Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Karen_Askelson
Contributor
Contributor

Is it possible to use multiple authentication types for SSL VPN?

We currently have a standalone R81 server configured to use SSL VPN and authenticating to internal AD server via LDAP.  We now need to add Azure AD SAML authentication for some of the users.  Is it possible to have both configured and if so, how do we configure which users use which authentication?

Thanks in advance for any assistance!

Karen

0 Kudos
6 Replies
PhoneBoy
Admin
Admin

When you say SSL VPN, are you referring to Mobile Access Blade, SNX, Check Point Mobile, or?

0 Kudos
Karen_Askelson
Contributor
Contributor

I'm currently using SNX with Identity Awareness for internal AD authentication.  I can use SNX or Mobile Access Blade for the Azure SAML authentication.

Thanks,

Karen

0 Kudos
Karen_Askelson
Contributor
Contributor

I ended up configuring the Mobile Access Blade with SNX.  I configured multiple logins (Standard, LDAP & SAML) and configured SNX on the mobile access blade to network mode only and configured office mode.  Now when I go to the SNX web page, it gives me the different login options and I choose Standard to log in with a local Check Point user and login successfully, but it goes to the application main page.  It never assigns an office mode IP or updates the routes on the client.  What am I missing?  I would like it to work like it did when configured under IPSec VPN.

0 Kudos
the_rock
Legend
Legend

Last time I asked this question in TAC case, they told me it was not possible. This was January of this year. I doubt it had changed since, but you can certainly open a case and ask.

Regards,

Andy

0 Kudos
Alex-
Leader Leader
Leader

I believe you can just add SAML with a Mobile Access Identity provider and add it in the Multiple Login Options in the Mobile Access blade configuration.

If you keep the current AD scheme, users will get a drop-down list at login screen where there can switch between username/password and SAML.

0 Kudos
the_rock
Legend
Legend

Correct...BUT, here is the problem. While its 100% true you can do so and lots of customer do, issue is that to tie different auth method to different group, according to TAC is not possible, unlike you can do on Fortigate firewall, does not work same on CP.

They advised me about a year ago that this was something R&D was looking into, they even sent me an official email they got from esc team (see below)

Andy

 

CP actual response (January 2023)

 

Hello Andy, After consulting with escalations, assigning specific users to desired authentication method in Check Point Multiple Login Options is not a supported feature yet, and there is already an existing RFE submitted for that. However, you can configure only RADIUS authentication, and have the RADIUS server determine who gets MFA or who does not, meaning configure the MFA on the RADIUS server/Using DUO or some other MFA services on the account itself instead of having the gateway to do the MFA

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events