jarvis_dantsrib
Explorer
Problem opening the 2MFA screen with IDP using Secure Domain Logon (SDL) Windows

Hello,

I am facing an issue after implementing 2MFA with IDP in RA VPN on Windows with SDL enabled.

Before implementing the second authentication factor, login with SDL worked perfectly. However, after implementing 2MFA it is not possible to connect to the VPN, because the client redirects to open a kind of plugin and start the IDP screen, and that is where the error happens. For some reason it does not open 2MFA directly on the client screen; it has to consult this plugin first, and in my opinion the error occurs because it is not possible to consult the plugin while it is not yet logged into Windows.

If I log on to the machine and try to connect to the VPN, the operation succeeds and the 2nd factor opens the screen in the client itself without any problem. However, this is the experience I would like to have in SDL before logging into Windows, and I am not getting it.

I tried to use the SK https://support.checkpoint.com/results/sk/sk180395 to make some adjustments to the client, but without success. IDP_BROWSER was already enabled as embedded in the client itself, but I think there is some validation operation that it confirms with a third party, outside the client, for it to work.

Is it possible for SDL to work with 2MFA with IDPs like Azure, Cisco DUO and others?

Accepted Solutions
Alex-
Leader

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

Known Limitations

  • Secure Domain Logon (SDL) with Identity Provider is not supported.

6 Replies
the_rock
Legend

I can't open all the attachments, just the 1st one... Is the only error "negotiation with site failed"? Did you try to do zdebug on the firewall to see if anything is dropped when this happens?

Andy

jarvis_dantsrib
Explorer

Hello the_rock,

These are the images I imported.

I ran zdebug but didn't see any traffic blocks.
the_rock
Legend

If it's urgent, I would contact TAC. Otherwise, I would run basic VPN debugs.

Andy

the_rock
Legend

Forgot to mention the VPN debug steps.

Andy

vpn debug trunc
vpn debug ikeon
- do the test
vpn debug ikeoff

Look for the iked and vpnd files in the $FWDIR/log directory.

the_rock
Legend

Never seen that limitation before, thanks @Alex-!
