Duo with Remote Access VPN (Client)

Hi,

Does the Duo + Check Point integration support the Remote Access VPN client?

According to the integration guide it supports only "Check Point Mobile Access":

https://duo.com/docs/checkpoint#configure-your-check-point-mobile-access-vpn

I want to make sure it is supported, or that someone has experience with it, before I start a POC.


1 Solution

Accepted Solutions
Employee+

It is supported.  Just completed a test recently if you need help with configuration. 

13 Replies

Thanks Jeff. Is the documentation valid, or are some tweaks needed?

Employee+

When integrating with the full client it is actually much simpler.  Simply define the auth method as Radius under VPN Clients > Authentication.

Duo handles the AD auth and the 2FA prompt assuming you are using their proxy.

You do not need to use any of the Mobile Access specific instructions mentioned.

Pro tip: do not use spaces in the RADIUS object name. 🙂

Hope this helps!

Nickel

Hi Shahar,

We made a pair of Duo integrations with Check Point, and it works exactly as the documentation says. The only consideration I can name is that in a cluster scenario the RADIUS requests arrive at the Duo auth proxy with the real IP of the active member. Of course we tried with the cluster virtual IP first, but it did not work; after a debug on the Duo side we saw the behavior mentioned, so we had to use two radius_ip entries for both members' IPs. Tested with many failovers and it worked fine. HTH

I am having a bear of a time setting this up; any tips would help. I just can't get the Duo push to happen.

My goal is to do primary auth for the user with LDAP, then second auth with a Duo push. The confusing part is that RADIUS configuration is required, even though I only want to use LDAP. Not sure I understand why, but any configuration examples would be helpful!!

Here is mine today:

[ad_client]
; AD server IP
host=1.2.3.4
service_account_username=ad-admin
service_account_password=ad-admin-password
search_dn=DC=domain,DC=com
security_group_dn="CN=Duo Checkpoint VPN,OU=Groups,DC=domain,DC=com"

[radius_server_auto]
ikey=ikey_from_duo_console
skey=skey_from_duo_console
api_host=api-123456789.duosecurity.com
radius_ip_1=checkpoint_gw1
radius_ip_2=checkpoint_gw2
radius_secret_1=secret1
radius_secret_2=secret2
client=ad_client
port=1812
failmode=secure

Employee+

Hi @Tim_McColgan

Please share screenshots of your RADIUS server object and VPN Clients > Authentication settings. I tried to send my setup but they didn't come through; see my attachments.

Also make sure you have usernames in Duo that match your AD users.


@Jeff_Engel Attached are my screenshots. I actually had a slightly different configuration in the VPN authentication settings, but I corrected it to match yours.

Also confirmed that the usernames in Check Point match the usernames in AD.

Employee+

Thanks Tim. The only thing that I have set differently in my authproxy.cfg is my failmode, which is set to 'safe'. I would also run tcpdump on the active gateway (if in a cluster) and make sure you see the RADIUS request being made and being responded to by the Duo proxy server.


@Jeff_Engel thank you.

I ended up starting from scratch and was getting LDAP lookup errors in the Duo proxy log.

I made the assumption that since my AD lookup was using a group name with spaces, i.e. Duo Checkpoint Users, I should put the group in quotes in the authproxy config file, such as:

security_group_dn=CN="Duo Checkpoint Users,OU=Groups,DC=example,DC=com"

On a whim, I removed the double quotes and it worked!!

security_group_dn=CN=Duo Checkpoint Users,OU=Groups,DC=example,DC=com

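As an added example, not code from this thread or from Duo or Check Point, the Python script below pulls together the two configuration pitfalls discussed above, the quoted security_group_dn that broke the LDAP group lookup and the cluster case earlier in the thread where each member's real IP needs its own radius_ip entry, and decodes a RADIUS Access-Request the way you would inspect one in the tcpdump Jeff suggested. The config text, addresses, secrets, DNs and packet bytes are constructed placeholders, and the radius_ip matching is a model of how a RADIUS server gates by client address, not Duo's own code.

```python
"""Added example, not from this thread or from Duo/Check Point: checks an
authproxy.cfg for two pitfalls raised above (a quoted security_group_dn, and
cluster member IPs missing from radius_ip_N) and decodes a RADIUS Access-Request
as you would read one off tcpdump on the active gateway. All addresses, secrets
and DNs are constructed placeholders."""
import configparser
import ipaddress
import struct

# Constructed config in the shape posted above: the quoted DN reproduces the
# LDAP lookup failure; listing only the cluster VIP reproduces the cluster
# problem, since requests leave from the active member's own address.
SAMPLE_CFG = """
[ad_client]
host=10.0.0.10
service_account_username=ad-admin
security_group_dn="CN=Duo Checkpoint Users,OU=Groups,DC=example,DC=com"

[radius_server_auto]
ikey=IKEY_PLACEHOLDER
skey=SKEY_PLACEHOLDER
api_host=api-placeholder.duosecurity.com
radius_ip_1=192.0.2.1
radius_secret_1=secret1
client=ad_client
failmode=secure
"""
MEMBERS = ["192.0.2.11", "192.0.2.12"]  # constructed physical cluster member addresses

def load_cfg(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_security_group_dn(cfg):
    """The proxy takes the value literally, so quotes end up inside the DN."""
    dn = cfg.get("ad_client", "security_group_dn", fallback="")
    findings = []
    if '"' in dn or "'" in dn:
        findings.append("security_group_dn contains quote characters; remove them")
    if not dn.strip("\"'").upper().startswith("CN="):
        findings.append("security_group_dn is not a group DN (expected CN=...)")
    return findings

def client_secret_for(cfg, source_ip):
    """Secret for a request arriving from source_ip, or None when the address
    matches no radius_ip_N (the proxy then ignores the request)."""
    sec, n = cfg["radius_server_auto"], 1
    while f"radius_ip_{n}" in sec:
        net = ipaddress.ip_network(sec[f"radius_ip_{n}"], strict=False)  # address or CIDR
        if ipaddress.ip_address(source_ip) in net:
            return sec.get(f"radius_secret_{n}", "")
        n += 1
    return None

def missing_cluster_members(cfg, member_ips):
    """Member addresses that still need their own radius_ip_N/radius_secret_N."""
    return [ip for ip in member_ips if client_secret_for(cfg, ip) is None]

def build_access_request(identifier, authenticator, attrs):
    """Constructed Access-Request in RFC 2865 layout: code 1, id, length,
    16-byte authenticator, then type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body

def parse_radius(packet):
    """Header plus User-Name (1) and NAS-IP-Address (4); the latter is rendered
    dotted-quad so it can be compared with the UDP source seen in the capture."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        raw = packet[pos + 2:pos + l]
        attrs[t] = str(ipaddress.IPv4Address(raw)) if t == 4 else raw.decode("utf-8", "replace")
        pos += l
    return {"code": code, "id": identifier, "user": attrs.get(1), "nas_ip": attrs.get(4)}

# Constructed request as cluster member A would send it.
SAMPLE_REQUEST = build_access_request(
    7, bytes(range(16)),  # placeholder authenticator; real ones are random
    [(1, b"alice"), (4, ipaddress.IPv4Address(MEMBERS[0]).packed)])

def demo():
    cfg = load_cfg(SAMPLE_CFG)
    # Corrected config: quotes dropped, both members appended to the last section.
    fixed = load_cfg(SAMPLE_CFG.replace('"', "") + "radius_ip_2=192.0.2.11\n"
                     "radius_secret_2=secret2\nradius_ip_3=192.0.2.12\nradius_secret_3=secret3\n")
    req = parse_radius(SAMPLE_REQUEST)
    return {
        "dn_findings": check_security_group_dn(cfg),
        "from_member_a": client_secret_for(cfg, MEMBERS[0]),  # None: request dropped
        "missing": missing_cluster_members(cfg, MEMBERS),
        "missing_after_fix": missing_cluster_members(fixed, MEMBERS),
        "request": (req["code"], req["user"], req["nas_ip"]),
    }
```

Calling demo() on the constructed config reports the quote finding, shows that a request from member A's own address matches no radius_ip entry while the VIP does, lists both members as missing until the corrected config adds them, and decodes the sample request to (1, "alice", "192.0.2.11"); in a real capture the UDP source address is what must appear in radius_ip_N, whatever NAS-IP-Address says.
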
Employee+

@Tim_McColgan Great to hear!


I wanted to reach out since this was just 2 months ago. I am working on this exact setup, and my setup appears to be the same as yours. We are running R80.30 and the most up-to-date Mobile Access client. The Duo proxy is on its own internal Server 2016 in the same VLAN as our AD server. Password changes worked before implementing Duo RADIUS, but now we are running into issues.

We cannot get password changes to go through ever since setting up Duo RADIUS. Are you able to change passwords over VPN with your setup? I am working with support and have a TAC case open, but I am not having luck getting it working.

Any information would be helpful.


@CP_Coldspring

Hello. I will be honest, we have not come across changing passwords over VPN; my guess is we will run into this eventually. However, at this time I only have about a dozen users utilizing Duo for Check Point VPN, as we are continuing to test.

As of today users just change their passwords when they log in to their machine when they are in the office and on the LAN (yes, we are back in the office). I am assuming you are fully remote at this time. However, we are not.


We are also back in the office for the most part. However, we have sales staff based at their homes across the US, which is where this came up. We currently only have a small test group (mainly IT) enrolled in Duo. However, since it is now used as the RADIUS server to authenticate all VPN users, they are unable to change a password when connected to the VPN, so we have had to instruct them to reconnect to the Cisco VPN client to change their passwords.