This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RemoteUser
Advisor
‎2025-04-07 03:22 AM

Approve MS smartphone delay RADIUS

hello everyone, we are experiencing a problem with ms authentication on smartphone is taking about 20 seconds to do the approve... it used to take about 5 seconds, is there something checkpoint side we can check?
the vpngw is running R81.20 JH53

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2025-04-07 08:47 AM

What's the actual authentication flow here where this step is required?
Have you checked with tcpdump to see which end is causing the delay?

0 Kudos
RemoteUser
Advisor
‎2025-04-07 09:13 AM
In response to PhoneBoy

 

The VPN client request to Radius client 
Radius request to Primary AUthN (active directory)
And then to Multi-Factor Auth reuqest

CKP > NPS > AAD

How can i capture traffic, personally i've the same issue but if i disconnect from the vpn checkpoint i lost the session

0 Kudos
PhoneBoy
Admin
Admin
‎2025-04-07 10:32 AM
In response to RemoteUser

This would most likely have to be captured on the gateway while you (or an affected user) are connecting via a VPN client.
It's also not clear where the MFA is coming from...is it a different authentication method you've configured?

0 Kudos
RemoteUser
Advisor
‎2025-04-07 11:21 AM
In response to PhoneBoy

Azure MFA and Check Point VPN. The connections it's with Azure AD and the NPS extension for Azure MFA
if i want to collect tcpdumps myself how can i do it? if i disconnect to replicate the problem i also lose connectivity....

0 Kudos
PhoneBoy
Admin
Admin
‎2025-04-07 11:30 AM
In response to RemoteUser

Please provide a screenshot of this portion of the relevant gateway/cluster object so I can understand how you have this configured on the Check Point side.
In general, if you're doing MFA with Azure AD, you should be using SAML instead of RADIUS.

image.png

0 Kudos
RemoteUser
Advisor
‎2025-04-07 11:47 AM
In response to PhoneBoy

certificate.png

0 Kudos
PhoneBoy
Admin
Admin
‎2025-04-07 12:52 PM
In response to RemoteUser

Does Identity Provider refer to Azure AD?
Curious why you're doing RADIUS as a separate step here.

0 Kudos
Ruan_Kotze
MVP Gold
MVP Gold
‎2025-04-07 10:51 PM
In response to RemoteUser

Some unsolicited advice - seeing as you're already integrated with Entra (based on Identity Provider Entry) I would look to move away from Radius auth and its dependencies and move to straight SAML auth if at all possible.

0 Kudos
RemoteUser
Advisor
‎2025-04-07 11:39 PM
In response to Ruan_Kotze

Why? if you don't mind me asking.

0 Kudos
Ruan_Kotze
MVP Gold
MVP Gold
‎2025-04-07 11:49 PM
In response to RemoteUser

Don't mind at all.

  1. It's "cleaner".
  2. From an identity security perspective, we can pull in what Microsoft brings to the table in terms of conditional access, risk-based sign ins, impossible travel etc.
  3. We can do number matching as opposed to just approvals
  4. We can now Geo-restrict logins using conditional access policies, something that has been a big pain on check Point traditionally (for me at least).
  5. Integration works better in terms of access roles etc., no need for legacy objects
  6. We have the option to force 2nd factor every auth, or re-use existing session tokens for a seamless experience

That's off the top of my head, sure I'll be able to put down more if I think about it.  Of course every environment and use case is different, but the above has been true for us.

-Ruan

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events