Why would the same process via SMS block somewhere?
