This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ikokkoris
Contributor
‎2023-11-24 02:51 AM

REMOVE LOG IN OPTION FROM REMOTE ACCESS VPN

Hello,

We have configured Identity Provider Authentication for remote access vpn users.

When we login with Check Point Mobile App for Windows we have the following options.

duo4.png

What we want is to remove the "Standard" login option. 

At Gateway Cluster Properties -> VPN clients -> Authentication -> Multiple Auth Clients Settings the configuration is the below. 

duo5.png

 

Thank you

 

0 Kudos
15 Replies
the_rock
MVP Gold
MVP Gold
‎2023-11-24 04:37 AM

You can remove it from gateway properties, I cant recall what its called, I believe username/password, but will check later in the lab.

Andy

0 Kudos
ikokkoris
Contributor
‎2023-11-24 04:55 AM
In response to the_rock

Hello,

I can remove the username/password. The MFA becomes default authentication method, but "Standard" still remains.

I can't find any tab to remove it.

Thanks

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-24 05:42 AM
In response to ikokkoris

I believe this is what you need to uncheck.

Andy

 

Screenshot_1.png

0 Kudos
ikokkoris
Contributor
‎2023-11-24 05:48 AM
In response to the_rock

Hi Andy,

I have already done this without success. The Authentication method at your screenshot is the legacy one. We have configure it as "Username and Password", does it matter?

Thanks

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-11-24 05:51 AM
In response to ikokkoris

Which Authentication method is presented after choosing Standard ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-24 05:54 AM
In response to ikokkoris

Can you please send screenshots of how thats configured? Please blur out any sensitive info. I know 100% this is possible, as I had done it before, just cant recall now exactly how...

Andy

0 Kudos
ikokkoris
Contributor
‎2023-11-24 06:06 AM
In response to the_rock

Sure. The current one is the below.

check1.png

check2.png

 I did uncheck the box, as below, but the "Standard" authentication method still appears at the mobile client  

check3.png

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-24 06:14 AM
In response to ikokkoris

Here is what I just tested in the lab and worked fine, does NOT show standard in the list anywhere. I dont believe you would need to delete/re-create VPN site just for this, but to test that theory, you can have one user try and see result they get.

 

Kind regards,

Andy

 

Screenshot_1.png

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-24 06:16 AM
In response to the_rock

@ikokkoris Below is what I see.

Andy

 

Screenshot_2.png

0 Kudos
ikokkoris
Contributor
‎2023-11-25 06:09 AM
In response to the_rock

Hello,

Based on your test the authentication method must be "Defined on user record (legacy)". Unfortunatelly I cannot change the authentication from "Username and password" and I will explain why.

We have connected more than one domains with the firewall. In these domains there are same sam account names (eg test@domain1, test@domain2 etc). In this case with authentication method  "Defined on user record (legacy)", when a vpn user enters credentials at the Mobile app, search takes place only in one domain.

However, I tested with authentication "Username and Password" and it works only if site is recreated. It this case "Standard" authentication method is disapperared. It is ok for my case.

Thank you very much for the assistance.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-25 06:13 AM
In response to ikokkoris

In that case, maybe contact TAC and do remote session to find the best option. Its not really feasible to ask your users to delete/re-create the site. I know in the past, with one large cusotmer we have, couple of my colleagues had to do some modifications in trac.config file and push it via GPO to make things work.

Best regards,

Andy

0 Kudos
ikokkoris
Contributor
‎2023-11-25 06:43 AM
In response to the_rock

Sure. It would be very helpful if the site has not to be recreated.

I will contact TAC and come back with solution.

Thanks

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-25 07:35 AM
In response to ikokkoris

I think say if you had dozens of users, not a big deal, but if company has 100s of employees, its not a scalable "solution".

Let us know what TAC tells you.

Best regards,

Andy

0 Kudos
ikokkoris
Contributor
‎2023-11-27 04:37 AM
In response to the_rock

Hello,

Sure, I will come back with feedback.

I more question please.

Can I restrict remote access vpn access from Capsule VPN for mobile (Android & IOS) based on username that users login?

This is because, when Identity provider authentication is selected, 2MFA is not working in R81.10. This is gonna be solved in take 113(it is not recommended right now). 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-27 04:40 AM
In response to ikokkoris

Not that I know of. I would wait for jumbo to be recommended.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events