Hi all!
I am trying to set up remote access MFA for a customer and have stumbled upon a problem:
I thought that it would be possible to set up multiple authentication methods and then configure which users or groups should use which method. For local users (created on the gateways) this seems to be no problem, but I cannot figure out how to do it for AD users also. I have reached a point where it seems that it is just not possible, but then found an older post that states how it could be done:
Can someone here tell me if this works and does what I need?
I do not really understand how to configure these Accounting units or branches within...would it be possible to set up those for the same domain but different Groups?
You can create multiple groups for the same LDAP AU: https://support.checkpoint.com/results/sk/sk163477
Thank you! I think I understand now how I would create the units and groups.
Sadly I still do not understand how I could use them to change the required authentication method for some users or AD groups.
Would it be sufficient to create a new AU unit with a branch matching an AD-group and then adding that to the multiple login option setting mentioned in the link I posted?
I stumbled upon sk114882 and that might do the trick as well. I could not test it now though, but know of a customer of mine, who uses this to give different routing to users from different AD groups.
Luckily in my case, it turned out that we can use the RADIUS to make that decision for us. Now we still face the problem that the local users also see the other Authentication Options in their Client, which makes no sense, as they only ever use "Username+Password". So now I search for a way to enforce this for local users (TAC case opened about that).
Not sure if that sk is relevant, but back when I had TAC case, that was in 2021, so sk was not even written : - )
If it works, great, let us know.
Andy
This was the TAC response to me in the case from January 6th, 2022 and from what I heard, this is still not possible (sigh...disappointing)
Andy
***************************************************
Hello Andy,
After consulting with escalations, assigning specific users to a desired authentication method in Check Point Multiple Login Options is not a supported feature yet, and there is already an existing RFE submitted for that. However, you can configure only RADIUS authentication, and have the RADIUS server determine who gets MFA or who does not, meaning configure the MFA on the RADIUS server/using DUO or some other MFA services on the account itself instead of having the gateway do the MFA.
Ouch, that is indeed disappointing.
The solution suggested in that answer would also be my preferred way of doing this, but in this case it's just not possible, as the RADIUS service is part of a licensed product for the second factor (SMS), and there are not yet enough licenses for all users who use VPN.
You are welcome to ask them, just to be sure.
Andy
Hi the_rock,
Is it still not possible, or is there some progress on it?
I have a customer who wants the same thing:
enable MFA authentication on the captive portal for a specific user group. I mean to have both LDAP and MFA in parallel for authentication.
Thank you!
Nothing changed, that I heard of. This is something customers ask about CONSTANTLY. I wish it was easy like with Fortinet, where you can do this, as well as do VPN geo blocking directly from web UI, with just a few clicks, super easy.
Andy