Re: REMOVE LOG IN OPTION FROM REMOTE ACCESS VPN

ikokkoris · ‎2023-11-24

Hello,

We have configured Identity Provider Authentication for remote access vpn users.

When we login with Check Point Mobile App for Windows we have the following options.

What we want is to remove the "Standard" login option.

At Gateway Cluster Properties -> VPN clients -> Authentication -> Multiple Auth Clients Settings the configuration is the below.

Thank you

the_rock · ‎2023-11-24

You can remove it from gateway properties, I cant recall what its called, I believe username/password, but will check later in the lab.

Andy

ikokkoris · ‎2023-11-24

Hello,

I can remove the username/password. The MFA becomes default authentication method, but "Standard" still remains.

I can't find any tab to remove it.

Thanks

the_rock · ‎2023-11-24

I believe this is what you need to uncheck.

Andy

ikokkoris · ‎2023-11-24

Hi Andy,

I have already done this without success. The Authentication method at your screenshot is the legacy one. We have configure it as "Username and Password", does it matter?

Thanks

G_W_Albrecht · ‎2023-11-24

Which Authentication method is presented after choosing Standard ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

the_rock · ‎2023-11-24

Can you please send screenshots of how thats configured? Please blur out any sensitive info. I know 100% this is possible, as I had done it before, just cant recall now exactly how...

Andy

ikokkoris · ‎2023-11-24

Sure. The current one is the below.

I did uncheck the box, as below, but the "Standard" authentication method still appears at the mobile client

the_rock · ‎2023-11-24

Here is what I just tested in the lab and worked fine, does NOT show standard in the list anywhere. I dont believe you would need to delete/re-create VPN site just for this, but to test that theory, you can have one user try and see result they get.

Kind regards,

Andy

the_rock · ‎2023-11-24

@ikokkoris Below is what I see.

Andy

ikokkoris · ‎2023-11-25

Hello,

Based on your test the authentication method must be "Defined on user record (legacy)". Unfortunatelly I cannot change the authentication from "Username and password" and I will explain why.

We have connected more than one domains with the firewall. In these domains there are same sam account names (eg test@domain1, test@domain2 etc). In this case with authentication method "Defined on user record (legacy)", when a vpn user enters credentials at the Mobile app, search takes place only in one domain.

However, I tested with authentication "Username and Password" and it works only if site is recreated. It this case "Standard" authentication method is disapperared. It is ok for my case.

Thank you very much for the assistance.

the_rock · ‎2023-11-25

In that case, maybe contact TAC and do remote session to find the best option. Its not really feasible to ask your users to delete/re-create the site. I know in the past, with one large cusotmer we have, couple of my colleagues had to do some modifications in trac.config file and push it via GPO to make things work.

Best regards,

Andy

ikokkoris · ‎2023-11-25

Sure. It would be very helpful if the site has not to be recreated.

I will contact TAC and come back with solution.

Thanks

the_rock · ‎2023-11-25

I think say if you had dozens of users, not a big deal, but if company has 100s of employees, its not a scalable "solution".

Let us know what TAC tells you.

Best regards,

Andy

ikokkoris · ‎2023-11-27

Hello,

Sure, I will come back with feedback.

I more question please.

Can I restrict remote access vpn access from Capsule VPN for mobile (Android & IOS) based on username that users login?

This is because, when Identity provider authentication is selected, 2MFA is not working in R81.10. This is gonna be solved in take 113(it is not recommended right now).

the_rock · ‎2023-11-27

Not that I know of. I would wait for jumbo to be recommended.

Andy

Are you a member of CheckMates?

REMOVE LOG IN OPTION FROM REMOTE ACCESS VPN