Hi, 

We have set Radius and VPN to request MFA (Azure):

1. we receive MFA request when authenticating on the VPN
2. then Radius network policy allow connection with the event 6272 (Network Policy Server granted access to a user.)
3. 2 seconds later, the same network policy refuse the connection with the event 6274 Reason code 9 (Network Policy Server discarded the request for a user.)

Does anyone else have the same problem? any idea to fix this?

best regards

Hi Ruan!

If you haven't already found out how to have the authentication request sent via the Virtual System instead of the VS0, there is a setting on the VS that you want to have send the authentication request, in the settings "tree" to the left when you open the VS configuration, under "Other" and then "Legacy Authentication".

Under the checkboxes for which Authentication methods to allow on the VS, there is a section called "Authentication Servers Accessibility (including LDAP)", where you change the Radio Button to "Private (servers are accessible from this virtual system)".

I have attached a screenshot of the setting below.

Good luck!

Kind regards,

/Jonas

Virtual System Authentication Settings

You're most welcome, happy to help!

/Jonas

Make sure your AD/Radius group belongs to the community, as the message said

Hi, it does but the error persists

It is some error in the config. Wrong LDAP branch, or the user in not on LDAP. Check all the steps

There is a very good tool for troubleshooting LDAP issued called ldapsearch that you can use either on the gateway or the management to check if the module can do LDAP queries, and if the account and DN's you use are allowed to query the LDAP server.

You can search Secure Knowledge for "ldapsearch" and you will get multiple answers detailing different troubleshooting scenarios involving LDAP.

(For example sk100163, Endpoint Security Client fails to connect to VPN Site with "Negotiation with site failed" error
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)

Personally I also like to use the Windows tool, "Softerra LDAP Administrator" (Read/Write, costs money) or "Softerra LDAP Browser" (same tool, but Read Only and free for all usage) to troubleshoot LDAP issues as it gives you very good details about your LDAP catalog, and all the objects and attributes involved.

I also like to find the objects and DN's in "LDAP Browser" and do copy-past into my configuration, making sure that I haven't misspelled anything in the FQDN's etc.

Good luck!

Best regards,

Jonas

Hi
You can check the logs in the event viewer of the radius server.

If there is more than one network rule try to leave that rule at the top.

Have you run a tcpdump on the gateway or Wireshark capture on the RADIUS server to look at the attributes being passed back? If the server is not passing back the correct attribute the gateway cannot associate the user with a group (RAD_xyz) and therefore will say that the user is not part of the community. So you might be getting a RADIUS access accept from the RADIUS server but a group matching failure due to the wrong attribute.

Hi anybody has this error?

Yes, have seen the same message, something I need to investigate further but possibly just the user not responding to the Azure MFA prompt in time so the NPS Azure MFA extension times it out and reports so back to the event log.

I've raised a SR for our issues trying to get the RADIUS attributes to match the RAD_<attribute> group. tcpdump shows the correct type (26) being sent with the correct vendor code and values but the gateways appears to be failing to associate it with the group and therefore with the RA community. Initial response from TAC was that the configuration looked right.

Will schedule another test window to repeat the implementation and run a VPN debug.

i also opened a support, Microsoft found radius was correctly set, this error message according to Microsoft is generic and due a Checkpoint misconfiguration.

@DeletedUser can't you share a full procedure to connect Checkpoint VPN and Azure MFA, it is obviously causing problems

and the other VPN got their own procedure 🙂

I advise you to review your settings on the radius server.
Your type of authentication is like MS-CHAPv2, and see how my log looks. Authentication type: Extension.

Hi we finally found the problem, it was due to the secret shared key, Checkpoint doesn't accept special characters.

thanks all for the help

how do i switch the MFA from one time passcode to mobile app method?

This is set on the individual users Microsoft account. It is a user preference.

i have been able to get this working great with MFA but if a user is to "change logon option" on checkpoint vpn client they can bypass the MFA and simply connect with username /password credentials. Where would i find the setting to block this?

Good question nflnetwork29. I have the same problem. If the users are able to change between MFA and user + password on checkpoint mobile client the security layer is compromised. Did you manage to make this work? Regards

You can diable this by going to SmartConsole - > open the security gateway/cluster object - > under VPN cleint, select Authentication. On the right hand side panel, you would see "settings". Click on that and uncheck "Allow newer client that support multiple login options to use use auth mehod" 

Greetings,

Once authenticated in VPN, this issue don't have link with MFA.

Unauthorized SSL VPN Traffic is a traditional error and your cause it depend on about your configuration. Below are some SKs that are helpful.

SNX traffic is dropped with "Unauthorized SSL VPN traffic" (checkpoint.com)

After authentication to Mobile Access Blade, cannot access internal resources with error "Unauthoriz...
Traffic initiated from internal host towards SSL Network Extender client is dropped with "Unauthoriz...

Alisson Lima

We are all set now. I just want to share below URL which is very helpful for troubleshooting

Can you share with the community, what was the actual finding in your case? what was the issue, how did you fix it?

Some users are able to authenticate and access internal resources but some users are not able to authenticate. Getting message "Wrong username or password". It is saying "Unauthorized access" in smart log.

We gone through below document and there is one setting "control access through network policy" which needs to be enable in user property.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn