Checkpoint VPN with Microsoft 2-Factor Authentication

Hello everyone

I would like to share with you how I managed to get VPN users to use Microsoft Azure Multi-Factor Authentication.

I saw in some posts that this was possible by using MFA Server, but Microsoft stopped offering MFA Server on July 1, 2019.


What I needed to do:

1 - Office 365 users with MFA enabled.

2 - Dedicated NPS Server.
All Radius requests made to this server will have MFA directed to Microsoft.

3 - NPS extension for Azure MFA
This extension will direct your MFA requests to Microsoft.
You can find the installation and download instructions at the link below.

https://docs.microsoft.com/pt-br/azure/active-directory/authentication/howto-mfa-nps-extension#sync-...

The user can define which method will be used in the Microsoft portal.

I tested the methods below on VPN Clients, Mobile Access and Capsule Workspace and they all worked perfectly.

- Notification through mobile app
- Verification code from mobile app
- Text message to phone

I hope this post helps you

Good luck

43 Replies

Excellent!!!! Thank you for sharing.

Thanks for sharing.

Was any testing completed with 'Secondary Connect' in this configuration?

Just curious how it worked if tested.

We currently use the Dynamic ID.
I created a new profile for testing Microsoft MFA.
When the user connects, he can choose which one to use.
After the tests we will keep only one.

Hello Rodrigo


Regarding the Management server configuration for 2FA, can you please share it with us?

BR,

Kostas

You need to direct authentication to the Radius server.

[screenshots: 1.png, 2.png]

You will need a Radius server with NPS extension for Azure MFA installed.

Remember that all requests to this Radius server will have MFA requests.

[screenshot: 3.png]

This setting is the same for Mobile Access.

You may need to extend the RADIUS timeouts to allow for slower RADIUS responses because the end user needs extra time to satisfy the MFA response.  SK112933 covers the configuration changes needed on the Management server, including the trac_client_1.ttm file used by the Endpoint suite clients.

Note that if you need to change the trac_client_1 file, you can set it in fwrl.conf to push it from management onto the gateways each time a policy is installed. Let me know if you need the specifics and I'll drop it into this post.

@Jason_Dance  I have MFA working successfully with Microsoft Authenticator but not with SMS

Users trying SMS are challenged for the code but when they enter the code they receive via text message the authentication fails.

I think it may be the timeout issue.

I have looked at sk75221 and the trac_client_1.ttm file but I am not sure I understand what is required.

Are you able to post a copy of your working configuration?

I can see where to make the change on trac.defaults on the client but I am hoping to do this in one location and have it auto update all the clients when they next connect.

Thanks

Pedro

@Pedro_Silva it's been a while since I did it, but I remember having to roll out the trac_client_1.ttm file to the machines through our software deployment solution because it didn't come down from the gateway properly.

@Jason_Dance  are you able to share the file contents? I found the documentation a little unclear as to the correct format.

Thanks

Pedro

I wanted to get back to this question as I have got this working in the lab and have validated the results.

With Secondary Connect (transparently connect users to distributed resources) users get an MS Authenticator 'Approve' request every time the remote access client connects to another gateway. 

So for sites that have Remote Access users relying on Secondary Connect to access resources distributed across the globe using the NPS Extension for Azure MFA is not the best user experience.

To my knowledge there is not a way to change the behavior of the NPS Extension so it will NOT send another request to Azure MFA if a previous authenticated session is already established.

Has anyone had a different experience with the setup of Secondary Connect and the NPS extension for Azure MFA?

Cheers!

--AJ

Thanks for sharing this.
Moving it to the Remote Access space.

Great info Rodrigo, did you have to do any specific configuration on the NPS server outside of getting the extension?

I've gotten a new AU configured with using Radius and cannot get a prompt for an MFA code.

Make sure you don't have any punctuation or special characters in your Radius Shared Secret.

A single ' caused my configuration to break. The NPS server was authenticating the user but then failing to pass the information back to the gateway.

My working configuration is:

RADIUS server object in Check Point SmartConsole, configured for RADIUS Version 2.0 and MS-CHAP2

NPS server with Network Policy to Grant Access to AD User groups using matching Authentication Method.

On the NPS server you can see the authentication events in Event Viewer under Custom Views\Server Roles\Network Policy and Access Services

Everything I needed to configure the NPS server I found on the link https://docs.microsoft.com/pt-br/azure/active-directory/authentication/howto-mfa-nps-extension#sync-...

Very helpful, thanks for sharing!

(Refer also sk114263)

Configuring an External User Profile (generic*) with RADIUS authentication in SmartDashboard is still needed for this, right?

It depends on your policy. My configuration allows VPN connection by AD group. Regardless of whether it is per AD user, or per local user, authentication needs to be sent to the radius server.

Thanks for the documentation. Could you say what you did on Check Point's side to make this work? We have been struggling for the last few weeks to make this work and haven't made any headway. I've configured the RADIUS server with the NPS extension, and we've set up RADIUS authentication on the gateway, but we keep getting a username/password error. Is there another way to set this up that will allow it to work? Would you mind sharing what your working setup looks like? We've been banging our heads against the wall for the last few weeks, and as you can tell it's starting to show. Appreciate any help that you can give.

I'm sorry for the late reply.
On the Check Point side I just needed to set up a new RADIUS server and direct authentication to it.
You can even put MFA on whoever connects to SmartConsole.

We can't get the mobile app notification method to work!

Verification code and SMS to phone work fine!

Any ideas?

Can you post steps for configuring for SMS to phone or Verification code?  I've been struggling to get this to work at all!

1 - Your company must have at least one free Azure AD account, and your on-premises AD users must be in sync with the cloud.
2 - In the user's guide on the Office 365 portal there is the option to manage two-factor authentication. There you enable two-factor authentication for each user.
3 - The user needs to access the portal.office.com website and complete the configuration.
I don't know if that was your question.
Hope this helps.

Check if you are having problems with HTTPS Inspection.
In our case it only worked on the 3G network. Then I found out that it was URL inspection.
Now everything works great.

For anyone running across this thread when setting this up.

You may also need to make sure your RADIUS udp service doesn't have aggressive aging and set a custom virtual session timeout matching the timeout you want. In my case aggressive aging was timing out the UDP virtual session after 15 seconds then the UDP replies were getting blocked by firewall stealth rule and "radius servers not responding" was getting logged.

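The timeout and shared-secret points raised in the replies above (the trac_client_1.ttm timeout, the shared-secret character that broke one configuration, and the UDP aggressive-aging cutoff that produced "radius servers not responding") all come down to one RADIUS exchange. The following is an added Python example, not code from this thread, from Check Point or from Microsoft: it builds an RFC 2865 Access-Request with a PAP User-Password, runs it against a toy in-process UDP server that delays its Access-Accept the way an MFA push round trip would, verifies the Response Authenticator, and returns "timeout" when the NAS-side timeout is shorter than that delay. The server, the user database, the NAS-Identifier value, and the delay and timeout figures are all constructed for the example. Note that the shared secret enters the MD5 computations as raw bytes, so punctuation is harmless on the wire; whatever broke the configuration reported above happened in how the secret was stored or parsed, not in the protocol.

```python
import hashlib
import hmac
import secrets
import socket
import struct
import threading
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32       # attribute types used here
USERS = {"rodrigo": b"Pa55w0rd"}                          # constructed user database


def _attr(atype, value):
    """One attribute TLV: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _password_xor(data, secret, request_auth, decrypt):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", request_auth                # the secret is raw bytes: any character works
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, key))
        prev = block if decrypt else out[-16:]   # always chain on the ciphertext block
    return out


def encode_user_password(password, secret, request_auth):
    n = max(1, (len(password) + 15) // 16) * 16  # NUL-pad to a multiple of 16 bytes
    return _password_xor(password.ljust(n, b"\x00"), secret, request_auth, decrypt=False)


def decode_user_password(encoded, secret, request_auth):
    return _password_xor(encoded, secret, request_auth, decrypt=True).rstrip(b"\x00")


def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):   # reject a length that runs off the packet
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    request_auth = request_auth or secrets.token_bytes(16)   # fresh Request Authenticator
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encode_user_password(password.encode(), secret, request_auth))
             + _attr(NAS_IDENTIFIER, b"cp-gw-1"))             # constructed NAS name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(resp, request_auth, secret):
    """Return (authentic, code); a reply whose authenticator fails must never be trusted."""
    code, _ident, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp):
        return False, code
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20]), code


def serve_once(sock, secret, mfa_delay):
    """Toy NPS stand-in: check the password, then wait mfa_delay seconds (the MFA push)."""
    data, peer = sock.recvfrom(4096)
    code, ident = data[0], data[1]
    req_auth, attrs = data[4:20], parse_attrs(data[20:])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decode_user_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = code == ACCESS_REQUEST and USERS.get(user) == password
    time.sleep(mfa_delay if ok else 0)
    sock.sendto(build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, b"", secret), peer)


def authenticate(username, password, secret, timeout, mfa_delay):
    """One exchange against the in-process server; returns 'accept', 'reject' or 'timeout'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    worker = threading.Thread(target=serve_once, args=(srv, secret, mfa_delay), daemon=True)
    worker.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(timeout)                       # the NAS-side RADIUS timeout
    pkt, req_auth = build_access_request(7, username, password, secret)
    try:
        cli.sendto(pkt, srv.getsockname())
        resp, _peer = cli.recvfrom(4096)
        authentic, code = verify_response(resp, req_auth, secret)
        result = "accept" if authentic and code == ACCESS_ACCEPT else "reject"
    except socket.timeout:
        result = "timeout"                        # what the gateway logs as servers not responding
    finally:
        worker.join()
        cli.close()
        srv.close()
    return result
```

Calling authenticate("rodrigo", "Pa55w0rd", b"cp'n\"ps!secret", timeout=2.0, mfa_delay=0.2) returns "accept"; the same call with timeout=0.1 and mfa_delay=0.5 returns "timeout" even though the server eventually answers. That is the shape of the problem the trac_client_1.ttm change and the RADIUS UDP virtual-session timeout both address: every hop between the VPN client and NPS (client, gateway, firewall session table) has to outlast the slowest MFA approval, or the late Access-Accept is dropped and the user sees a failure.
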
Thanks very much for taking the time to write this.  Just finished a deployment for 1000 users,

Ruan

P.S. Just had one item that tripped me up for a while. A different team was handling the NPS, and we saw from the gateway that our Radius requests were not honored. Turns out that in a VSX environment the Radius request is sent by the root device (not sure what the correct term is, VS0?) and not the virtual system. I don't have a lot of experience with VSX so maybe this is common knowledge - it wasn't for me.

Hi, 

We have set Radius and VPN to request MFA (Azure):

  1. we receive MFA request when authenticating on the VPN
  2. then Radius network policy allow connection with the event 6272 (Network Policy Server granted access to a user.)
  3. 2 seconds later, the same network policy refuses the connection with event 6274, reason code 9 (Network Policy Server discarded the request for a user.)

Does anyone else have the same problem? Any idea how to fix this?

best regards

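The grant-then-discard sequence described in the post above (6272 followed two seconds later by 6274 with reason code 9) is easy to see for one user in Event Viewer and hard to see across a whole user base. The following Python snippet is an added example, not code from this thread or from Microsoft: it pairs each 6272 with the next 6274 for the same account inside a time window over a constructed four-column export (timestamp, event ID, account, reason code) and reports the gap and the reason. The sample events and the CSV layout are constructed for the example; the reason-code text is taken from the NPS reason-code list for the two codes this thread mentions.

```python
import datetime as dt
from collections import defaultdict

NPS_GRANTED, NPS_DISCARDED = 6272, 6274   # Security-log event IDs shown in the NPS custom view
REASON_TEXT = {                            # NPS reason-code text, only the codes this thread mentions
    9: "The request was discarded by a third-party extension DLL file.",
    16: "Authentication failed due to a user credentials mismatch.",
}

# Constructed sample export (timestamp, event ID, account, reason code); not real log data.
SAMPLE_EVENTS = """\
2020-03-10T08:15:02,6272,CORP\\rodrigo,0
2020-03-10T08:15:04,6274,CORP\\rodrigo,9
2020-03-10T08:16:40,6272,CORP\\pedro,0
2020-03-10T08:20:11,6274,CORP\\ruan,16
2020-03-10T08:21:00,6272,CORP\\aj,0
2020-03-10T08:21:30,6274,CORP\\aj,9
"""


def parse_events(text):
    """Parse the four-column export into (timestamp, event_id, account, reason) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, reason = line.split(",")
        events.append((dt.datetime.fromisoformat(ts), int(event_id), account, int(reason)))
    return events


def grant_then_discard(events, window_s=10):
    """Pair each 6272 with the next 6274 for the same account within window_s seconds.
    A discard with no preceding grant, or one arriving after the window, is left unpaired."""
    window = dt.timedelta(seconds=window_s)
    pending = defaultdict(list)            # account -> grant timestamps not yet matched
    hits = []
    for ts, event_id, account, reason in sorted(events):
        if event_id == NPS_GRANTED:
            pending[account].append(ts)
        elif event_id == NPS_DISCARDED:
            for granted in list(pending[account]):
                if dt.timedelta(0) <= ts - granted <= window:
                    pending[account].remove(granted)
                    hits.append({"account": account, "granted": granted, "discarded": ts,
                                 "gap_s": (ts - granted).total_seconds(), "reason": reason,
                                 "text": REASON_TEXT.get(reason, "unknown reason code")})
                    break
    return hits


def accounts_by_reason(hits):
    """Distinct affected accounts per reason code, to see whether one cause dominates."""
    counts = defaultdict(set)
    for hit in hits:
        counts[hit["reason"]].add(hit["account"])
    return {reason: len(accounts) for reason, accounts in counts.items()}
```

With the default 10-second window only the rodrigo pair is reported (gap 2.0 s, reason 9); widening the window to 60 seconds also catches the aj pair, while ruan's lone 6274 with reason 16 is never paired because no grant precedes it. Exporting the real custom view to the same four columns and feeding it to parse_events is enough to tell whether the discard follows the grant for every MFA user or only some.
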
Hi Ruan!

If you haven't already found out how to have the authentication request sent via the Virtual System instead of the VS0, there is a setting on the VS that you want to have send the authentication request, in the settings "tree" to the left when you open the VS configuration, under "Other" and then "Legacy Authentication".

Under the checkboxes for which Authentication methods to allow on the VS, there is a section called "Authentication Servers Accessibility (including LDAP)", where you change the Radio Button to "Private (servers are accessible from this virtual system)".

I have attached a screenshot of the setting below.

Good luck!

Kind regards,

/Jonas

[screenshot: Virtual System Authentication Settings]


Hi Jonas, thanks very much for that!

You're most welcome, happy to help!

/Jonas
