Kryten
Collaborator

Multiple authentication methods for different user groups?

Hi all!

 

I am trying to set up remote access MFA for a customer and have stumbled upon a problem:

I thought that it would be possible to set up multiple authentication methods and then configure which users or groups should use which method. For local users (created on the gateways) this seems to be no problem, but I cannot figure out how to do it for AD users as well. I have reached a point where it seems that it is just not possible, but then found an older post that states how it could be done:

https://community.checkpoint.com/t5/Remote-Access-VPN/VPN-Remote-access-multiple-authentication/td-p...

 

Can someone here tell me if this works and does what I need?

I do not really understand how to configure these Account Units or branches within... Would it be possible to set up those for the same domain but different groups?

 

0 Kudos
21 Replies
PhoneBoy
Admin

You can create multiple groups for the same LDAP AU: https://support.checkpoint.com/results/sk/sk163477 

Kryten
Collaborator

Thank you! I think I understand now how I would create the units and groups.

Sadly I still do not understand how I could use them to change the required authentication method for some users or AD groups.

Would it be sufficient to create a new AU unit with a branch matching an AD-group and then adding that to the multiple login option setting mentioned in the link I posted?

0 Kudos
Kryten
Collaborator

I stumbled upon sk114882 and that might do the trick as well. I could not test it now though, but I know of a customer of mine who uses this to give different routing to users from different AD groups.

Luckily, in my case it turned out that we can use the RADIUS server to make that decision for us. Now we still face the problem that the local users also see the other authentication options in their client, which makes no sense, as they only ever use "Username+Password". So now I am searching for a way to enforce this for local users (TAC case opened about that).

0 Kudos
the_rock
MVP Gold

Not sure if that sk is relevant, but back when I had TAC case, that was in 2021, so sk was not even written : - )

If it works, great, let us know.

Andy

0 Kudos
the_rock
MVP Gold

This was TAC response to me in the case from January 6th, 2022 and from what I heard, this is still not possible (sigh...disappointing)

Andy

 

***************************************************

 

Hello Andy, After consulting with escalations, assigning specific users to desired authentication method in Check Point Multiple Login Options is not a supported feature yet, and there is already an existing RFE submitted for that. However, you can configure only RADIUS authentication, and have the RADIUS server determine who gets MFA or who does not, meaning configure the MFA on the RADIUS server/Using DUO or some other MFA services on the account itself instead of having the gateway to do the MFA. 

0 Kudos
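The TAC answer quoted above describes the only supported pattern in this thread: the gateway uses RADIUS alone, and the RADIUS server decides per user whether to demand a second factor. The following is an added example (not code from the thread, Check Point, or any RADIUS product) of that decision point on the RADIUS side, written in Python against RFC 2865 packet format. The shared secret, the user-to-group map standing in for an LDAP group lookup, the password table and the sample Access-Request are all constructed for this example; a real deployment would also have to process the follow-up Access-Request that carries the State attribute and the one-time code, which this example deliberately stops short of.

```python
"""
Toy RADIUS policy: the RADIUS server, not the VPN gateway, decides who must
complete a second factor. Users in an MFA group get an Access-Challenge,
everyone else with a valid password gets an Access-Accept.
Added example; all secrets, users and groups below are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 2, 18, 24

SHARED_SECRET = b"example-secret"                 # constructed
MFA_GROUPS = {"vpn-mfa"}                          # groups that must do 2FA (constructed)
USER_GROUPS = {                                   # stand-in for an LDAP group lookup (constructed)
    "alice": {"domain-users", "vpn-mfa"},
    "bob": {"domain-users"},
}
VALID_PASSWORDS = {"alice": b"pw-alice", "bob": b"pw-bob"}  # constructed


def _attrs(pairs):
    """Serialize (type, value) pairs as RADIUS TLV attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def parse_attrs(body):
    """Decode RADIUS TLV attributes; length byte includes the 2-byte header."""
    attrs, i = [], 0
    while i < len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def encode_user_password(pw, req_auth, secret):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out


def decode_user_password(enc, req_auth, secret):
    """Inverse of encode_user_password; the chain key uses the ciphertext block."""
    out, prev = b"", req_auth
    for i in range(0, len(enc), 16):
        block = enc[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_request(ident, username, password, secret):
    """Client side: an Access-Request with a fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    body = _attrs([(ATTR_USER_NAME, username.encode()),
                   (ATTR_USER_PASSWORD, encode_user_password(password, req_auth, secret))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_response(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = _attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(pkt, req_auth, secret):
    """Client side: check the Response Authenticator before trusting the reply."""
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)


def handle_access_request(pkt, secret=SHARED_SECRET):
    """Server side: password check, then the per-group MFA decision."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = pkt[4:20]
    attrs = dict(parse_attrs(pkt[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), req_auth, secret)
    expected = VALID_PASSWORDS.get(user)
    if expected is None or not hmac.compare_digest(expected, pw):
        return build_response(ACCESS_REJECT, ident, req_auth, [], secret)
    if USER_GROUPS.get(user, set()) & MFA_GROUPS:
        # Group member: demand the second factor. State lets the server tie the
        # next Access-Request (with the OTP) back to this challenge.
        return build_response(ACCESS_CHALLENGE, ident, req_auth,
                              [(ATTR_REPLY_MESSAGE, b"Enter your one-time code"),
                               (ATTR_STATE, b"mfa-pending")], secret)
    return build_response(ACCESS_ACCEPT, ident, req_auth, [], secret)


def response_code(pkt):
    return pkt[0]


if __name__ == "__main__":
    for name, pw in (("alice", b"pw-alice"), ("bob", b"pw-bob"), ("bob", b"wrong")):
        req = build_request(1, name, pw, SHARED_SECRET)
        resp = handle_access_request(req)
        print(name, response_code(resp), verify_response(resp, req[4:20], SHARED_SECRET))
```

The gateway never learns why one user was challenged and another was not; it only sees Access-Challenge versus Access-Accept, which is exactly why this works without any per-group setting in Multiple Login Options. Note that the User-Password hiding and the Response Authenticator are MD5-based by specification, so RADIUS over the network should still be confined to a trusted path or wrapped in RadSec.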
Kryten
Collaborator

Ouch, that is indeed disappointing.

The solution suggested in that answer would also be my preferred way of doing this, but in this case it's just not possible, as the RADIUS service is part of a licensed product for the second factor (SMS), and there are not yet enough licenses for all users who use VPN.

0 Kudos
the_rock
MVP Gold

You are welcome to ask them, just to be sure.

Andy

0 Kudos
Spider_Solution
Explorer

Hi the_rock,

is it still not possible? or there's some progress on it?

I have a customer who wants the same thing.

Enable MFA authentication on the captive portal for a specific user group; I mean to have both LDAP and MFA in parallel for authentication.

thank you!

 

 

0 Kudos
the_rock
MVP Gold

Nothing changed, that I heard of. This is something customers ask about CONSTANTLY. I wish it was as easy as with Fortinet, where you can do this, as well as VPN geo blocking, directly from the web UI with just a few clicks, super easy.

Andy

0 Kudos
George_Sas
Contributor

Anyone with any news on this?
I want my internal users to connect with username/password + Microsoft Authenticator and external consultants to connect using username/password + 2FA sent by e-mail.

I can't find anything that could help me in this situation.
Running 81.20.

 

0 Kudos
Duane_Toler
MVP Silver

Your use case likely will be better-handled with the SAML connector to Entra ID and conditional access policies.  You will need to do the varying MFA logic there rather than at the gateway.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
George_Sas
Contributor

My MFA is set up with RADIUS and not with Azure. I do not want to go the Azure way! It should be a simple task for CP to allow the authentication method based on group membership or some other AD attribute. We used a custom attribute for DynamicID to send the SMS when we used SMS authentication.

Hmmm, now I got an idea... Just need to see if the SMS gateway is able to send mail if in the custom attribute I have an e-mail instead of a phone number 🙂 but then again this would mean my internal users would be able to do this... must rethink.

(1)
the_rock
MVP Gold

Yea, be careful with that approach.

Andy

0 Kudos
George_Sas
Contributor

Yes, I know... therefore I am reluctant.
I was thinking of a dirty workaround:
Configure 3 types of authentication:

  1. Username + Pass and SMS - for very few users that might not have access to Authenticator.
  2. Username + Pass and Authenticator
  3. Username + Pass + E-mail (and block mails from Check Point to internal users, only allowing them for a defined user group)

This I think is doable...



the_rock
MVP Gold

💯 that's doable, BUT, not for different groups : - (

0 Kudos
George_Sas
Contributor

Well, when I was thinking "group", I was thinking of the group of people... How I would configure this in Exchange would be by tagging the "group" with some "SpecialAttribute" in AD and having Exchange check that address field: if found, allow the mail; if not found, block it or discard it.
I think it's at least a start until Check Point implements a feature that will allow us to do this based on AD groups or tags, or some kind of easy trick to do it in the gateway/cluster.

the_rock
MVP Gold

I would say, to me at least, logically, that makes sense.

Andy

0 Kudos
George_Sas
Contributor

Not everyone is an Azure fanboy 🙂 that's why I don't wanna go the Azure way... and I like complicated and unsolvable things 🙂
I will also ask TAC to implement such a feature, as I can see we are not the only ones facing this issue.

0 Kudos
the_rock
MVP Gold

I get it : -)

0 Kudos
the_rock
MVP Gold

Back in 2023, when I had a TAC case that went all the way to the escalation team, I sent them the below screenshot from my Fortinet lab to indicate the feature the customer was looking for, but that's when they told me this was not possible with CP. 2.5 years later, it's disappointing it's still not possible...

Andy

0 Kudos
the_rock
MVP Gold

Hey George,

Last time I asked TAC about this, 6 months ago, they did not have any news. A little disappointing this is not possible with CP... oh well, what can you do.

Andy
