Re: Azure MFA with SMS R81 - would that work & get...

Jerry · ‎2021-02-11

hi guys, quite challenging one.

1. got CP customer who has 2 scenarios and paths he'd like to go through but eventually is in favour of one - no NPS

2. they want to give CP EPS VPN Clients MFA from Azure but either bypassing NPS (Radius and AD Azure Connector) or simply giving them OTP/AUTH via MFA (Azure MS Authenticator SoftToken App) directly from the MS Cloud. Would that even work as if SMS has SAML capabilities?

3. SAML 2.0 with API/SMS R81 - doable or not yet an option? and if not then AZURE-NPS-AzureConnector-SMS is the only path as described already by many here?

Thanks for the contribution in advance. Client is quite big and their DC has potentially 15.000 EPS users by the end of this year so the scope is huge hence the use of EPS with MFA seems a key query from them knowing that NPS might be either overhead or unnecessary "man in the middle" scenario. Not necessary but at this moment of time essential and recommended am I wrong?

Cheers

Jerry

JackPrendergast · ‎2021-02-11

Hi Jerry,

Maybe not the complete answer you are looking for but to give you an example of a situation I have.

I have done an RA deployment with a customer with around 1000+ endpoints.

They connect and login via their AD credentials, which then prompts the Microsoft Authenticator app to pop up and approve, providing the 2 factor.

This 2nd factor to provide the authenticator app notification is using the Azure RADIUS server.

This works perfectly and probably one of the best RA authentications I have seen in terms of simplicity.

Jerry · ‎2021-02-11

excellent so that is the solution No.1 I've mentioned (Azure-NPS-AD-SMS-VPNfw-Endpoint). I totally get it but my customer is keen to bypass NPS hence my concerns.

They'd do anything to avoid RADIUS in between and my wonder was whether SMS will finally talk "SAML/SSO" with Azure AD at some point. The legacy way you've explained is known and indeed one of those "working one" in the industry but that I knew before asking so I'm not surprised it works in your case too. It does work in many environments but I'm after more "simplistic" way of the scenario where SMS talks DIRECTLY to the Azure SAML (MFA resource) not to the local RADIUS which then over the Azure Connector talks to Azure.

Cheers

Jerry

JackPrendergast · ‎2021-02-11

Hi Jerry.

I understand your situation now.

Makes sense and your feature request sounds interesting! I wonder if CP will support this

G_W_Albrecht · ‎2021-02-11

I would suggest to speak to your local CP SE - the potential sales value should help to get that cleared out quickly 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Jerry · ‎2021-02-11

that would be difficult 🙂 but there is one guys from CP PS who is actively contributing to that Customer's infrastructure and design so I'll talk to him when I have a chance.

Money is not always so called "show stopper" the problem is that SMS does not talk SAML to Azure (Cloud). Don't think we're the only one asking for it now but neither I'm sure R&D would help. Prove me wrong guys 😛

Jerry

JanVC · ‎2021-02-11

I've seen the exact same usecase demo'd by Peter Elmer in a youtube video

caveat, R80.40 with a custom hotfix

Jerry · ‎2021-02-11

URL? 🙂

Jerry

JanVC · ‎2021-02-11

private playlist, so not sure if I'm allowed to share it

maybe @PhoneBoy can clarify that

Jerry · ‎2021-02-11

oh if that's the case indeed Dameon would be knowledgeable definitely 🙂

Jerry

PhoneBoy · ‎2021-02-11

TL;DR: coming soon.

We are adding the ability to authenticate on the VPN client via SAML in the near future.
It will first launch in the R80.40 JHF followed later by the R81 JHF.
If you need this NOW, we have a customer release for R80.40 that can be obtained from the local Check Point office.
It requires a specific JHF level and client currently.
There was a demo of this at our Sales Kick Off.
Not sure if we will demo it at the upcoming CPX.

Jerry · ‎2021-02-11

awesome! can I count on you to follow up and are there any chances we could chat about it? please ping me on WA when you have a moment.

Cheers!

Jerry

PhoneBoy · ‎2021-02-11

Reach out anytime, my friend 🙂

Leandro_RD · ‎2021-06-23

Hi, this sk SK172909 would help.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

"SAML authentication in Remote Access VPN clients"

biskit · ‎2022-05-02

In my experience SK172909 is most of the picture, but not all. Hopefully that SK will get updated, but just in case, check this link for the critical missing bits to get this working - Solved: Re: Access Role not working? - Check Point CheckMates

Are you a member of CheckMates?

Azure MFA with SMS R81 - would that work & get R&D recommendation?