ikokkoris
Contributor

Integration with Azure AD for remote access VPN

Dear all,

We would like to integrate our Checkpoint cluster with Azure AD.

At this time, our client-based remote access VPN users are authenticated via on-premise AD. The client version is E86.50. We would like to add O365 MFA to the VPN users. For this reason, we have to integrate our Checkpoint cluster (6400 appliances, R81.10 version) with Azure AD in order to authenticate remote users. I read a similar case in the community, but our on-premise AD and the Azure AD are not synchronized (we have different domains). Also, the SAML authentication solution is not suitable for us.

Is there any way to implement this scenario?

Thank you in advance for your answers.

Ioannis
7 Replies
PhoneBoy
Admin

If you do not want to do SAML, the only other option is to integrate with RADIUS.
That means setting up a Network Policy Server: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-radius
It also means entering your fixed password plus your MFA number in the same password field.
The SAML approach is much more user friendly.

ikokkoris
Contributor

Hello,

Thank you for the reply. My concern about the NPS scenario is the use of different domains in the local and Azure AD environments. Do you think that it can still work?

PhoneBoy
Admin

Theoretically, you can set both up as authentication methods and use the Multiple Authentication Schemes.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Cont... 
How this will work in practice is a separate question.

ikokkoris
Contributor

I will try that and come back with feedback. Thanks.

the_rock
Legend

I had a customer try that with different domains a couple of years ago, and we must have spent 10+ hours with TAC and MS support on it, without success. I want to be positive and tell you it would work, but I'm also being brutally honest when I say it's highly unlikely it will work. Just my feedback about it.

ikokkoris
Contributor

Appreciate your answer. My first thought was to integrate Azure AD with the CP cluster and then have users authenticate (through the VPN client) with O365 credentials, but I am not sure it works.

CheckPointerXL
Advisor

I remember month ago that putting users/groups fetched from an Azure AD object didn't work. Is this fixed now?

Thank you
