Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Mobile VPN for Windows Multiple Authentication options

Currently we have the Checkpoint Mobile for windows deployed, utilizing username+password with LDAP for login.

I'm wanting to implement 2FA, but with a staggered approach (start out with a small set of users).

I know that multiple authentication options are possible as per sk111583, however i'm a bit confused on the implementation.

Based on AD memberships I want one set of users to be on LDAP, and another set to be utilizing RADIUS (which will accept ldap credential, then go off to our 2FA server and do a push notification/PIN to cell, likely using DUO). I'm not sure if I can force the users into certain authentication types based off of LDAP roles, or if the options are presented on the client.

 

Any information on implementing this will be helpful

0 Kudos
14 Replies
Highlighted
Admin
Admin

What 2FA means in the context of sk111583 is that a user requires two different authentication mechanisms called directly by the Check Point gateway (e.g. Certificate + Password).
What you're describing is still effectively single factor from our perspective.
I believe you can create two different LDAP groups with the appropriate query to separate the LDAP only authentication versus the RADIUS authentication.
0 Kudos
Highlighted

I see your point on how the gateway would still see this as single auth.

 

I've created the additonal LDAP group already, however i'm not able to get those users to authenticate against radius instead of AD. As they are signing in wouldn't the checkpoint need to do its first authentication to determine what memberships the account has?

I'm finally getting the resources to set up a virtual lab, so I can trial a few setups without breaking prod.

 

If i enable multiple login options, as per sk111583, can I enable RADIUS and LDAP for the endpoint client so that the users  can choose which authentication method is used?

0 Kudos
Highlighted
Admin
Admin

If you enable multiple login options, it means two authentication methods can be used in serial (one after the other), not in parallel (either X or Y).
However, I think you can do what you need with an External User Profile, as described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
These objects cannot be created in R80.x SmartConsole, but can be created via the legacy SmartDashboard as described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
This should allow RADIUS users to specify they are using RADIUS to authenticate.

0 Kudos
Highlighted

Thanks for clearing the order up, I had thought it would be in parallel.

I was following the SKs you linked, however i'm not able to see the group tab, where I could add the user to a radius group.

2019-06-25_14h59_20.png

My understanding from the articles is that once I have this configured, I can log in with the name 'example@domain', and it will go against its defined authentication. Where would I put this new object, in the source of a policy rule?

 

Thank you

0 Kudos
Highlighted
Admin
Admin

This object is basically like a group and is used in the Access Policy similar to that.
You specify the authentication as RADIUS in the Authentication tab.
0 Kudos
Highlighted

It doesn't look like I can use the external user profile in the unified access policy, I can't find it as a valid source.

0 Kudos
Highlighted
Admin
Admin

@Royi_Priov are we missing something here?

0 Kudos
Highlighted
Employee
Employee

Hi David,

Rolling back a bit.

We do not have an option to configure an authentication realms for users based on their LDAP membership.

What @PhoneBoy meant regarding the serial part of the authentication is for the authentication factors within the authentication realms.

However, the realms themselves are independent, the user can choose which realm he would like to use in order to authenticate.

Does that satisfy your requirement? 

 

Thanks,

Netanel Cohen

Software Developer, Checkpoint

0 Kudos
Highlighted

Hi Netanel,

 

Sorry for the late reply, I was away for a long Canada Day weekend.

I think I understand. It looks like I can choose which authentication option here:

2019-07-03_10h34_44.png

 

would I just add additional login options here? How would I define which is the default?

2019-07-03_10h36_09.png

 

 

 

0 Kudos
Highlighted
Admin
Admin

Yes, and I think it's done by order.
0 Kudos
Highlighted

That ended up working for me, however there was one small problem.

 

I found that when I added two authentication options, all my clients on their next connections received a prompt to select an authentication option. If you close the prompt, you will not connect. If you select the 'choose authentication method' link in the prompt, Default is already selected, and they can close the window and connect. I don't get why they have to open and close the authentication methods for the default to be used. It's a minor problem, but when it impacts hundreds of users you get complaints.

 

 

0 Kudos
Highlighted
Participant

Hello Netanel,

Could you help me about this.

For RA vpn can I use in multiple authentication 2 mandatory option LDAP user name and pass and at the same time certificate that will be generated on ldap local radius server and what are steps to implement this? 

0 Kudos
Highlighted
Employee
Employee

Hi,

If I understood your request right your are willing to have an authentication realm which has 1 factor as user\pass and the other as certificate and you would like that only LDAP user will be able to connect using this realm.
Yes this is possible, we have a limitation which Certificate needs always to be the 1st factor.

You need to configure the CA which issued the certificate as a trusted CA in your environment(as always when working with external CA) and limit the user directory to the relevant LDAP object:


Capture.PNG

Highlighted
Participant

Thank you Cohen 

That is what I asked.

Also because we have R80.40 I found new option for machine authentication so I think its better solution.

0 Kudos