Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Shahar_Grober
Advisor
Jump to solution

Duo with Remote Access VPN (Client)

Hi, 

 

Is Duo + check Point integration support Remote Access VPN Client? 

according to the integration guide it supports only " Check Point Mobile Access"

https://duo.com/docs/checkpoint#configure-your-check-point-mobile-access-vpn 

I want to make sure it is supported or someone has experience with it before I start POC

 

1 Solution

Accepted Solutions
Jeff_Engel
Employee
Employee

It is supported.  Just completed a test recently if you need help with configuration. 

View solution in original post

24 Replies
Jeff_Engel
Employee
Employee

It is supported.  Just completed a test recently if you need help with configuration. 

Shahar_Grober
Advisor
Thanks Jeff, Is the documentation valid or some tweaks are needed?
Jeff_Engel
Employee
Employee

When integrating with the full client it is actually much simpler.  Simply define the auth method as Radius under VPN Clients > Authentication.

Duo handles the AD auth and the 2FA prompt assuming you are using their proxy.

You do not need to use any of the Mobile Access specific instructions mentioned.

Pro tip, do not use spaces in the RADIUS object name.  🙂

Hope this helps!

RS_Daniel
Advisor
hi, Shahar
We made a pair of DUO integrations with CheckPoint and it works exactly as the documentation says. The only cosideration I can name is that in a cluster scenario the radius requests arrived with real ip of active member to the DUO auth proxy, of course we tried with cluster virtual ip first but did not work, after a debug at DUO side we saw the behavior mentioned, so we had to use two radius_ip for both members IP's, tested with many failovers and worked fine. HTH
Tim_McColgan
Contributor

I am having a bear of a time setting this up, any tips would help. I just can't get the duo push to happen. 

My goal is to primary auth the user with LDAP then second auth with a duo push. Although the confusing part is there is RADIUS configuration required, even though I only want to use LDAP. Not sure I understand why but any configuration examples would be helpful!! 

Here is mine today:

 

[ad_client]
host=1.2.3.4 (AD server IP)
service_account_username=ad-admin
service_account_password=ad-admin-password
search_dn=DC=domain,DC=com
security_group_dn="CN=Duo Checkpoint VPN,OU=Groups,DC=domain,DC=com"

[radius_server_auto]
ikey=ikey_from_duo_console
skey=skey_from_duo_console
api_host=api-123456789.duosecurity.com
radius_ip_1=checkpoint_gw1
radius_ip_2=checkpoint_gw2
radius_secret_1=secret1
radius_secret_2=secret2
client=ad_client
port=1812
failmode=secure

Jeff_Engel
Employee
Employee

Hi @Tim_McColgan

Please share screenshots of your Radius server object and VPN Clients > Authentication settings...I tried to send my setup but they didn't come through.  See my attachments...

Also make sure you have usernames in Duo that match your AD users.

 
Tim_McColgan
Contributor

@Jeff_Engel Attached are my screenshots. I actually had a little different configuration in the VPN - authentication settings. But I corrected to match yours. 

Also confirmed user names in checkpoint match the user name in AD. 

Jeff_Engel
Employee
Employee

Thanks Tim.  The only thing that I have set differently in my authproxy.cfg is my failmode is set to 'safe'.  I would also run tcpdump on the active gateway(if in a cluster) and make sure you see the RADIUS request being made and being responded to by the Duo Proxy server.

Tim_McColgan
Contributor

@Jeff_Engel thank you. 

 

I ended up started from scratch and was getting ldap lookup errors in the duo proxy log. 

I made the assumption that since my AD lookup was using a group name with spaces, i.e. Duo Checkpoint Users, that I put the group in quotes in the authproxy config file such as:

 

security_group_dn=CN="Duo Checkpoint Users,OU=Groups,DC=example,DC=com"

 

On a whim, I removed the double quotes and it worked!!

 

security_group_dn=CN=Duo Checkpoint Users,OU=Groups,DC=example,DC=com

 

CheckPointerXL
Advisor
Advisor

Hello,

can i use access role? it is necessary to create the user inside check point management? i'm confused about this

i get error RADIUS servers not responding, but from the connectivity tool check everything is ok

Jeff_Engel
Employee
Employee

Where are you seeing the 'servers not responding' message?

Easy thing to check is to ensure the security gateways are not being blocked from communicating with the duo proxy server.  TCPDUMP is the best way from the gateways.

CheckPointerXL
Advisor
Advisor

hello jef,

just fixed, the server was blocking the fw requests despite ping working and empty iptables rule list. 

Disabling iptables fixed the issue.

thank you

Jeff_Engel
Employee
Employee

Great, thanks for the update!

jmay
Explorer

Hi,

I had the same problem, where I wasn't getting the needed push. Are you using a NPS server and if so is it located on your Duo proxy? If yes disable the NPS. I also discovered with help from Duo support that the section in your config file wasnt needed only the domain name was

try removing and save the config file restart duo services and see if you then get the needed push

security_group_dn="CN=Duo Checkpoint VPN,OU=Groups,DC=domain,DC=com" 

 

Also, to help confirm that you don't have any misconfigs or errors, make sure to run and check the connectivity tool and check logs. This tool will be ran from the command window as an administrator, if all green your radius server is in good shape. If you get any error make note and correct and re-run the test. 

 

for Windows:

"C:\Program Files\Duo Security Authentication Proxy\bin\authproxy_connectivity_tool.exe"

Linux:

sudo /opt/duoauthproxy/bin/authproxy_connectivity_tool

Last thing is to make sure the service account that you are using as the needed rights (read, write, list) 

 

Hope this helps. 

 

drick
Explorer

Do you know if DUO works with the checkpoint small business appliances? Have an open case right now for the checkpoint 790 appliance and we are unable to get this working. Support is saying only freeradius is known to work with the appliance?(checkpoint support) Even the latest 1500+ devices seem to have the same issue. Seems odd a supported appliance would only work with freeradius?

CP_Coldspring
Explorer

I wanted to reach out since this was just 2 months ago. I am working on this exact setup and my setup appears to be the same as yours. We are running R80.30 and the most up to date Mobile Access client. Duo proxy is on its own internal Server 2016 in the same VLAN as our AD server. Password changes worked before implementing Duo RADIUS but now running into issues.

We cannot get password changes to go through ever since setting up Duo Radius. Are you able to change passwords over VPN with your setup? I am working with support and have a TAC case open but not having luck getting it working.

 

Any information would be helpful.

Tim_McColgan
Contributor

@CP_Coldspring 

Hello, I will be honest we have not come across changing passwords over VPN - my guess is we will run into this eventually. However at this time I only have about a dozen users utilizing DUO for Checkpoint VPN as we are continuing to test. 

As of today users just change their passwords when they login to their machine when they are in the office and on the LAN (yes we are back in the office). I am assuming you are fully remote at this time. However, we are not. 

CP_Coldspring
Explorer

We are also back in the office for the most part. However we have sales staff based from their homes across the US which is where it came up from. We currently only have a small test group (mainly IT) enrolled in Duo. However since it is now used as the RADIUS server to authenticate all VPN users they are unable to change a password when connected to the VPN so we have had to instruct them to reconnect to the Cisco VPN client to change their passwords.

Sal-E
Participant

As of now the only way I found for password change and Duo Mobile to work is through Radius only

You need to allow Duo to authenticate the user in the AD via Radius and not LDAP

Once done; after password expiration the user will be prompt to change password on the VPN login screen.

After the password change they will receive a duo notification; if the new password meets the requirements they will reach the VPN screen if not they will go back to home screen to start over

Sal-E
Participant

As for now; The only way I found getting Change Password to work with Duo Mobile is to allow Duo to authenticate the user via Radius to the AD instead of LDAP or LDAPS

What needs to be done is to configure [radius_server_auto]; and add the line "client=radius_client"; and then configure [radius_client]

Once done, when a user connects to the VPN with an expired password; the user will be prompt to change the password.
After changing the password the user will receive a Duo notification that he will need to approve. Only then if the password meets the requirements the user will continue to the regular VPN screen otherwise he will go back to the login screen and attempt to change the password again

Vladimir
Champion
Champion

@Sal-E , what are you using as a RADIUS server in this scenario, MS NPS?

skandshus
Advisor
Advisor

It works. 🙂

 

using it my self

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events