Hi guys, quite a challenging one.
1. Got a CP customer who has 2 scenarios and paths he'd like to go through, but eventually is in favour of one: no NPS.
2. They want to give CP EPS VPN Clients MFA from Azure, but either bypassing NPS (RADIUS and AD Azure Connector) or simply giving them OTP/AUTH via MFA (Azure MS Authenticator SoftToken App) directly from the MS Cloud. Would that even work, as if SMS had SAML capabilities?
3. SAML 2.0 with API/SMS R81: doable, or not yet an option? And if not, is AZURE-NPS-AzureConnector-SMS the only path, as already described by many here?
Thanks in advance for the contribution. The client is quite big and their DC has potentially 15.000 EPS users by the end of this year, so the scope is huge; hence the use of EPS with MFA seems a key query from them, knowing that NPS might be either overhead or an unnecessary "man in the middle" scenario. Not necessary, but at this moment in time essential and recommended; am I wrong?
Cheers
Hi Jerry,
Maybe not the complete answer you are looking for but to give you an example of a situation I have.
I have done an RA deployment with a customer with around 1000+ endpoints.
They connect and login via their AD credentials, which then prompts the Microsoft Authenticator app to pop up and approve, providing the 2 factor.
This 2nd factor, the authenticator app notification, is provided using the Azure RADIUS server.
This works perfectly and is probably one of the best RA authentications I have seen in terms of simplicity.
Excellent, so that is solution No. 1 I've mentioned (Azure-NPS-AD-SMS-VPNfw-Endpoint). I totally get it, but my customer is keen to bypass NPS, hence my concerns.
They'd do anything to avoid RADIUS in between, and my wonder was whether SMS will finally talk "SAML/SSO" with Azure AD at some point. The legacy way you've explained is known and indeed one of those "working ones" in the industry, but I knew that before asking, so I'm not surprised it works in your case too. It does work in many environments, but I'm after a more "simplistic" way: the scenario where SMS talks DIRECTLY to the Azure SAML (MFA resource), not to the local RADIUS which then talks to Azure over the Azure Connector.
Cheers
Hi Jerry.
I understand your situation now.
Makes sense, and your feature request sounds interesting! I wonder if CP will support this.
I would suggest speaking to your local CP SE; the potential sales value should help to get that cleared out quickly 😎
That would be difficult 🙂 but there is one guy from CP PS who is actively contributing to that customer's infrastructure and design, so I'll talk to him when I have a chance.
Money is not always the so-called "show stopper"; the problem is that SMS does not talk SAML to Azure (Cloud). I don't think we're the only ones asking for it now, but neither am I sure R&D would help. Prove me wrong guys 😛
I've seen the exact same use case demoed by Peter Elmer in a YouTube video.
Caveat: R80.40 with a custom hotfix.
URL? 🙂
Oh, if that's the case, Dameon would indeed definitely be knowledgeable 🙂
TL;DR: coming soon.
We are adding the ability to authenticate on the VPN client via SAML in the near future.
It will first launch in the R80.40 JHF followed later by the R81 JHF.
If you need this NOW, we have a customer release for R80.40 that can be obtained from the local Check Point office.
It requires a specific JHF level and client currently.
There was a demo of this at our Sales Kick Off.
Not sure if we will demo it at the upcoming CPX.
Awesome! Can I count on you to follow up, and is there any chance we could chat about it? Please ping me on WA when you have a moment.
Cheers!
Reach out anytime, my friend 🙂
Hi, this SK, SK172909, would help.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
"SAML authentication in Remote Access VPN clients"
In my experience SK172909 is most of the picture, but not all. Hopefully that SK will get updated, but just in case, check this link for the critical missing bits to get this working: Solved: Re: Access Role not working? - Check Point CheckMates