Contributor

Checkpoint VPN with Microsoft 2-Factor Authentication

Hello everyone

I would like to share with you how I managed to get VPN users to use Microsoft Azure Multi-Factor Authentication.

I saw in some posts that this was possible by using MFA Server, but Microsoft stopped offering MFA Server on July 1, 2019.


What I needed to do:

1 - Office 365 users with MFA enabled.

2 - Dedicated NPS Server.
All Radius requests made to this server will have MFA directed to Microsoft.

3 - NPS extension for Azure MFA
This extension will direct your MFA requests to Microsoft.
You can find the installation and download instructions at the link below.

https://docs.microsoft.com/pt-br/azure/active-directory/authentication/howto-mfa-nps-extension#sync-...

The user can define which method will be used in the Microsoft portal.

I tested the methods below on VPN Clients, Mobile Access and Capsule Workspace and they all worked perfectly.

- Notification through mobile app
- Verification code from mobile app
- Text message to phone

I hope this post helps you.

Good luck

48 Replies
Employee

You're most welcome, happy to help!

/Jonas

0 Kudos
Reply
Explorer

Hello Jonas,
Thanks for your insight. I have a similar problem. On the Checkpoint, the area for Authentication Servers Accessibility (including LDAP) doesn't show.

All other sections, including 'Enabled Authentication Schemes', 'Authentication Settings' and 'Policy Servers', are available.

Is there a way to make this happen (Ensure authentication servers are accessible from this virtual system) via CLI?
Please share if you know the command.
0 Kudos
Reply
Explorer

Hi, I have a problem. I configured everything correctly, I think (using a guide I found and the posts here). When I log in to the VPN, I enter my test user and password, get the MFA asking to confirm, and then I get "authentication failed" and a log in SmartConsole that the user does not belong to the Remote Access community. Any ideas what could be wrong?

0 Kudos
Reply
Admin

Make sure your AD/Radius group belongs to the community, as the message said.

0 Kudos
Reply
Explorer

Hi, it does, but the error persists.

0 Kudos
Reply
Admin

It is some error in the config: wrong LDAP branch, or the user is not in LDAP. Check all the steps.

0 Kudos
Reply
Explorer

Could you please tell me more about how to check if the LDAP branch is wrong?
0 Kudos
Reply
Employee

There is a very good tool for troubleshooting LDAP issues called ldapsearch that you can use either on the gateway or the management to check if the module can do LDAP queries, and if the account and DNs you use are allowed to query the LDAP server.

You can search Secure Knowledge for "ldapsearch" and you will get multiple answers detailing different troubleshooting scenarios involving LDAP.

(For example sk100163, Endpoint Security Client fails to connect to VPN Site with "Negotiation with site failed" error
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)

Personally I also like to use the Windows tool, "Softerra LDAP Administrator" (Read/Write, costs money) or "Softerra LDAP Browser" (same tool, but Read Only and free for all usage) to troubleshoot LDAP issues as it gives you very good details about your LDAP catalog, and all the objects and attributes involved.

I also like to find the objects and DNs in "LDAP Browser" and copy-paste them into my configuration, making sure that I haven't misspelled anything in the FQDNs etc.

Good luck!

Best regards,

Jonas

0 Kudos
Reply
Explorer

Hi, I tried the ldapsearch tool and it queries the server and gives good information from both the management server and the gateway. I fiddled with the branch settings and the effect is that I get a "user not known" error, so I reverted that, but I'm back to square one. Is there a way I can check whether the RAD_ group works fine? (It's empty, as the manual said.)
0 Kudos
Reply
Contributor

Hi,
You can check the logs in the Event Viewer of the RADIUS server.

nps_log.png

If there is more than one network rule try to leave that rule at the top.

0 Kudos
Reply
Contributor

Have you run a tcpdump on the gateway or Wireshark capture on the RADIUS server to look at the attributes being passed back? If the server is not passing back the correct attribute the gateway cannot associate the user with a group (RAD_xyz) and therefore will say that the user is not part of the community. So you might be getting a RADIUS access accept from the RADIUS server but a group matching failure due to the wrong attribute.

0 Kudos
Reply
Participant

Hi, has anybody had this error?

Image 4804.png

0 Kudos
Reply
Contributor

Yes, have seen the same message, something I need to investigate further but possibly just the user not responding to the Azure MFA prompt in time so the NPS Azure MFA extension times it out and reports so back to the event log.

I've raised a SR for our issues trying to get the RADIUS attributes to match the RAD_<attribute> group. tcpdump shows the correct type (26) being sent with the correct vendor code and values but the gateways appears to be failing to associate it with the group and therefore with the RA community. Initial response from TAC was that the configuration looked right.

Will schedule another test window to repeat the implementation and run a VPN debug.

0 Kudos
Reply
Participant

I also opened a support case. Microsoft found RADIUS was correctly set; this error message, according to Microsoft, is generic and due to a Checkpoint misconfiguration.

@Anonymous, can't you share a full procedure to connect Checkpoint VPN and Azure MFA? It is obviously causing problems,

and the other VPNs got their own procedure 🙂

Contributor

I advise you to review your settings on the radius server.
Your type of authentication is like MS-CHAPv2, and see how my log looks. Authentication type: Extension.

VPN-MFA.png

0 Kudos
Reply
Participant

Hi, we finally found the problem: it was due to the shared secret key. Checkpoint doesn't accept special characters.

Thanks all for the help.

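Two replies above point at the same gateway-side check: does the RADIUS Access-Accept carry the group attribute (Vendor-Specific, type 26) the gateway maps to its RAD_<group> object, and does the shared secret on both sides agree so the reply validates at all. The following is an added example, not code from the thread, from Check Point or from Microsoft. It builds a constructed Access-Accept and then inspects it the way a capture review would: it recomputes the Response Authenticator with the shared secret, walks the attribute list defensively, decodes the vendor-specific payload, and flags non-alphanumeric characters in a candidate shared secret. The vendor ID (2620, Check Point's IANA enterprise number) and the vendor attribute number 229 are assumptions for illustration; check them against the RADIUS dictionary your gateway release uses.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

ACCESS_ACCEPT = 2
ATTR_CLASS = 25             # generic RFC 2865 Class attribute
ATTR_VENDOR_SPECIFIC = 26   # the attribute type discussed in the thread
# Assumed values (verify against your gateway's RADIUS dictionary):
CHECKPOINT_VENDOR_ID = 2620  # Check Point IANA enterprise number
GROUP_VENDOR_TYPE = 229      # placeholder vendor attribute number for the group name


def build_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one plain attribute as Type, Length (including header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute: Vendor-Id then a nested TLV."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_access_accept(identifier: int, request_auth: bytes,
                        secret: bytes, attrs: List[bytes]) -> bytes:
    """Assemble an Access-Accept whose Response Authenticator matches the secret."""
    attr_bytes = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attr_bytes))
    resp_auth = hashlib.md5(header + request_auth + attr_bytes + secret).digest()
    return header + resp_auth + attr_bytes


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A shared secret that differs on the two sides fails here and the reply is dropped."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs, rejecting lengths that run past the packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def parse_vsa(value: bytes) -> List[Tuple[int, int, bytes]]:
    """Split a type-26 value into (vendor_id, vendor_type, data) triples."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    out, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor attribute header")
        v_type, v_len = value[pos], value[pos + 1]
        if v_len < 2 or pos + v_len > len(value):
            raise ValueError("bad vendor attribute length")
        out.append((vendor_id, v_type, value[pos + 2:pos + v_len]))
        pos += v_len
    return out


def inspect_accept(packet: bytes, request_auth: bytes, secret: bytes) -> Dict:
    """Is the reply genuine, and which group names arrived for RAD_<name> matching?"""
    result = {"authenticator_ok": verify_response_authenticator(packet, request_auth, secret),
              "code": packet[0], "groups": [], "class": []}
    for a_type, value in parse_attributes(packet):
        if a_type == ATTR_CLASS:
            result["class"].append(value.decode("utf-8", "replace"))
        elif a_type == ATTR_VENDOR_SPECIFIC:
            for vendor_id, v_type, data in parse_vsa(value):
                if vendor_id == CHECKPOINT_VENDOR_ID and v_type == GROUP_VENDOR_TYPE:
                    result["groups"].append(data.decode("utf-8", "replace"))
    result["expected_objects"] = ["RAD_" + g for g in result["groups"]]
    return result


def shared_secret_warnings(secret: str) -> List[str]:
    """Characters outside [A-Za-z0-9], the class the thread found the gateway rejects
    (the exact accepted set is an assumption; alphanumeric is the safe choice)."""
    return sorted({c for c in secret if not c.isalnum()})


# Constructed sample: request authenticator, secret and an Access-Accept with
# one vendor-specific group attribute and one Class attribute.
REQUEST_AUTH = bytes(range(16))
SECRET = b"ExampleSecret01"
SAMPLE_ACCEPT = build_access_accept(
    7, REQUEST_AUTH, SECRET,
    [build_vsa(CHECKPOINT_VENDOR_ID, GROUP_VENDOR_TYPE, b"VPN-Users"),
     build_attr(ATTR_CLASS, b"OU=Remote")])

if __name__ == "__main__":
    print(inspect_accept(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    print(inspect_accept(SAMPLE_ACCEPT, REQUEST_AUTH, b"wrong-secret"))
    print(shared_secret_warnings("P@ss!word"))
```

Run as-is it prints the decoded reply once with the matching secret (authenticator valid, group VPN-Users, expected gateway object RAD_VPN-Users) and once with a mismatched secret (authenticator invalid, which is what a gateway silently discards). On a real capture, feed the Access-Request's authenticator bytes and the Access-Accept bytes from tcpdump or Wireshark into inspect_accept instead of the constructed sample.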
Contributor

How do I switch the MFA from the one-time passcode to the mobile app method?

0 Kudos
Reply
Contributor

This is set on the individual user's Microsoft account. It is a user preference.

0 Kudos
Reply
Contributor

I have been able to get this working great with MFA, but if a user is to "change logon option" on the Checkpoint VPN client, they can bypass the MFA and simply connect with username/password credentials. Where would I find the setting to block this?

0 Kudos
Reply