TimV
Participant

Check Point Mobile for Windows - Machine certificate before logon, IdP Azure after logon

Hi all,

Here is what I want to get done:

  • Machine authentication before logon (pre-logon)
  • After logon, keep this connection alive (post-logon)
  • Switch to user authentication with IdP Azure MFA.
    And let's hope I can explain to Azure to do MFA while "on-prem" - other outgoing IP to O365 for Remote Access?

So far I have made:

  1. Machine authentication work via certificate (ADCS), pre- and post-logon.
  2. User authentication work with MFA (with pre-logon machine certificate auth).

Now, the issue starts:

  • Either have pre- and post-logon machine certificate (but no MFA).
    Issue: a 'post-it' password on the PC means that in case of theft they are on our network!
  • Or have pre-logon machine certificate and post-logon MFA, but with a gap between the post-logon moment and validating MFA.
    Issue: as it's a gap in what we try to achieve, we are always behind our protection solution.
    No logon or proper AD auth at logon.

Or am I missing a parameter or a trick somewhere to make the switch work as described?

It has been a long journey to get to this point; the last mile seems to be the biggest hurdle.

PS: I'm interested in your POV, but stick to the topic please.

Kind regards
Tim

PhoneBoy
Admin

Want to make sure I understand what you’re trying to achieve here:

  • You want a Remote Access VPN to be connected via Machine Certificate prior to Windows logon
  • After Windows login, you want to reconfirm with MFA from Azure AD to keep the VPN connection alive (presumably dropping said connection if the user fails MFA)

Am I understanding this correctly?
Not sure this is actually possible.

TimV
Participant

Hi,

Pre-logon part: absolutely correct.

Post-logon = machine certificate that switches over to user MFA.

The key piece is to keep a connection alive between post-logon and confirmation by user MFA.
This gap causes the logon process to not complete successfully, and it only comes back after the user MFA has completed.

PhoneBoy
Admin

SAML Authentication can (currently) only be triggered after the user is logged in.
This is likely why Secure Domain Login and SAML authentication aren't supported together, which would be the ideal way to solve this issue.
I'm guessing when the request for SAML authentication is triggered, the existing VPN connection is killed.

Given the above, I'm kinda surprised it works the way you describe it.
Getting it to work in the desired manner is probably an RFE you should raise with the local Check Point office.
