This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Peter_Kenda1
Participant
‎2023-11-23 10:27 PM

Remote Access VPN client for Linux that support 2FA

Dear CheckMates, 

I have customer that can only use Linux for operating system. That customer have more offices, but primary work from home. On all the office we have SMB devices, which is locally managed. All the devices run Firmware R81.10.08. This firmware has options for 2FA which work good for Windows and MacOS clients. As I know for Linux OS there no Remote Access VPN clients, but you have two options:

- SNX

- libreSwan

The customer already uses SNX but when I turn on the 2FA this stop working. Is there any options that SNX support 2FA?

From the CheckPoint documentation I know that Two-Factor Authentication is not supported for libreSwan.

From the CheckPoint site I find this Specifications table (attachment) which say that Multi-factor Auth on Linux is supported.

Have any one some experience with RAS VPN Linux client in combination with 2FA/Multi-factor authentication?

Best regards, Peter

Preview file
25 KB
10 Replies
_Val_
Admin
Admin
‎2023-11-27 01:19 AM

libreSwan should work with 2FA, did you try it? 

0 Kudos
Peter_Kenda1
Participant
‎2023-11-27 01:23 AM
In response to _Val_

Hi Val, 

From the CheckPoint documentation https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/T...

under the Known Limitations we can see Two-Factor Authentication is not supported.

Best regards, Peter

0 Kudos
_Val_
Admin
Admin
‎2023-11-27 01:28 AM
In response to Peter_Kenda1

Gotcha, missed that. I suggest you to open a TAC request to see what can be done.

0 Kudos
Peter_Kenda1
Participant
‎2023-11-27 04:02 AM
In response to _Val_

I do this. The first answer was:

https://support.checkpoint.com/results/sk/sk137732

Then second answer:

https://support.checkpoint.com/results/sk/sk105317

Then I try access to Mobile Access Portal through the browser, but also here I didn't find the field for second auth.

 

0 Kudos
_Val_
Admin
Admin
‎2023-11-27 04:06 AM
In response to Peter_Kenda1

Not sure I follow. Can you please elaborate?

0 Kudos
Peter_Kenda1
Participant
‎2023-11-27 04:23 AM
In response to _Val_

Open the ticket with support. The suggestion was sk137732 - 2FA (Factor Authentication) support for remote access VPN in locally managed SMB appliances. 

But we already turn on 2FA and with Windows VPN client work as should. On Linux over the CLI not work and I receive the second sk105317 - Unable to connect with SNX CLI client via Mobile Access Portal with Two Factor Authentication.

But Mobile Access Portal on SMB device? I can chose CheckPoint VPN clients, Mobile client, SSL VPN, Windows VPN client.

First opetion is related to CheckPoint VPN aplication, Second option is related only for Mobile devices (Androdi and iOS), third is for SNX and last again for windows environment.

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-27 08:00 AM
In response to Peter_Kenda1

The MAB Portal is not supported on SMB appliances.
Which means it cannot be used to prompt for the second factor.
This is probably an RFE (Request for Enhancement) and would need to be addressed through your local Check Point office.

0 Kudos
QuienSabe
Explorer
‎2024-04-19 03:37 AM
In response to PhoneBoy

Hi,

Is there any news on this issue?

I see several requests to get a Linux Client to connect to CheckPoint and also some that request 2FA in such a client but I always just see the standard answer "no, it is not supported". That's quite disappointing, especially with requests again and again that just seem to be ignored. Isn't CheckPoint interested in supporting people who use Linux at all?

 

(2)
PhoneBoy
Admin
Admin
‎2024-04-19 06:35 AM
In response to QuienSabe

We are continuing to enhance Harmony Endpoint on Linux and I believe a proper VPN client is planned as part of that.
No ETA, though.

If you need something for Linux today, I recommend checking out Harmony SASE, which has a VPN client for Linux: https://support.perimeter81.com/docs/linux-agent-release-notes 

QuienSabe
Explorer
‎2024-04-19 08:35 AM
In response to PhoneBoy

That sounds good. I hope it will include 2FA when it arrives.

The problem with checking out something else is that it is hard for most who need a client to convince their employers to switch to a different solution because some of the employees finally want to get rid of Windows.

(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events