Fastforza
Explorer

Issues connecting to Check Point Mobile for Windows with Microsoft Authenticator SAML MFA

Greetings everyone,

This is my first time trying to configure and use Check Point Mobile for Windows, more so with SAML MFA.

We have a Hybrid AD environment, on-prem AD synced with Azure AD.

I followed the step-by-step configuration of the Azure AD and Check Point gateways in the following links:

https://www.youtube.com/watch?v=yZVB3sJ3fZ8&t=807s and

Solved: How to force MFA with Microsoft Authenticator toke... - Check Point CheckMates 

After doing the proper configuration from the above links, I tried to connect to my Check Point with Check Point Mobile, but I kept getting the same error, which is the one in the attached screenshot listed as "VPN error":

I scavenged the internet for the errors "Connection Failed: Could not agree on common methods" and "Check that the user is properly defined", but I didn't find any significant help to resolve these errors.

Another strange thing is, I'm not getting any pop-up for username and password, let alone the MFA. I'm also not seeing ANY logs on the Check Point gateways showing that I've even tried to make a VPN connection.

I've been troubleshooting for two whole days, changing all sorts of things in Azure AD and on the Check Point gateways, but to no avail: the error stays the same every time, and there are no logs on the Check Point gateways to help me with anything at all.

I'm willing to provide more information about my configuration if it's needed to help solve this issue!

Thank you very much in advance.

Regards

Ilija

13 Replies
PhoneBoy
Admin

The actual documentation for the feature is here: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

Your error suggests generic* isn’t defined correctly (Step 3 in the linked doc)

Fastforza
Explorer

Greetings @PhoneBoy ,

Sorry for the late reply.

I followed the instructions via the YouTube link and the post on CheckMates; I'm pretty sure everything is configured properly on that part. The user generic* already existed in my configuration; I just double-checked that everything is configured properly.

Screenshots of the generic* user configuration are attached.

I've also configured the part in the Identity Provider, in "Multiple Login Options" then "User Directories": I've checked Manual Configuration and ticked "External user profiles". I've attached a screenshot of that too.

I did the same steps as in the YouTube video guide and the CheckMates link, and it looks like they have it working, while for me I get the error listed above, with no solution anywhere.

Regards

PhoneBoy
Admin

Did you try the steps in this SK? https://support.checkpoint.com/results/sk/sk170515 

Fastforza
Explorer

Hi @PhoneBoy ,

I came across this SK and checked my configuration in Global Properties -> Remote Access -> VPN Authentication -> Encryption Algorithms. My configuration is attached; I'm currently using DH group 14. I've also tried DH group 2, but to no avail; I got the same error.

Regards

PhoneBoy
Admin

The VPN client itself should provide some logs.
Any clues there? 
Also, since it was not stated, what version/JHF is the gateway and management?

Fastforza
Explorer

I've found where the logs are, but unfortunately I couldn't find any useful information, for me at least, since it's my first time ever configuring and using Check Point Mobile VPN. If you want, I can upload the logs so they can be looked at.

Also, the version/JHF of the management and gateway is R81.20 JHF 99.

Regards

PhoneBoy
Admin

What client version specifically?
And yes, logs would help.

Fastforza
Explorer

Hi @PhoneBoy ,

Apologies for the late reply; I've been busy troubleshooting this issue. I've managed to fix it by selecting the following option in Global Properties -> Remote Access -> VPN - Authentication and ticking "Support Legacy Authentication for SC (hybrid mode), L2TP (PAP), and Nokia clients (CRACK)" (screenshot attached).

Now logging in with Microsoft Authenticator works without any issues.

However, now I'm facing a different issue. The firewall rules I've configured according to the guides I've seen and read are not working; to be more specific, the "Source" part isn't working. For some reason, my Check Point FW can't recognize my user as being part of the "IT" group in Entra, which is listed as a Source in the FW rule, and because of this there are no logs on the Check Point FW when I try ping/RDP and so on.

I've tried various approaches using an Access Role as a Source (as I've seen in the guides). I've tried the following:

- Access Role with specific users - IT group from Entra

- Access Role with specific users - IT group from local AD

- Access Role with specific users - IT group as an Internal User Group object in Check Point FW

- Access Role with specific users - IT group as an LDAP group

In none of these scenarios do the FW rules work. I did a test using "Any" as a source, and the FW rules started working, which means something is wrong with the configuration. If you have any ideas how to define the Access Role, please share them.

Regards

PhoneBoy
Admin

Entra ID groups have to be defined locally in order for them to be identified and used in the Access Policy.
More specifically, either Identity Tags or local user groups must be defined with the name EXT_ID_EntraIDRole (replace EntraIDRole with the role name exactly as capitalized in Azure).


Fastforza
Explorer

Hi @PhoneBoy,

I didn't want to be too detailed in my previous post, but I think I've already done and tried what you're suggesting.

I have a FW rule configured (Firewall Rule attachment).

The object in Entra is called Informatika (screenshot in attach).

I have an Access Role defined with the name "Informatika_AD" as the source, and inside the Access Role, in Users, I've tested this rule and object with an Internal User Group called EXT_ID_Informatika (screenshot attached) and an Identity Tag of the Informatika group in Entra (screenshots attached; you can verify the Object ID starts the same in the Entra screenshot and in the Access Role Identity Tag screenshot).

I'm getting 0 hits on this rule at the moment every time I connect with Check Point Mobile (version E88.63, build 986105843), with the various methods I've described above and what you've suggested. Perhaps I'm still doing something wrong?

Regards

PhoneBoy
Admin

I will admit to not being an expert on EntraID, but you might want to make sure the relevant groups are being sent as part of the SAML Assertion sent to the gateway.
Possibly something like the following: https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=appui 

Otherwise, this is probably going to require TAC assistance to understand what's going on.

Fastforza
Explorer

I opened a TAC case, but I was denied by TAC because they are not willing to assist with new solutions.

Could it be an issue that my on-prem AD group, which is synced to Entra, is a Security Group? I just tested and made a Microsoft 365 group directly in Entra and configured it in the Access Role, but I still have 0 hits on my FW rule.

I'm honestly lost; I've tried over 100 different configurations, but I just can't seem to hit the right one.
PhoneBoy
Admin

In order for us to see the EntraID groups, they must be sent to us via the SAML Assertion that is sent after the user is authenticated.
Have you confirmed they are being sent correctly?

A couple things to investigate here:

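One way to do the check PhoneBoy asks for in his last two replies above (are the Entra groups actually present in the SAML assertion the gateway receives, and does each asserted value line up, character for character, with an EXT_ID_ Identity Tag or user group on the gateway): this is an added example in Python, not code from the thread or from Check Point. It assumes the claim names Entra ID uses for groups in SAML tokens (the groups claim, and the "overage" marker that replaces the list when a user is in more groups than the token carries), both taken from Microsoft's group-claims documentation, and it assumes, from PhoneBoy's replies, that the local object name must be EXT_ID_ followed by the asserted value exactly as Entra capitalises it. The sample response below is constructed for the example, not captured from any tenant. Whether Entra emits a group's display name or its object ID depends on the enterprise application's group-claim settings, so the script reports which form it sees rather than assuming one.

```python
"""Inspect a SAML Response and report the group values it carries, the
EXT_ID_<value> object each one would need on the gateway, and whether the
objects actually configured match exactly.  Added example; not Check Point code."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Claim names Entra ID uses in SAML tokens (assumed here from Microsoft's
# group-claims documentation): the group list, and the overage marker that
# replaces it when the user belongs to more groups than the token carries.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Constructed sample assertion (not captured from any real tenant).  One group
# value is a display name and one is an object ID, which is what you get
# depending on how the enterprise app's group claim is configured.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>ilija@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>Informatika</saml:AttributeValue>
        <saml:AttributeValue>7d2c8a1e-4b6f-4e0a-9c3d-1a2b3c4d5e6f</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(blob: str) -> str:
    """Accept either raw XML or the base64 SAMLResponse form-POST value."""
    blob = blob.strip()
    if blob.startswith("<"):
        return blob
    return base64.b64decode(blob).decode("utf-8")


def inspect_assertion(blob: str) -> dict:
    """Return the NameID, every asserted group value, the EXT_ID_ object name
    each value would need on the gateway, and a list of findings."""
    root = ET.fromstring(decode_saml_response(blob))
    name_id = root.findtext(".//saml:Subject/saml:NameID", default=None, namespaces=NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    groups = attrs.get(GROUPS_CLAIM, [])
    findings = []
    if name_id is None:
        findings.append("no NameID: the gateway has nothing to identify the user by")
    if GROUPS_OVERAGE_CLAIM in attrs:
        findings.append("groups overage claim present: the group list was omitted; "
                        "limit the groups the app emits")
    if not groups:
        findings.append("no groups claim: an Access Role built on an Entra group can never match")
    expected = [
        {"value": g,
         "kind": "object ID" if GUID_RE.match(g) else "display name",
         "object_name": "EXT_ID_" + g}       # naming rule from the thread, assumed here
        for g in groups
    ]
    return {"name_id": name_id, "groups": groups, "expected_objects": expected, "findings": findings}


def check_local_objects(expected: list, configured_names: list) -> dict:
    """Compare the object names the assertion calls for with the ones that exist
    on the gateway.  Exact-case comparison, since the name must match the value
    as capitalised in Entra; a case-only difference is reported separately."""
    by_lower = {n.lower(): n for n in configured_names}
    result = {"matched": [], "case_mismatch": [], "missing": []}
    for e in expected:
        want = e["object_name"]
        if want in configured_names:
            result["matched"].append(want)
        elif want.lower() in by_lower:
            result["case_mismatch"].append((want, by_lower[want.lower()]))
        else:
            result["missing"].append(want)
    return result


if __name__ == "__main__":
    info = inspect_assertion(SAMPLE_RESPONSE)
    for e in info["expected_objects"]:
        print(f"{e['kind']:12} {e['value']:40} -> needs object {e['object_name']}")
    for f in info["findings"]:
        print("finding:", f)
    # Hypothetical gateway configuration with the wrong capitalisation.
    print(check_local_objects(info["expected_objects"], ["EXT_ID_informatika"]))
```

Feed `inspect_assertion()` the SAMLResponse value from the browser's POST back to the gateway (raw XML or the base64 form field both work), then pass the result together with the Identity Tag and user group names you actually created to `check_local_objects()`. An entry under `case_mismatch` or `missing`, or a "no groups claim" finding, produces exactly the symptom the thread describes: the rule simply never matches and there is nothing in the logs to say why.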
