Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jerry
Mentor
Mentor

Azure MFA with SMS R81 - would that work & get R&D recommendation?

hi guys, quite challenging one.

 

1. got CP customer who has 2 scenarios and paths he'd like to go through but eventually is in favour of one - no NPS

2. they want to give CP EPS VPN Clients MFA from Azure but either bypassing NPS (Radius and AD Azure Connector) or simply giving them OTP/AUTH via MFA (Azure MS Authenticator SoftToken App) directly from the MS Cloud. Would that even work as if SMS has SAML capabilities?

3. SAML 2.0 with API/SMS R81 - doable or not yet an option? and if not then AZURE-NPS-AzureConnector-SMS is the only path as described already by many here?

 

Thanks for the contribution in advance. Client is quite big and their DC has potentially 15.000 EPS users by the end of this year so the scope is huge hence the use of EPS with MFA seems a key query from them knowing that NPS might be either overhead or unnecessary "man in the middle" scenario. Not necessary but at this moment of time essential and recommended am I wrong?

 

Cheers 

Jerry
14 Replies
JackPrendergast
Advisor
Advisor

Hi Jerry,

 

Maybe not the complete answer you are looking for but to give you an example of a situation I have.

 

I have done an RA deployment with a customer with around 1000+ endpoints.

 

They connect and login via their AD credentials, which then prompts the Microsoft Authenticator app to pop up and approve, providing the 2 factor.

 

This 2nd factor to provide the authenticator app notification is using the Azure RADIUS server.

This works perfectly and probably one of the best RA authentications I have seen in terms of simplicity.

0 Kudos
Jerry
Mentor
Mentor

excellent so that is the solution No.1 I've mentioned (Azure-NPS-AD-SMS-VPNfw-Endpoint). I totally get it but my customer is keen to bypass NPS hence my concerns.

They'd do anything to avoid RADIUS in between and my wonder was whether SMS will finally talk "SAML/SSO" with Azure AD at some point. The legacy way you've explained is known and indeed one of those "working one" in the industry but that I knew before asking so I'm not surprised it works in your case too. It does work in many environments but I'm after more "simplistic" way of the scenario where SMS talks DIRECTLY to the Azure SAML (MFA resource) not to the local RADIUS which then over the Azure Connector talks to Azure.

 

Cheers

Jerry
JackPrendergast
Advisor
Advisor

Hi Jerry.

 

I understand your situation now.

 

Makes sense and your feature request sounds interesting! I wonder if CP will support this

0 Kudos
G_W_Albrecht
Legend
Legend

I would suggest to speak to your local CP SE - the potential sales value should help to get that cleared out quickly 😎

CCSE CCTE CCSM SMB Specialist
0 Kudos
Jerry
Mentor
Mentor

that would be difficult 🙂 but there is one guys from CP PS who is actively contributing to that Customer's infrastructure and design so I'll talk to him when I have a chance.

Money is not always so called "show stopper" the problem is that SMS does not talk SAML to Azure (Cloud). Don't think we're the only one asking for it now but neither I'm sure R&D would help. Prove me wrong guys 😛 

Jerry
0 Kudos
JanVC
Collaborator

I've seen the exact same usecase demo'd by Peter Elmer in a youtube video

caveat, R80.40 with a custom hotfix

0 Kudos
Jerry
Mentor
Mentor

URL? 🙂 

Jerry
0 Kudos
JanVC
Collaborator

private playlist, so not sure if I'm allowed to share it

 

maybe @PhoneBoy  can clarify that

0 Kudos
Jerry
Mentor
Mentor

oh if that's the case indeed Dameon would be knowledgeable definitely 🙂 

Jerry
0 Kudos
PhoneBoy
Admin
Admin

TL;DR: coming soon.

We are adding the ability to authenticate on the VPN client via SAML in the near future.
It will first launch in the R80.40 JHF followed later by the R81 JHF.
If you need this NOW, we have a customer release for R80.40 that can be obtained from the local Check Point office.
It requires a specific JHF level and client currently.
There was a demo of this at our Sales Kick Off.
Not sure if we will demo it at the upcoming CPX.

Jerry
Mentor
Mentor

awesome! can I count on you to follow up and are there any chances we could chat about it? please ping me on WA when you have a moment.

Cheers!

Jerry
PhoneBoy
Admin
Admin

Reach out anytime, my friend 🙂

0 Kudos
Leandro_RD
Explorer

Hi, this sk SK172909 would help.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

"SAML authentication in Remote Access VPN clients"

 

0 Kudos
biskit
Advisor

In my experience SK172909 is most of the picture, but not all.  Hopefully that SK will get updated, but just in case, check this link for the critical missing bits to get this working - Solved: Re: Access Role not working? - Check Point CheckMates

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events