Checkpoint VPN with Microsoft 2-Factor Authentication

Hello everyone

I would like to share with you how I managed to get VPN users to use Microsoft Azure Multi-Factor Authentication.

I saw in some posts that this was possible by using MFA Server, but Microsoft stopped offering MFA Server on July 1, 2019.


What I needed to do:

1 - Office 365 users with MFA enabled.

2 - Dedicated NPS Server.
All Radius requests made to this server will have MFA directed to Microsoft.

3 - NPS extension for Azure MFA
This extension will direct your MFA requests to Microsoft.
You can find the installation and download instructions at the link below.

https://docs.microsoft.com/pt-br/azure/active-directory/authentication/howto-mfa-nps-extension#sync-...

The user can define which method will be used in the Microsoft portal.

I tested the methods below on VPN Clients, Mobile Access and Capsule Workspace and they all worked perfectly.

- Notification through mobile app
- Verification code from mobile app
- Text message to phone

I hope this post helps you

Good luck

15 Replies
Martins
Iron

Re: Checkpoint VPN with Microsoft 2-Factor Authentication

Excellent!!!! Thank you for sharing.

Ave_Joe
Nickel

Re: Checkpoint VPN with Microsoft 2-Factor Authentication

Thanks for sharing.

Was any testing completed with 'Secondary Connect' in this configuration?

Just curious how it worked if tested.


Re: Checkpoint VPN with Microsoft 2-Factor Authentication

We currently use the Dynamic ID.
I created a new profile for testing Microsoft MFA.
When the user connects, he can choose which one to use.
After the tests we will keep only one.

Re: Checkpoint VPN with Microsoft 2-Factor Authentication

Hello Rodrigo


As for the Management server configuration for 2FA, can you please share it with us?

BR,

Kostas

Re: Checkpoint VPN with Microsoft 2-Factor Authentication

You need to direct authentication to the Radius server.

[image: 1.png]

[image: 2.png]

You will need a Radius server with the NPS extension for Azure MFA installed.

Remember that all requests to this Radius server will have MFA requests.

[image: 3.png]

This setting is the same for Mobile Access.

Jason_Dance
Copper

Re: Checkpoint VPN with Microsoft 2-Factor Authentication

You may need to extend the RADIUS timeouts to allow for slower RADIUS responses because the end user needs extra time to satisfy the MFA response.  SK112933 covers the configuration changes needed on the Management server, including the trac_client_1.ttm file used by the Endpoint suite clients.

Note that if you need to change the trac_client_1 file, you can set it in fwrl.conf to push it from management onto the gateways each time a policy is installed. Let me know if you need the specifics and I'll drop it into this post.


Admin
Admin

Re: Checkpoint VPN with Microsoft 2-Factor Authentication

Thanks for sharing this.
Moving it to the Remote Access space.
jcavet
Ivory

Re: Checkpoint VPN with Microsoft 2-Factor Authentication

Great info Rodrigo, did you have to do any specific configuration on the NPS server outside of getting the extension?

I've gotten a new AU configured using Radius and cannot get a prompt for an MFA code.


Re: Checkpoint VPN with Microsoft 2-Factor Authentication

Make sure you don't have any punctuation or special characters in your Radius Shared Secret.

A single ' caused my configuration to break. The NPS server was authenticating the user but then failing to pass the information back to the gateway.

My working configuration is:

RADIUS server object in Checkpoint Smart Console - configured for Radius Version 2.0 and MS_CHAP2

NPS server with Network Policy to Grant Access to AD User groups using matching Authentication Method.

On NPS Server you can see the authentication events in Event Viewer under Custom Views\Server Roles\Network Policy and Access Services

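An added troubleshooting helper, not code from this thread: a PowerShell script run on the NPS host that summarises recent RADIUS grants and denials (Security log events 6272 and 6273, which record the RADIUS client, the authentication type and the reject reason, so a failure like the shared-secret or MS-CHAPv2 mismatch discussed above shows up with a reason code) and then dumps the Azure MFA NPS extension's own event logs. It assumes NPS auditing is on (the default) and discovers the extension's log channels with a wildcard because their exact names are not given in this thread.

```powershell
# Added example (not from the thread). Run elevated on the NPS server.
# Assumption: NPS auditing is enabled, so 6272 (granted) / 6273 (denied)
# are written to the Security log.
param(
    [int]$Hours = 2   # how far back to look
)

$since = (Get-Date).AddHours(-$Hours)

# 6272 = Network Policy Server granted access, 6273 = denied access.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Result   = if ($e.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
        User     = $data['SubjectUserName']
        Client   = $data['ClientName']          # RADIUS client = the Check Point gateway
        AuthType = $data['AuthenticationType']  # expect MS-CHAPv2 per the thread
        Policy   = $data['NetworkPolicyName']   # the NPS Network Policy that matched
        Reason   = $data['ReasonCode']          # non-empty on 6273 denials
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# The Azure MFA NPS extension keeps its own logs under
# Applications and Services Logs > Microsoft > AzureMfa. Channel names are
# discovered with a wildcard rather than hard-coded (assumption: they contain
# "AzureMfa" in the log name).
Get-WinEvent -ListLog '*AzureMfa*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Host "`n== $($_.LogName) =="
        Get-WinEvent -LogName $_.LogName -MaxEvents 20 -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName, Message |
            Format-Table -Wrap
    }
```

A run of denials with an MS-CHAPv2 auth type but an unexpected reason code usually points at the RADIUS object on the Check Point side (secret or protocol version) rather than at Azure MFA itself.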

Re: Checkpoint VPN with Microsoft 2-Factor Authentication

Everything I needed to configure the NPS server I found on the link https://docs.microsoft.com/pt-br/azure/active-directory/authentication/howto-mfa-nps-extension#sync-...
Employee++
Employee++

Re: Checkpoint VPN with Microsoft 2-Factor Authentication

Very helpful, thanks for sharing!

(Refer also sk114263)


Re: Checkpoint VPN with Microsoft 2-Factor Authentication

Configuring an External User Profile (generic*) with Radius authentication on SmartDashboard is still needed for this, right?

Tux234
Ivory

Re: Checkpoint VPN with Microsoft 2-Factor Authentication

Thanks for the documentation. Could you say what you did on CheckPoint's side to make this work? We have been struggling for the last few weeks to make this work, and haven't made any headway. I've configured the RADIUS server with the NPS extension, and we've set up RADIUS authentication on the gateway, but we keep getting a username/password error. Is there another way to set this up that will allow it to work? Would you mind sharing what your working setup looks like? We've been banging our heads against the wall for the last few weeks, and as you can tell it's starting to show. Appreciate any help that you can give.


Re: Checkpoint VPN with Microsoft 2-Factor Authentication

We can't get the mobile app notification method to work!

Verification code and SMS to phone work fine!

Any ideas?

AZ-Joe
Ivory

Re: Checkpoint VPN with Microsoft 2-Factor Authentication

Can you post steps for configuring for SMS to phone or Verification code?  I've been struggling to get this to work at all!
