Heath_Mote
Collaborator

Is there a setting to turn off the VPN credential caching

We are moving from Cisco to Check Point and are testing out the remote access VPN. We have a setup using an LDAP connection with Duo for 2FA. We are experiencing the gateway authenticating fully through LDAP/Duo only on the initial connection. If we then disconnect and connect again, the mobile VPN seems like it's using cached credentials and only using the user/pass, but still not hitting the LDAP server.

Is there a setting we can set in the management (R77.30) or GuiDbEdit that will require the gateway to re-authenticate and not use cached credentials on the endpoint?

7 Replies
PhoneBoy
Admin

Heath_Mote
Collaborator

Thanks for the quick response and sorry for the slow reply...

I should not have said endpoint, since that is a CP product. I meant the CP VPN client in general. Although we are going to be deploying Endpoint Security in the future, we are currently dealing with connecting to an embedded Gaia device via the CP mobile VPN client for Windows. Are there settings on the gateway or management, through policy or DB edits, where we can disable the credential caching?

When testing, I log in using my credentials, which includes using Duo for 2FA. The Duo 2FA should not be an issue, since it's a proxy between the CP gateway and the LDAP server. The CP gateway sends the LDAP request to the Duo proxy, which then forwards that request to the LDAP server. Once the Duo proxy receives the successful LDAP response, it will hold that response and reach out to the Duo service for the 2FA push. Once it receives the successful 2FA authentication for the user, it will release the successful LDAP auth response to the CP gateway.

I wanted to give a quick overview of the LDAP/2FA flow beforehand because we only get the Duo 2FA on the initial connection. After that initial connection, the CP VPN authenticates without ever hitting the Duo proxy. Since we do not get that Duo 2FA prompt, I know it's using cached credentials.

2FA is a requirement, so we have to find a way to stop this CP VPN from caching the credentials with something other than an Endpoint Security setting.

Any ideas?

PhoneBoy
Admin

There are a couple of Global Properties that may be relevant here.

First it looks like there is an "Allow caching of static passwords on client" property here:

There also appears to be an "Enable password caching" option on this screen:

Obviously, if these settings are different from what's shown, a policy push will be required for all gateways.

If you have these settings as shown and it's still not working, I recommend opening a ticket with the TAC.

Steve_Spohn
Participant

Heath,

Can you confirm whether this fixed the problem for you? I'm having very similar issues with trying to implement Duo via an LDAP proxy. The initial login generates a 2FA challenge; subsequent logins don't. On top of it all, after some time goes by (hard to pin down exactly how long; could be minutes, could be hours), even primary authentication stops working. If I look in the logs of the Duo proxy, there aren't even attempts being logged, which makes it look like Check Point just isn't sending the requests in. Some users (again, seemingly at random) continue to work while others fail. The ones that work all show up in the Duo logs. For the ones that don't, there isn't even an attempt logged in Duo. The Duo proxy is the only server in my LDAP account unit within Check Point, so the requests shouldn't be getting forwarded anywhere else.

Thanks!

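Both posts above hinge on the same question: is a bind actually reaching the Duo proxy's LDAP listener, or is the client/gateway short-circuiting it? One way to separate the two is to bind against the proxy directly from a test host, bypassing the gateway entirely: if the push arrives and a success comes back, the proxy path works and the problem is upstream (client-side caching or the gateway not forwarding); if the proxy never logs the attempt even for this direct bind, the proxy itself is at fault. The following is an added example written for this page, not code from the thread, from Check Point or from Duo. It builds a raw LDAPv3 simple-bind request (RFC 4511 BER framing) with only the standard library so it runs anywhere, and assumes a plain-LDAP listener on port 389 (the Duo proxy's `[ldap_server_auto]` section); the host name, bind DN and password are placeholders, and the two captured responses at the bottom are constructed, not recorded from a real proxy.

```python
"""Minimal LDAPv3 simple-bind probe for testing a 2FA LDAP proxy path.

Added example, not from the thread or from Check Point/Duo. Host, DN and
password values are placeholders. Plain LDAP on 389 is assumed; for LDAPS
wrap the socket with ssl.SSLContext().wrap_socket() before sending.
"""
import socket


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def build_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] {
         version 3, name LDAPDN, authentication simple [0] } }"""
    bind_request = _tlv(
        0x60,                                        # [APPLICATION 0] constructed
        _tlv(0x02, b"\x03")                          # version INTEGER 3
        + _tlv(0x04, bind_dn.encode("utf-8"))        # name OCTET STRING
        + _tlv(0x80, password.encode("utf-8")),      # simple [0] OCTET STRING
    )
    # message_id is assumed to fit in one byte here (ids under 128)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_request)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV) for the TLV at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start = pos + header
    return tag, buf[start:start + length], start + length


def parse_bind_response(data: bytes) -> dict:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] {
         resultCode ENUMERATED, matchedDN, diagnosticMessage } }"""
    tag, message, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = _read_tlv(message, 0)
    tag, body, _ = _read_tlv(message, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(body, 0)
    _, matched_dn, pos = _read_tlv(body, pos)
    _, diagnostic, _ = _read_tlv(body, pos)
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": int.from_bytes(code, "big"),   # 0 success, 49 invalidCredentials
        "matched_dn": matched_dn.decode("utf-8", "replace"),
        "diagnostic": diagnostic.decode("utf-8", "replace"),
    }


def probe_bind(host: str, port: int, bind_dn: str, password: str, timeout: float = 60.0) -> dict:
    """Send one simple bind and return the parsed BindResponse.

    The long timeout is deliberate: a proxy that is waiting for the push
    holds the response, so a bind that hangs for a while and then returns 0
    is the expected good case. An immediate 49 means the password or the
    second factor was rejected; a connection error means nothing reached the
    listener, which is the symptom to take to the proxy's own logs.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, bind_dn, password))
        data = sock.recv(4096)         # a BindResponse is a few dozen bytes
    return parse_bind_response(data)


# Constructed responses (not captured from a real proxy) for offline checks.
SAMPLE_SUCCESS = bytes.fromhex("300c020101" "6107" "0a0100" "0400" "0400")
SAMPLE_DENIED = bytes.fromhex("3012020101" "610d" "0a0131" "0400" "040664656e696564")

if __name__ == "__main__":
    print(parse_bind_response(SAMPLE_SUCCESS))
    print(parse_bind_response(SAMPLE_DENIED))
    # Live probe (placeholder host/DN/password; uncomment on a test host):
    # print(probe_bind("duo-proxy.example.com", 389, "cn=alice,dc=example,dc=com", "password"))
```

The same probe can be run with `ldapsearch -x -H ldap://<proxy-host>:389 -D '<bind dn>' -W -b '' -s base` if a Python interpreter is inconvenient; the point is that the bind originates from a host that is not the gateway, so a push that does or does not arrive tells you which side to investigate. Run it twice in a row: a proxy never caches, so if the second direct bind also triggers a push while the second VPN connect does not, the caching is on the client or gateway side.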
Heath_Mote
Collaborator

After hashing things out, it turns out that Duo was having issues with the LDAP pass-through. We swapped to using NPS/RADIUS and Duo works. The support guy from Duo said multiple people have had issues with LDAP and the Duo proxy. Not sure if that is fixed, but we don't use LDAP with the Duo proxy anymore and it's working great.

Steve_Spohn
Participant

Thanks for the fast reply! I have an open case now with CP support to try to figure out getting LDAP working, but I was starting to wonder if I should just fall back to RADIUS. Sounds like that's definitely a viable option.

One of my concerns with changing to RADIUS was losing the ability to use AD group membership for defining access in the Mobile Access policy. Are you still able to do that with RADIUS authentication?

Heath_Mote
Collaborator

Not via passing back the class attribute from NPS/RADIUS; even though the documentation says you can do that, we've tried and it does not work. Our basic setup is that we use RADIUS for 2FA, and NPS is set up to verify that the user is in the appropriate AD group. This allows the VPN to connect, and then we use Identity Awareness for access via roles. We are still working out the kinks, to be honest, and this is still in testing. We should be moving into production at the end of this year, as we are migrating off a Cisco AnyConnect solution that works like advertised. We have had many headaches with CP Mobile Access VPN, but I think that is because we are so used to using Cisco AnyConnect and there are a lot of differences in the way the two function that we are still wrapping our heads around. Hopefully this helps!
