This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
orion_son30
Contributor
‎2022-02-11 06:21 AM
Jump to solution

MFA for some VPN users

Hi,

We've enabled MFA with SMS provider in the Remote Access VPN of one of our end customers. Everything is working fine, but our customer wants to know if it is possible to disable the MFA for a particular User or a particular Group of Users.

Our users are internal on the Check Point Gateways, so we don't have an Active Directory server to validate the users credentials. We have the MFA configured with Username and Password + SMS Provider for all the internal users. We would like to have a particular user (Failsafe user, if the SMS Provider fails) without MFA. Is it possible?

Thanks in advance for your help.

Regards

0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend
Legend
‎2022-02-12 04:32 AM
In response to orion_son30
Jump to solution

Correct, Im pretty sure you cannot do that, unless you use one generic auth method, in which case users wont have a choice. There might be some way of doing this by modifying trac.defaults file, but I would confirm with TAC, to be certain.

Andy

View solution in original post

0 Kudos
8 Replies
the_rock
Legend
Legend
‎2022-02-11 08:26 AM
Jump to solution

If you are not using AD to validate users and they are all local, sounds like the only way to do this would be to modify the individual user by modifying auth method once you edit the user in dashboard.

0 Kudos
orion_son30
Contributor
‎2022-02-11 08:43 AM
In response to the_rock
Jump to solution

Hi the_rock,

But how can I differentiate the users that will require MFA on the VPN from users that will not need that with the auth method?

I'm not following when you say that I can achieve this with auth method.

Regards

0 Kudos
the_rock
Legend
Legend
‎2022-02-11 08:57 AM
In response to orion_son30
Jump to solution

No problem, Im simply referring to below when you edit the user in smart console. 

 
 

Screenshot_1.png

 

0 Kudos
orion_son30
Contributor
‎2022-02-11 09:18 AM
In response to the_rock
Jump to solution

Hi @the_rock 

I know the place of the configuration on the Smart Console.

But I think that will still not help me to achieve what the end customer wants. So, let says that we have User_A and User_B, both of them local within the Gateways and with priviledges to login on the Remote Access VPN. Then, I want that the User_A only can connect on the VPN with his credentials (Username and Password) on the Authentication Profile with MFA, but not on the Authentication Profile without MFA. Also, I want that the User_B can connect in both of the Authentication Profiles with or without MFA.

I hope I explained better what we need. And sorry If I was not clear on the first place.

Regards 

0 Kudos
the_rock
Legend
Legend
‎2022-02-11 09:48 AM
In response to orion_son30
Jump to solution

Message me privately, lets do remote session.

0 Kudos
the_rock
Legend
Legend
‎2022-02-11 10:01 AM
In response to orion_son30
Jump to solution

If you are referring to below setting, that has to be changed manually, UNLESS you use just one generic auth method on gateway

Screenshot_1.png

0 Kudos
orion_son30
Contributor
‎2022-02-12 01:43 AM
In response to the_rock
Jump to solution

Hi @the_rock 

 

That is exactly what I'm talking about. So, at the end of the day, the end users will always have the possibility to change that option, because we've two possible options for the authentication (Username/Password only, Username/Password + SMS).

As far as I known, I cannot disable that option in the VPN client of the end users. Also, I cannot avoid centrally that a end user successfully login in both authentication schemes.

Regards   

the_rock
Legend
Legend
‎2022-02-12 04:32 AM
In response to orion_son30
Jump to solution

Correct, Im pretty sure you cannot do that, unless you use one generic auth method, in which case users wont have a choice. There might be some way of doing this by modifying trac.defaults file, but I would confirm with TAC, to be certain.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events