Kryten
Collaborator

Multiple authentication methods for different user groups?

Hi all!


I am trying to set up remote access MFA for a customer and have stumbled upon a problem:

I thought that it would be possible to set up multiple authentication methods and then configure which users or groups should use which method. For local users (created on the gateways) this seems to be no problem, but I cannot figure out how to do it for AD users also. I have reached a point where it seems that it is just not possible, but then found an older Post that states how it could be done:

https://community.checkpoint.com/t5/Remote-Access-VPN/VPN-Remote-access-multiple-authentication/td-p...


Can someone here tell me if this works and does what I need?

I do not really understand how to configure these Accounting units or branches within...would it be possible to set up those for the same domain but different Groups?


0 Kudos
7 Replies
PhoneBoy
Admin

You can create multiple groups for the same LDAP AU: https://support.checkpoint.com/results/sk/sk163477 

0 Kudos
Kryten
Collaborator

Thank you! I think I understand now how I would create the units and groups.

Sadly I still do not understand how I could use them to change the required authentication method for some users or AD groups.

Would it be sufficient to create a new AU unit with a branch matching an AD-group and then adding that to the multiple login option setting mentioned in the link I posted?

0 Kudos
Kryten
Collaborator

I stumbled upon sk114882 and that might do the trick as well. I could not test it now though, but I know of a customer of mine who uses this to give different routing to users from different AD groups.

Luckily in my case, it turned out that we can use the RADIUS to make that decision for us. Now we still face the problem that the local users also see the other Authentication Options in their Client, which makes no sense, as they only ever use "Username+Password". So now I am searching for a way to enforce this for local users (TAC case opened about that).

0 Kudos
the_rock
Legend

Not sure if that sk is relevant, but back when I had a TAC case, that was in 2021, so the sk was not even written : - )

If it works, great, let us know.

Andy

0 Kudos
the_rock
Legend

This was the TAC response to me in the case from January 6th, 2022, and from what I heard, this is still not possible (sigh... disappointing)

Andy


***************************************************


Hello Andy, After consulting with escalations, assigning specific users to a desired authentication method in Check Point Multiple Login Options is not a supported feature yet, and there is already an existing RFE submitted for that. However, you can configure only RADIUS authentication and have the RADIUS server determine who gets MFA and who does not, meaning configure the MFA on the RADIUS server, using DUO or some other MFA service on the account itself, instead of having the gateway do the MFA.

0 Kudos
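The workaround TAC describes above (the gateway speaks only RADIUS, and the RADIUS server decides per user whether a second factor is demanded) is illustrated below as an added example. This is not Check Point's code nor any RADIUS vendor's configuration: it is a toy policy server written for this thread, with constructed users, AD group names ("VPN-MFA"), passwords, a one-licence OTP pool and a simplified Access-Request / Access-Challenge / Access-Accept exchange, all of which are assumptions for the illustration.

```python
"""Added example (not from the original thread): a RADIUS-style policy server
that decides per user, based on AD group membership, whether a second factor
is required.  All directory data, group names and licence counts are
constructed for the illustration."""
from dataclasses import dataclass
from typing import Optional
import hmac
import secrets

# Constructed directory: assumption that group membership has already been
# resolved from AD (e.g. via the LDAP Account Unit).  Passwords are toy values.
DIRECTORY = {
    "alice": {"password": "alice-pw", "groups": {"VPN-Users", "VPN-MFA"}},
    "bob": {"password": "bob-pw", "groups": {"VPN-Users"}},
    "svc-backup": {"password": "svc-pw", "groups": {"VPN-Users", "VPN-MFA"}},
}
MFA_GROUP = "VPN-MFA"   # constructed group whose members must present an OTP
MFA_LICENSES = 1        # constructed: only one SMS-OTP licence is available


@dataclass
class AccessRequest:
    username: str
    password: Optional[str] = None
    otp: Optional[str] = None
    state: Optional[str] = None   # echoes the State attribute of a Challenge


@dataclass
class RadiusResponse:
    code: str                     # Access-Accept / Access-Reject / Access-Challenge
    state: Optional[str] = None
    reply_message: str = ""


class PolicyServer:
    def __init__(self, directory, mfa_group, licenses):
        self.directory = directory
        self.mfa_group = mfa_group
        self.licenses = licenses
        self.licensed = set()     # users who hold an OTP licence
        self.pending = {}         # State -> (username, expected OTP)

    def requires_mfa(self, username):
        entry = self.directory.get(username)
        return entry is not None and self.mfa_group in entry["groups"]

    def _enroll(self, username):
        # True if the user already holds, or can still be given, a licence.
        if username in self.licensed:
            return True
        if len(self.licensed) < self.licenses:
            self.licensed.add(username)
            return True
        return False

    def handle(self, req):
        # Second leg of a challenge: the client echoes State and adds the OTP.
        if req.state is not None:
            pending = self.pending.pop(req.state, None)
            if pending is None or pending[0] != req.username:
                return RadiusResponse("Access-Reject", reply_message="unknown state")
            if req.otp is not None and hmac.compare_digest(pending[1], req.otp):
                return RadiusResponse("Access-Accept", reply_message="mfa ok")
            return RadiusResponse("Access-Reject", reply_message="bad otp")

        # First leg: password check against the constructed directory.
        entry = self.directory.get(req.username)
        if (entry is None or req.password is None
                or not hmac.compare_digest(entry["password"], req.password)):
            return RadiusResponse("Access-Reject", reply_message="bad credentials")
        if not self.requires_mfa(req.username):
            # Local-style users outside the MFA group: password only.
            return RadiusResponse("Access-Accept", reply_message="password only")
        if not self._enroll(req.username):
            # Fail closed: an MFA-group user without a licence is rejected rather
            # than silently downgraded to password-only (a design choice here).
            return RadiusResponse("Access-Reject", reply_message="no mfa licence")
        otp = f"{secrets.randbelow(10**6):06d}"   # would be sent out of band (SMS)
        state = secrets.token_hex(8)
        self.pending[state] = (req.username, otp)
        return RadiusResponse("Access-Challenge", state=state, reply_message="enter otp")


if __name__ == "__main__":
    srv = PolicyServer(DIRECTORY, MFA_GROUP, MFA_LICENSES)
    print(srv.handle(AccessRequest("bob", password="bob-pw")))
    chal = srv.handle(AccessRequest("alice", password="alice-pw"))
    print(chal)
    print(srv.handle(AccessRequest("alice", otp=srv.pending[chal.state][1], state=chal.state)))
    print(srv.handle(AccessRequest("svc-backup", password="svc-pw")))
```

The point of the example is the placement of the decision: the gateway only forwards credentials and honours Accept, Reject or Challenge, while group-to-factor mapping lives entirely on the RADIUS side, which is exactly what the Multiple Login Options feature cannot do per user today. The licence branch mirrors the constraint raised later in the thread; whether an unlicensed MFA-group user should be rejected or downgraded is a policy decision the real product must make explicitly.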
Kryten
Collaborator

Ouch, that is indeed disappointing.

The solution suggested in that answer would also be my preferred way of doing this, but in this case it's just not possible, as the RADIUS service is part of a licensed product for the second factor (SMS), and there are not yet enough licenses for all users who use VPN.

0 Kudos
the_rock
Legend

You are welcome to ask them, just to be sure.

Andy

0 Kudos
