Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
ikokkoris
Contributor

REMOVE LOG IN OPTION FROM REMOTE ACCESS VPN

Hello,

We have configured Identity Provider Authentication for remote access vpn users.

When we login with Check Point Mobile App for Windows we have the following options.

duo4.png

What we want is to remove the "Standard" login option. 

At Gateway Cluster Properties -> VPN clients -> Authentication -> Multiple Auth Clients Settings the configuration is the below. 

duo5.png

 

Thank you

 

0 Kudos
15 Replies
the_rock
Legend
Legend

You can remove it from gateway properties, I cant recall what its called, I believe username/password, but will check later in the lab.

Andy

0 Kudos
ikokkoris
Contributor

Hello,

I can remove the username/password. The MFA becomes default authentication method, but "Standard" still remains.

I can't find any tab to remove it.

Thanks

0 Kudos
the_rock
Legend
Legend

I believe this is what you need to uncheck.

Andy

 

Screenshot_1.png

0 Kudos
ikokkoris
Contributor

Hi Andy,

I have already done this without success. The Authentication method at your screenshot is the legacy one. We have configure it as "Username and Password", does it matter?

Thanks

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Which Authentication method is presented after choosing Standard ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend

Can you please send screenshots of how thats configured? Please blur out any sensitive info. I know 100% this is possible, as I had done it before, just cant recall now exactly how...

Andy

0 Kudos
ikokkoris
Contributor

Sure. The current one is the below.

check1.png

check2.png

 I did uncheck the box, as below, but the "Standard" authentication method still appears at the mobile client  

check3.png

0 Kudos
the_rock
Legend
Legend

Here is what I just tested in the lab and worked fine, does NOT show standard in the list anywhere. I dont believe you would need to delete/re-create VPN site just for this, but to test that theory, you can have one user try and see result they get.

 

Kind regards,

Andy

 

Screenshot_1.png

0 Kudos
the_rock
Legend
Legend

@ikokkoris Below is what I see.

Andy

 

Screenshot_2.png

0 Kudos
ikokkoris
Contributor

Hello,

Based on your test the authentication method must be "Defined on user record (legacy)". Unfortunatelly I cannot change the authentication from "Username and password" and I will explain why.

We have connected more than one domains with the firewall. In these domains there are same sam account names (eg test@domain1, test@domain2 etc). In this case with authentication method  "Defined on user record (legacy)", when a vpn user enters credentials at the Mobile app, search takes place only in one domain.

However, I tested with authentication "Username and Password" and it works only if site is recreated. It this case "Standard" authentication method is disapperared. It is ok for my case.

Thank you very much for the assistance.

0 Kudos
the_rock
Legend
Legend

In that case, maybe contact TAC and do remote session to find the best option. Its not really feasible to ask your users to delete/re-create the site. I know in the past, with one large cusotmer we have, couple of my colleagues had to do some modifications in trac.config file and push it via GPO to make things work.

Best regards,

Andy

0 Kudos
ikokkoris
Contributor

Sure. It would be very helpful if the site has not to be recreated.

I will contact TAC and come back with solution.

Thanks

0 Kudos
the_rock
Legend
Legend

I think say if you had dozens of users, not a big deal, but if company has 100s of employees, its not a scalable "solution".

Let us know what TAC tells you.

Best regards,

Andy

0 Kudos
ikokkoris
Contributor

Hello,

Sure, I will come back with feedback.

I more question please.

Can I restrict remote access vpn access from Capsule VPN for mobile (Android & IOS) based on username that users login?

This is because, when Identity provider authentication is selected, 2MFA is not working in R81.10. This is gonna be solved in take 113(it is not recommended right now). 

0 Kudos
the_rock
Legend
Legend

Not that I know of. I would wait for jumbo to be recommended.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events