This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Karen_Askelson
Contributor
Contributor
‎2023-10-27 11:17 AM

Is it possible to use multiple authentication types for SSL VPN?

We currently have a standalone R81 server configured to use SSL VPN and authenticating to internal AD server via LDAP.  We now need to add Azure AD SAML authentication for some of the users.  Is it possible to have both configured and if so, how do we configure which users use which authentication?

Thanks in advance for any assistance!

Karen

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2023-10-27 04:35 PM

When you say SSL VPN, are you referring to Mobile Access Blade, SNX, Check Point Mobile, or?

0 Kudos
Karen_Askelson
Contributor
Contributor
‎2023-10-30 06:13 AM
In response to PhoneBoy

I'm currently using SNX with Identity Awareness for internal AD authentication.  I can use SNX or Mobile Access Blade for the Azure SAML authentication.

Thanks,

Karen

0 Kudos
Karen_Askelson
Contributor
Contributor
‎2023-10-30 01:14 PM
In response to Karen_Askelson

I ended up configuring the Mobile Access Blade with SNX.  I configured multiple logins (Standard, LDAP & SAML) and configured SNX on the mobile access blade to network mode only and configured office mode.  Now when I go to the SNX web page, it gives me the different login options and I choose Standard to log in with a local Check Point user and login successfully, but it goes to the application main page.  It never assigns an office mode IP or updates the routes on the client.  What am I missing?  I would like it to work like it did when configured under IPSec VPN.

0 Kudos
the_rock
Legend
Legend
‎2023-10-27 06:30 PM

Last time I asked this question in TAC case, they told me it was not possible. This was January of this year. I doubt it had changed since, but you can certainly open a case and ask.

Regards,

Andy

0 Kudos
Alex-
Advisor
Advisor
‎2023-10-28 02:06 AM

I believe you can just add SAML with a Mobile Access Identity provider and add it in the Multiple Login Options in the Mobile Access blade configuration.

If you keep the current AD scheme, users will get a drop-down list at login screen where there can switch between username/password and SAML.

0 Kudos
the_rock
Legend
Legend
‎2023-10-28 06:01 AM
In response to Alex-

Correct...BUT, here is the problem. While its 100% true you can do so and lots of customer do, issue is that to tie different auth method to different group, according to TAC is not possible, unlike you can do on Fortigate firewall, does not work same on CP.

They advised me about a year ago that this was something R&D was looking into, they even sent me an official email they got from esc team (see below)

Andy

 

CP actual response (January 2023)

 

Hello Andy, After consulting with escalations, assigning specific users to desired authentication method in Check Point Multiple Login Options is not a supported feature yet, and there is already an existing RFE submitted for that. However, you can configure only RADIUS authentication, and have the RADIUS server determine who gets MFA or who does not, meaning configure the MFA on the RADIUS server/Using DUO or some other MFA services on the account itself instead of having the gateway to do the MFA

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events