Hello,
I have an NPS server with the plugin for Azure AD MFA; this server is part of the domain fr.xxx.lan.
When a user who is part of the fr.xxx.lan domain uses the VPN client to connect, it works as expected.
When another user (test-be), part of be.xxx.lan, tries to connect, it fails (user unknown).
If I check the NPS log, I can see the SAM-Account-Name and Fully-Qualifed-User-Name with FR\test-be.
I understand that the VPN client didn't send the domain information and the RADIUS "fills in the blank" with its own domain.
Actually, I can't authenticate (standard or RADIUS authentication) with username@domain.
Is there a way to do so?
Is this the way to solve my issue?
Thanks for your help.
You can check a few other areas, depending on your configuration:
1. Check your LDAP AU object to see what is the "domain name" in the configuration. This is used to verify usernames in the directory.
2. If you are using the newer Multiple Login Options on your gateway, check gateway properties -> VPN Clients -> Authentication and edit the login option being used. In the User Directory section on the left, check what LDAP AU is being used as well as the user lookup value (sAMAccountName, userPrincipalName, etc.).
I have a customer with NPS and Azure AD/MFA plugin. They have to use the UPN to login (test-be@be.xxx.lan in your example) and I also enabled UPN as the lookup method (as I noted in #2 above). However, this depends on the LDAP AU domain name, too. With Azure AD/MFA plugin, *ALL* requests are immediately forwarded to Azure AD from the NPS server (this is an Azure AD plugin requirement, which I learned the hard way). From the implementation I helped configure, this required the UPN name and is dependent on the Azure AD directory.
You can see further RADIUS lookup details with a vpn debug. I would suggest you do this, too.
Two suggestions to investigate further in consultation with TAC where required.
1. sk122477
2. R81.10 JHF T79:
PRJ-38144, PRHF-22814
Security Gateway
UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1.
Thanks Chris,
I tried to apply sk122477 with no success. I think I need to specify the user's domain on the VPN client, and for now I'm not able to do it.
I have contacted my local support and will update this post when I get more information.
Thanks Duane,
You were right, it's working when I set the UPN setting and use it to log in.
Thanks a lot 🙂
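To spot the symptom described in this thread in NPS logs, the following added example (not code from any poster or from Check Point) flags rejected logons where the client sent a bare username and the server resolved it into its own domain. It assumes one XML `<Event>` record per line carrying `User-Name` and `Packet-Type` next to the two attributes quoted in the question; the sample records are constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

def _event(sent, resolved, packet_type):
    # Builds one constructed NPS-style XML log record (sample data, not from the thread).
    return (f'<Event><User-Name data_type="1">{sent}</User-Name>'
            f'<SAM-Account-Name data_type="1">{resolved}</SAM-Account-Name>'
            f'<Fully-Qualifed-User-Name data_type="1">{resolved}</Fully-Qualifed-User-Name>'
            f'<Packet-Type data_type="0">{packet_type}</Packet-Type></Event>')

# Packet-Type carries the RADIUS code: 2 = Access-Accept, 3 = Access-Reject.
SAMPLE_LOG = "\n".join([
    _event("test-fr", "FR\\test-fr", 2),             # bare name, user really is in FR
    _event("test-be", "FR\\test-be", 3),             # bare name, user lives in BE
    _event("test-be@be.xxx.lan", "BE\\test-be", 2),  # UPN carries the realm
])

def split_realm(name):
    """Return (realm, account); realm is None when no domain was supplied."""
    if "\\" in name:
        realm, account = name.split("\\", 1)
        return realm, account
    if "@" in name:
        account, realm = name.rsplit("@", 1)
        return realm, account
    return None, name

def defaulted_rejects(log_text, nps_domain):
    """Rejected logons whose bare User-Name was resolved into the NPS server's own domain."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip().startswith("<Event"):
            continue
        event = ET.fromstring(line.strip())
        sent = event.findtext("User-Name", default="")
        resolved = event.findtext("Fully-Qualifed-User-Name", default="")
        sent_realm, _ = split_realm(sent)
        resolved_realm, _ = split_realm(resolved)
        rejected = event.findtext("Packet-Type") == "3"
        if sent_realm is None and rejected and (resolved_realm or "").upper() == nps_domain.upper():
            hits.append((sent, resolved))
    return hits

if __name__ == "__main__":
    for sent, resolved in defaulted_rejects(SAMPLE_LOG, "FR"):
        print(f"client sent {sent!r}, NPS looked up {resolved!r}: log in with the UPN instead")
```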