Hi all!
I am trying to set up remote access MFA for a customer and have stumbled upon a problem:
I thought that it would be possible to set up multiple authentication methods and then configure which users or groups should use which method. For local users (created on the gateways) this seems to be no problem, but I cannot figure out how to do it for AD users also. I have reached a point where it seems that it is just not possible, but then found an older post that states how it could be done:
Can someone here tell me if this works and does what I need?
I do not really understand how to configure these Accounting units or branches within...would it be possible to set up those for the same domain but different groups?
You can create multiple groups for the same LDAP AU: https://support.checkpoint.com/results/sk/sk163477
Thank you! I think I understand now how I would create the units and groups.
Sadly I still do not understand how I could use them to change the required authentication method for some users or AD groups.
Would it be sufficient to create a new AU unit with a branch matching an AD-group and then adding that to the multiple login option setting mentioned in the link I posted?
I stumbled upon sk114882 and that might do the trick as well. I could not test it now though, but know of a customer of mine, who uses this to give different routing to users from different AD groups.
Luckily in my case, it turned out that we can use the RADIUS to make that decision for us. Now we still face the problem that the local users also see the other Authentication Options in their Client, which makes no sense, as they only ever use "Username+Password". So now I search for a way to enforce this for local users (TAC case opened about that).
Not sure if that sk is relevant, but back when I had a TAC case, that was in 2021, so the sk was not even written : - )
If it works, great, let us know.
Andy
This was the TAC response to me in the case from January 6th, 2022, and from what I heard, this is still not possible (sigh...disappointing)
Andy
***************************************************
Hello Andy,
After consulting with escalations, assigning specific users to a desired authentication method in Check Point Multiple Login Options is not a supported feature yet, and there is already an existing RFE submitted for that. However, you can configure only RADIUS authentication, and have the RADIUS server determine who gets MFA or who does not, meaning configure the MFA on the RADIUS server/using DUO or some other MFA service on the account itself instead of having the gateway do the MFA.
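The approach TAC describes above (gateway speaks only RADIUS; the RADIUS server decides per user whether a second factor is required) can be illustrated with a toy RADIUS policy. This is an added example, not Check Point, TAC or any vendor's code; the directory, group names and one-time codes are constructed, and a real server would look users up in LDAP and deliver the code via push, SMS or TOTP.

```python
import secrets
from dataclasses import dataclass, field

# RADIUS packet codes from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

# Constructed directory: user -> (password, AD group memberships).
DIRECTORY = {
    "alice": ("alice-pw", {"Domain Users", "VPN-Internal"}),
    "bob":   ("bob-pw",   {"Domain Users", "VPN-Consultants"}),
}
# Constructed policy: members of these groups must complete a second factor.
MFA_GROUPS = {"VPN-Internal"}
# Pending challenges: State attribute -> expected one-time code.
OTP_STORE = {}


@dataclass
class Packet:
    code: int
    attrs: dict = field(default_factory=dict)


def handle(req):
    """Return the RADIUS reply the server would send for one Access-Request.

    Second leg of a challenge: the client echoes our State attribute and puts
    the user's one-time code in User-Password (RFC 2865 section 2.1).
    """
    state = req.attrs.get("State")
    if state in OTP_STORE:
        ok = req.attrs.get("User-Password") == OTP_STORE.pop(state)
        return Packet(ACCESS_ACCEPT if ok else ACCESS_REJECT)

    # First leg: verify the primary credential.
    entry = DIRECTORY.get(req.attrs.get("User-Name"))
    if entry is None or req.attrs.get("User-Password") != entry[0]:
        return Packet(ACCESS_REJECT)
    password, groups = entry

    # Policy decision lives here, not on the gateway: MFA only for some groups.
    if groups & MFA_GROUPS:
        state = secrets.token_hex(8)            # unguessable challenge handle
        OTP_STORE[state] = f"{secrets.randbelow(10**6):06d}"  # constructed OTP
        return Packet(ACCESS_CHALLENGE,
                      {"State": state, "Reply-Message": "Enter one-time code"})
    return Packet(ACCESS_ACCEPT)
```

From the gateway's point of view both users authenticate with the single "RADIUS" method; only the server's reply differs.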
Ouch, that is indeed disappointing.
The solution suggested in that answer would also be my preferred way of doing this, but in this case it's just not possible, as the RADIUS service is part of a licensed product for the second factor (SMS), and there are not yet enough licenses for all users who use VPN.
You are welcome to ask them, just to be sure.
Andy
Hi the_rock,
Is it still not possible, or has there been some progress on it?
I have a customer who wants the same thing.
Enable MFA authentication on the captive portal for a specific user group; I mean to have both LDAP and MFA in parallel for authentication.
thank you!
Nothing changed, that I heard of. This is something customers ask about CONSTANTLY. I wish it was easy like with Fortinet, where you can do this, as well as do VPN geo blocking directly from the web UI, with just a few clicks, super easy.
Andy
Anyone with any news on this?
I want my internal users to connect with username/password + Microsoft Authenticator and for external consultants to connect using username/password + 2FA sent by e-mail.
I can't find anything that could help me in this situation.
Running 81.20.
Your use case likely will be better-handled with the SAML connector to Entra ID and conditional access policies. You will need to do the varying MFA logic there rather than at the gateway.
My MFA is set up with RADIUS and not with Azure. I do not want to go the Azure way! Should be a simple task for CP to allow authentication method based on group membership or some other AD attribute. We used a custom attribute for DynamicID to send the SMS when we used SMS authentication...
Hmmm, now I got an idea... Just need to see if the SMS gateway is able to send mail if in the custom attribute I have an e-mail instead of a phone number 🙂 but then again this would mean my internal users would be able to do this... must rethink.
Yea, be careful with that approach.
Andy
Yes, I know ... therefore I am reluctant.
I was thinking of a dirty workaround:
Configure 3 types of authentication:
This I think is doable...
💯 that's doable, BUT, not for different groups : - (
Well, when I was thinking group, I was thinking of the group of people... how I would configure this in Exchange would be by tagging the "group" with some "SpecialAttribute" in AD and have Exchange check that address field; if found, allow the mail, if not found... block it or discard it.
I think it's at least a start until Checkpoint will implement a feature that will allow us to do this based on AD groups or tags or some kind of easy trick to do it in the gateway / cluster.
I would say, to me at least, logically, that makes sense.
Andy
Not everyone is an Azure fanboy 🙂 that's why I don't wanna go the Azure way... and I like complicated and unsolvable things 🙂
I will ask TAC also to implement such a feature, as I can see we are not the only ones facing this issue.
I get it : -)
Back in 2023, when I had a TAC case that went all the way to the escalation team, I sent them the below screenshot from my Fortinet lab to indicate the feature the customer was looking for, but that's when they told me this was not possible with CP. 2.5 years later, it's disappointing it's still not possible...
Andy
Hey George,
Last time I asked TAC about this, 6 months ago, they did not have any news. A little disappointing this is not possible with CP...oh well, what can you do.
Andy