We currently use the Dynamic ID.
I created a new profile for testing Microsoft MFA.
When the user will connect he can choose which one to use.
After the tests we will keep only one.

Hello Rodrigo

As concerns Management server configuration for 2FA, can you please share it with us?

BR,

Kostas

You need to direct authentication to the Radius server.

You will need a Radius server with NPS extension for Azure MFA installed.

Remember that all requests to this Radius server will have MFA requests.

This setting is the same for Mobile Access.

Rodrigo:

I have a doubt. What kind of messages does the NPS send to the Firewall CheckPoint (VPN Server)? Is a Access-Challenge? 

Regards, 

Fabian

You may need to extend the RADIUS timeouts to allow for slower RADIUS responses because the end user needs extra time to satisfy the MFA response.  SK112933 covers the configuration changes needed on the Management server, including the trac_client_1.ttm file used by the Endpoint suite clients.

Note that if you need to change the trac_client_1 file, you can set it in fwrl.conf  to push it from management onto the gateways each time a policy is installed.  Let me know if you need the specifics and I'll drop it into this post.

@Jason_Dance  I have MFA working successfully with Microsoft Authenticator but not with SMS

Users trying SMS are challenged for the code but when they enter the code they receive via text message the authentication fails.

I think it may be the timeout issue.

I have looked at sk75221 and the trac_client_1.ttm file but I am not sure I understand what is required.

Are you able to post a copy of your working configuration?

I can see where to make the change on trac.defaults on the client but I am hoping to do this in one location and have it auto update all the clients when they next connect.

Thanks

Pedro

@Pedro_Silva its been a while since I did it, but I remember having to roll out the trac_client_1.ttm file to the machines through our software deployment solution because it didn't come down from the gateway properly.

@Jason_Dance  are you able to share the file contents? I found the documentation a little unclear as to the correct format.

Thanks

Pedro

Hi Pedro,

did you solve SMS problem? i have same issue like you, everything works except SMS

thanks

Sorry, we have moved to another vendor and I can't find any notes about the solution we used. I do think it was a timeout issue.

Suggest contacting checkpoint support.

Thanks! Np! i have found solution ...

Make sure that the password encryption protocol between the NPS and NAS servers supports the secondary authentication method that you're using. PAP supports all the authentication methods of Azure AD MFA in the cloud: phone call, one-way text message, mobile app notification, and mobile app verification code. CHAPV2 and EAP support phone call and mobile app notification.

I wanted to get back to this question as I have got this working in the lab and have validated the results.

With Secondary Connect (transparently connect users to distributed resources) users get an MS Authenticator 'Approve' request every time the remote access client connects to another gateway. 

So for sites that have Remote Access users relying on Secondary Connect to access resources distributed across the globe using the NPS Extension for Azure MFA is not the best user experience.

To my knowledge there is not a way to change the behavior of the NPS Extension so it will NOT send another request to Azure MFA if a previous authenticated session is already established.

Has anyone had a different experience with the setup of Secondary Connect and the NPS extension for Azure MFA?

Cheers!

--AJ

Did you ever end up finding a solution for secondary connect? We make heavy use of it as well

Make sure you don't have any punctuation or special characters in your Radius Shared Secret.

A single ' caused my configuration to break. The NPS server was authenticating the user but then failing to pass the information back to the gateway.

My working configuration is:

RADIUS server object in Checkpoint Smart Console - configured for Radius Version 2.0 and MS_CHAP2

NPS server with Network Policy to Grant Access to AD User groups using matching Authentication Method.

On NPS Server you can see the authentication events in Event Viewer under Custom Views\Server Roles\Network Policy and Access Services

Very helpful, thanks for sharing!

(Refer also sk114263)

Configuring an External User Profile (generic*) with Radius authentication on SmartDashboard is  still needed for this, right??

Can you post steps for configuring for SMS to phone or Verification code?  I've been struggling to get this to work at all!

For anyone running across this thread when setting this up.

You may also need to make sure your RADIUS udp service doesn't have aggressive aging and set a custom virtual session timeout matching the timeout you want. In my case aggressive aging was timing out the UDP virtual session after 15 seconds then the UDP replies were getting blocked by firewall stealth rule and "radius servers not responding" was getting logged.