Checkpoint VPN with Microsoft 2-Factor Authentication
Hello everyone
I would like to share with you how I managed to get VPN users to use Microsoft Azure Multi-Factor Authentication.
I saw in some posts that this was possible by using MFA Server, but Microsoft stopped offering MFA Server on July 1, 2019.
What I needed to do:
1 - Office 365 users with MFA enabled.
2 - Dedicated NPS Server.
All Radius requests made to this server will have MFA directed to Microsoft.
3 - NPS extension for Azure MFA
This extension will direct your MFA requests to Microsoft.
You can find the installation and download instructions at the link below.
The user can define which method will be used in the Microsoft portal.
I tested the methods below on VPN Clients, Mobile Access and Capsule Workspace and they all worked perfectly.
- Notification through mobile app
- Verification code from mobile app
- Text message to phone
I hope this post helps you
Good luck
Hi all, I'm looking at integrating Microsoft's MFA offering with Check Point VPN. One of their first questions is regarding single sign-on with O365: is it possible for the client to understand that a user has already signed in with O365 and allow the connection? Or will it require a challenge every time?
Currently, no, but we are going to release the ability to authenticate with SAML on the VPN client itself.
I presume this could be used in an SSO configuration.
Currently this is only available as a customer release on R80.40 and requires running a specific JHF level.
Please engage with your local Check Point office to get this.
This is expected to appear in a future JHF for R80.40 and R81.
Hello @PhoneBoy .
Has the use of AzureAD for remote access VPN MFA been made "official" by CP support via an SK article?
It's great that a 3rd party was able to prove it can be done, but if CP product mgmt is not using this in product functionality requirements and the QA process, I foresee the scenario where an upcoming Jumbo may break this.
Of course, this will happen in the middle of the night during a maintenance window on Saturday night and make our lives awful.
I would like to know that CP product mgmt is actively ensuring this functionality (and integration) is on the radar and part of the QA process for Jumbo releases, etc.
Note: yes, I understand SAML auth has been added to the latest release of the R81.10 remote access VPN client. Is it possible that product mgmt is going with this strategy as the "official" supported MFA strategy going forward?
I would just like something in black and white to reference for customer buyoff.
It's official per the following SK:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
And yes this will be integrated into R81.20.
Hello @PhoneBoy, yes, I am aware of sk172909 (SAML auth for remote access VPN). However, I also asked if CP was going to make it "official" to support AzureAD and its associated MFA as strong auth for remote access VPN (via RADIUS), i.e. not using SAML.
Maybe that's the line of demarcation on whether AzureAD is supported, i.e. does it support RADIUS or not, and everything else is irrelevant?
From our point of view, yes, we'll support just about anything that talks RADIUS.
EDIT: fixed my problem by setting a new Shared Secret, only letters and numbers.
I've done this successfully in my R80.40 lab environment, but in my prod environment with R80.30 (latest JHF) it fails right at the end.
With PAP it was worse, but with MS-CHAPv2 I get this far:
- in the VPN client I enter the user and password
- on my mobile app I get the push notification and I accept it
- NPS and Azure MFA logs on my NPS (RADIUS) server say authentication was successful
- tcpdump on the gateway says it received the response from the RADIUS server:
18:44:34.494608 IP 192.168.XX.XX.datametrics > CKP-GW.49100: RADIUS, Access Accept (2), id: 0xde length: 273
So the gateway does seem to get a response, and yet:
- the client says: Negotiation with the site failed
- the CKP logs say:
  - Action: Failed log in
  - Failed login factor: RADIUS
  - Reason: RADIUS servers not responding
- I also get a 2nd and maybe 3rd push notification on my mobile, which shouldn't happen
I've done all the settings (including Global options and Guidb options) in the tutorial by JesusOrtiz: https://community.checkpoint.com/t5/Remote-Access-VPN/Check-Point-EndPoint-Security-VPN-with-Azure-A...
Also the ones in sk112933.
I've also cloned the RADIUS service template to use it with aggressive aging disabled and virtual session timeout set to 120 seconds.
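The symptom in the post above (tcpdump shows an Access-Accept arriving, yet the gateway logs "RADIUS servers not responding" and the fix was a new shared secret) matches how RFC 2865 response validation works. As an added illustration that is not code from the thread, from Check Point or from Microsoft, the following toy model of a RADIUS client and server shows that when the two sides hold different shared secrets the reply fails the Response Authenticator check and is silently discarded, which is indistinguishable from a server that never answered. The packet contents and secrets are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RFC 2865 packet codes

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header (Code, Identifier, Length, Authenticator) followed by raw attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def server_reply(request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """NPS side: sign an Access-Accept with the server's copy of the shared secret."""
    ident = request[1]
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request[4:20], secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, attrs)

def client_accepts(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Gateway side: RFC 2865 says a reply with an invalid Response Authenticator
    is silently discarded, so the client retries and finally times out exactly as
    if the server had never answered (the "RADIUS servers not responding" symptom)."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20]) and code == ACCESS_ACCEPT

def demo(server_secret: bytes, gateway_secret: bytes) -> bool:
    """Constructed exchange: one Access-Request (User-Name 'alice', id 0xde) and the
    matching Access-Accept; returns whether the gateway would treat it as a valid answer."""
    user = b"alice"
    attrs = bytes([1, 2 + len(user)]) + user  # attribute type 1 = User-Name
    request = build_packet(ACCESS_REQUEST, 0xDE, os.urandom(16), attrs)
    reply = server_reply(request, b"", server_secret)
    return client_accepts(reply, request, gateway_secret)

if __name__ == "__main__":
    print("secrets match:", demo(b"Secret123", b"Secret123"))    # True
    # Hypothetical mismatch, e.g. a special character stored differently on one side.
    print("secrets differ:", demo(b"Sec#ret123", b"Secret123"))  # False
```

When troubleshooting, a packet capture proving the Access-Accept arrived therefore does not rule out the RADIUS server object on the gateway: the shared secret configured there must match the NPS client entry byte for byte.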
