Rodrigo_Silva
Contributor

Checkpoint VPN with Microsoft 2-Factor Authentication

Hello everyone

I would like to share with you how I managed to get VPN users to use Microsoft Azure Multi-Factor Authentication.

I saw in some posts that this was possible by using MFA Server, but Microsoft stopped offering MFA Server on July 1, 2019.


What I needed to do:

1 - Office 365 users with MFA enabled.

2 - Dedicated NPS Server.
All Radius requests made to this server will have MFA directed to Microsoft.

3 - NPS extension for Azure MFA
This extension will direct your MFA requests to Microsoft.
You can find the installation and download instructions at the link below.

https://docs.microsoft.com/pt-br/azure/active-directory/authentication/howto-mfa-nps-extension#sync-...

The user can define which method will be used in the Microsoft portal.

I tested the methods below on VPN Clients, Mobile Access and Capsule Workspace and they all worked perfectly.

- Notification through mobile app
- Verification code from mobile app
- Text message to phone

I hope this post helps you.

Good luck

(2)
66 Replies
Baden_OHare
Explorer

Hi all, I'm looking at integrating Microsoft's MFA offering with Check Point VPN. One of their first questions is regarding single sign-on with O365: is it possible for the client to understand that a user has already signed in with O365 and allow the connection? Or will it require a challenge every time?

0 Kudos
PhoneBoy
Admin

Currently, no, but we are going to release the ability to authenticate with SAML on the VPN client itself.
I presume this could be used in an SSO configuration.
Currently this is only available as a customer release on R80.40 and requires running a specific JHF level.
Please engage with your local Check Point office to get this.

This is expected to appear in a future JHF for R80.40 and R81.

Garrett_DirSec
Advisor

Hello @PhoneBoy.

Has the use of AzureAD for remote access VPN MFA been made "official" by CP support via SK article?

It's great that a 3rd party was able to prove it can be done, but if CP product mgmt is not using this in product functionality requirements and the QA process, I foresee the scenario where an upcoming Jumbo may break this.

Of course, this will happen in the middle of the night during a maintenance window on Saturday night and make our lives awful.

I would like to know that CP product mgmt is actively ensuring this functionality (and integration) is on the radar and part of the QA process for Jumbo releases, etc.

Note: Yes, I understand SAML auth has been added to the latest release of the R81.10 remote access VPN client. Is it possible that product mgmt is going with this strategy as the "official" supported MFA strategy going forward?

I would just like something in black and white to reference for customer buyoff.

0 Kudos
PhoneBoy
Admin

It's official per the following SK:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
And yes this will be integrated into R81.20.

0 Kudos
Garrett_DirSec
Advisor

Hello @PhoneBoy, yes, I am aware of sk172909 (SAML auth for remote access VPN). However, I also asked if CP was going to make it "official" to support AzureAD and associated MFA as strong auth for remote access VPN (via RADIUS) -- this is not using SAML.

Maybe that's the line of demarcation on whether AzureAD is supported -- i.e. does it support RADIUS or not -- everything else is irrelevant?

0 Kudos
PhoneBoy
Admin

From our point of view, yes, we'll support just about anything that talks RADIUS.

0 Kudos
LucianLS
Participant

EDIT: fixed my problem by setting a new Shared Secret, only letters and numbers.


I've done this successfully in my R80.40 lab environment, but in my prod environment with R80.30 (latest JHF) it fails right at the end.

With PAP it was worse but with MS-CHAPv2 I get this far:

- in the VPN client I enter the user and password

- on my mobile app I get the push notification and I accept it

- NPS and Azure MFA logs on my NPS (RADIUS) server say authentication was successful.

- tcpdump on the gateway says it received the response from the RADIUS server:

18:44:34.494608 IP 192.168.XX.XX.datametrics > CKP-GW.49100: RADIUS, Access Accept (2), id: 0xde length: 273

So the gateway does seem to get a response and yet:

-the client says: Negotiation with the site failed

-the CKP logs say:

---Action: Failed log in

---Failed login factor: RADIUS

---Reason: RADIUS servers not responding

-I also get a 2nd and maybe 3rd push notification on my mobile which shouldn't happen


I've done all the settings (including Global options and Guidb options) in the tutorial by JesusOrtiz: https://community.checkpoint.com/t5/Remote-Access-VPN/Check-Point-EndPoint-Security-VPN-with-Azure-A...

Also the ones in sk112933.

I've also cloned the RADIUS service template to use it with aggressive aging disabled and the virtual session timeout set to 120 seconds.

0 Kudos
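Added illustration (not code from the thread, from Check Point or from Microsoft) of one mechanism by which a shared-secret mismatch turns a received Access-Accept into a "RADIUS servers not responding" log entry: RFC 2865 requires the RADIUS client to recompute the Response Authenticator with its own copy of the secret and silently discard the packet when it does not match. That this is what happened in the post above is my assumption; the secrets, request authenticator and attribute contents are constructed, and only the packet id 0xde comes from the tcpdump line in the thread.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept (RFC 2865)

def encode_attribute(attr_type, value):
    """Type-Length-Value encoding of a single RADIUS attribute."""
    return bytes([attr_type, len(value) + 2]) + value

def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def build_access_accept(ident, request_auth, attributes, server_secret):
    """Assemble an Access-Accept the way the RADIUS server (here NPS) would sign it."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attributes, server_secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attributes)) + auth + attributes

def verify_response(packet, request_auth, client_secret):
    """Recompute the authenticator with the client's (gateway's) secret and compare."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False  # truncated or padded packet: treat as invalid
    expected = response_authenticator(code, ident, request_auth, packet[20:], client_secret)
    return hmac.compare_digest(packet[4:20], expected)

def gateway_outcome(packet, request_auth, client_secret):
    """A client must silently discard a response that fails verification, so a secret
    mismatch looks to the caller exactly like a server that never answered."""
    if verify_response(packet, request_auth, client_secret):
        return "Access-Accept verified"
    return "response discarded; reported as RADIUS server not responding"

# Constructed sample values (not from the thread): a fixed request authenticator,
# a Reply-Message attribute (type 18) and the packet id 0xde seen in the tcpdump line.
REQUEST_AUTH = bytes(range(16))
ATTRIBUTES = encode_attribute(18, b"MFA push approved")
SERVER_SECRET = b"nps-radius-lab"

if __name__ == "__main__":
    pkt = build_access_accept(0xde, REQUEST_AUTH, ATTRIBUTES, SERVER_SECRET)
    print(gateway_outcome(pkt, REQUEST_AUTH, SERVER_SECRET))       # both sides agree
    print(gateway_outcome(pkt, REQUEST_AUTH, b"nps-radius-lab!"))  # gateway secret differs
```

Because the packet is seen on the wire either way, a capture alone cannot distinguish this case from a genuine timeout; comparing the two secrets character by character (including any trailing or special characters) is the check to make first.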