seanmc12
Contributor

Checkpoint R81.10 VPN MFA with Okta RADIUS

I am trying to set up MFA on my Checkpoint VPN via the Okta RADIUS agent. I'm utilizing the steps provided by Checkpoint, which point to Okta. We went through every step with the exception of the last couple that involve the Mobile section at the tail end, as we are not utilizing that. We are running R81.10 and some of the items are in different places from the documentation we were provided by Checkpoint. Everything is configured, and then on the client itself we changed from Username/Password auth to STANDARD. After doing that, we are able to hit the connect button on the client; it prompts you to enter your username, but the password field is greyed out. You press continue and then it pops up a box that says Response, but I'm not receiving any pushes from Okta Verify, cell texts or anything for which to enter a response in the Checkpoint client. Spent 3 hours on the phone with Okta and Checkpoint support together this morning and ended up just submitting VPN debug logs, and no Checkpoint VPN w/ MFA. Anyone else get this working? Mind sharing your process?

Any help is greatly appreciated.

https://help.okta.com/en-us/content/topics/integrations/check-point-radius-intg.htm

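In RADIUS terms, a client prompt like the "Response" box described above is normally driven by an Access-Challenge (State plus Reply-Message) coming back from the RADIUS agent, and the client's second request echoes that State with the user's typed response. The following is an added Python model of that two-round PAP exchange, not code from this thread or from Check Point or Okta; it includes the Response Authenticator check a gateway must pass before it trusts a challenge, and the shared secret, usernames and State value it uses are constructed placeholders.

```python
import hashlib
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def pap_xor(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: chained MD5(secret + prev) XORed over 16-byte blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block if decrypt else out[-16:]  # chain on the ciphertext block either way
    return out

def encode_attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, []).append(data[i + 2:i + length])
        i += length
    return attrs

def build_access_request(ident, secret, username, password, authenticator, state=None):
    """Gateway -> RADIUS agent. Round two echoes the challenge's State and sends the typed response as User-Password."""
    password = password.encode()
    attrs = encode_attr(USER_NAME, username.encode())
    attrs += encode_attr(USER_PASSWORD, pap_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator))
    if state is not None:
        attrs += encode_attr(STATE, state)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, request, secret, attrs):
    """RADIUS agent -> gateway; constructed here to stand in for the real server."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def parse_response(packet, secret, request_authenticator):
    """Check the Response Authenticator before trusting the Reply-Message/State a reply carries."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    if packet[4:20] != hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest():
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code, ident, parse_attrs(attrs)
```

Feed the first round's Access-Request to the agent and inspect what comes back: an Access-Challenge that verifies shows the gateway side of the exchange is healthy and the missing push is on the Okta side, while an Access-Reject or an authenticator mismatch points at the realm or shared-secret configuration.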
the_rock
Legend

Personally, I think running VPN debugs here is not useful, just my opinion, as you are not having an issue with site-to-site VPN tunnel traffic.

Having read all you indicated, I am fairly confident it's something missing in the config. Are you able to share some screenshots of how you configured this? My colleague and I got this working in the lab before, and we actually followed the document I attached, along with the script on the mgmt server.

Regards,

Andy

seanmc12
Contributor

Attached screenshots of our config and the Checkpoint-provided link to the process: https://help.okta.com/oie/en-us/content/topics/integrations/check-point-radius-intg-conf-gateway.htm On the client side, we changed the Authentication from Username/PW to Standard. There are some steps regarding enabling Mobile Access at the bottom of the instructions: "Configure browser access to the Check Point Mobile Access SSL VPN portal".

Does that need to be done?

the_rock
Legend

This is what I'm interested in. Are you able to send that, please? And blur out any sensitive info.

Andy

Screenshot_1.png

seanmc12
Contributor

Here you go

the_rock
Legend

I think the way it was done is the issue, in my opinion. Whenever I did this with customers, I would add auth methods as SEPARATE entities (if you will), meaning, say, if RADIUS is the preferred auth method, then you set it as first in the list, or even set it as the global auth method and then have it as the only method in the list. Do you require anyone to log in as user/pass? If you do, then simply enable it on the user settings locally in the dashboard and have the user/pass method as a separate auth method in the list (RADIUS first, user/pass second).

Makes sense?

Andy

Alex-
Leader

I agree. I deployed Okta w/ RADIUS with a dedicated authentication realm and it worked.

It's been a while, but ensure you use samaccountname + domain name as the login factor, and check that Okta performs primary authentication and that your users and groups are provisioned within the Okta directory.

the_rock
Legend

Exactly. I had done it that way 3 times and it worked fine.

Andy
