Antoine_BELLEC
Participant

Remote access MFA only works for users who are part of the RADIUS server domain

Hello,

I have an NPS server with the plugin for Azure AD MFA; this server is part of the domain fr.xxx.lan.

When a user who is part of the fr.xxx.lan domain uses the VPN client to connect, it works as expected.

When another user (test-be) who is part of be.xxx.lan tries to connect, it fails (user unknown).

If I check the NPS log I can see the SAM-Account-Name and Fully-Qualifed-User-Name with FR\test-be.

I understand that the VPN client didn't send the domain information and the RADIUS server "filled the blank" with its own domain.

Actually I can't authenticate (standard or RADIUS authentication) with username@domain.

Is there a way to do so?

Is this the way to solve my issue?

Thanks for your help

Chris_Atkinson
Employee

Two suggestions to investigate further, in consultation with TAC where required.

1. sk122477

2. R81.10 JHF T79:

PRJ-38144,PRHF-22814

Security Gateway

UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1.

CCSM R77/R80/ELITE
Antoine_BELLEC
Participant

Thanks Chris,

I tried to apply sk122477 with no success. I think I need to specify the user's domain on the VPN client, and for now I'm not able to do it.

I have contacted my local support and will update this post when I get more information.

Duane_Toler
Advisor

You can check a few other areas, depending on your configuration:

1. Check your LDAP AU object to see what the "domain name" is in the configuration. This is used to verify usernames in the directory.

2. If you are using the newer Multiple Login Options on your gateway, check gateway properties -> VPN Clients -> Authentication and edit the login option being used. In the User Directory section on the left, check which LDAP AU is being used as well as the user lookup value (sAMAccountName, userPrincipalName, etc.).

I have a customer with NPS and the Azure AD/MFA plugin. They have to use the UPN to log in (test-be@be.xxx.lan in your example) and I also enabled UPN as the lookup method (as I noted in #2 above). However, this depends on the LDAP AU domain name, too. With the Azure AD/MFA plugin, *ALL* requests are immediately forwarded to Azure AD from the NPS server (this is an Azure AD plugin requirement, which I learned the hard way). From the implementation I helped configure, this required the UPN name and is dependent on the Azure AD directory.

You can see further RADIUS lookup details with a vpn debug. I would suggest you do this, too.

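The symptom discussed in this thread (the client sends a bare username, NPS resolves it in its own domain, and a user from the other domain ends up unknown) is visible in the NPS log, so it can be audited rather than guessed. The script below is an added example, not code from the thread, Check Point or Microsoft; it assumes NPS XML (DTS-compliant) log events, which are constructed here and trimmed to the elements it reads, and assumes FR is the NetBIOS name of the NPS server's domain.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample events in the shape of NPS DTS-compliant XML log entries,
# one <Event> per line, reduced to the elements used below. NPS really does
# spell the element "Fully-Qualifed-User-Name", so that spelling is kept.
SAMPLE_NPS_LOG = r"""
<Event><User-Name data_type="1">test-fr</User-Name><SAM-Account-Name data_type="1">FR\test-fr</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">FR\test-fr</Fully-Qualifed-User-Name><Packet-Type data_type="0">2</Packet-Type></Event>
<Event><User-Name data_type="1">test-be</User-Name><SAM-Account-Name data_type="1">FR\test-be</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">FR\test-be</Fully-Qualifed-User-Name><Packet-Type data_type="0">3</Packet-Type></Event>
<Event><User-Name data_type="1">test-be@be.xxx.lan</User-Name><SAM-Account-Name data_type="1">BE\test-be</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">BE\test-be</Fully-Qualifed-User-Name><Packet-Type data_type="0">2</Packet-Type></Event>
"""

UPN_RE = re.compile(r"^([^@\\]+)@([^@\\]+)$")      # user@realm
NETBIOS_RE = re.compile(r"^([^\\]+)\\([^\\]+)$")   # REALM\user


def classify_identity(user_name):
    """Return (form, user, realm) for a username exactly as the client sent it.

    form is 'upn', 'netbios' or 'bare'; a bare name carries no realm, which
    is the case where NPS fills in its own domain.
    """
    m = UPN_RE.match(user_name)
    if m:
        return "upn", m.group(1), m.group(2).lower()
    m = NETBIOS_RE.match(user_name)
    if m:
        return "netbios", m.group(2), m.group(1).upper()
    return "bare", user_name, None


def audit_nps_events(log_text, nps_domain):
    """Flag requests whose realm NPS had to guess (client sent a bare name).

    nps_domain is the NetBIOS name of the NPS server's own domain (assumed
    'FR' here). Each finding records which realm the request resolved to and
    whether it was accepted, so cross-domain rejects stand out.
    """
    findings = []
    for line in log_text.strip().splitlines():
        ev = ET.fromstring(line)
        form, user, _ = classify_identity(ev.findtext("User-Name", ""))
        if form != "bare":
            continue  # the client supplied a realm; nothing was defaulted
        _, _, resolved_realm = classify_identity(ev.findtext("SAM-Account-Name", ""))
        findings.append({
            "user": user,
            "resolved_realm": resolved_realm,
            "defaulted_to_nps_domain": resolved_realm == nps_domain.upper(),
            "accepted": ev.findtext("Packet-Type") == "2",  # 2 = Access-Accept
        })
    return findings
```

A bare-name request that resolved to the NPS domain and was rejected is the test-be case from the thread; once clients log in with the UPN, those entries disappear from the findings.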
Antoine_BELLEC
Participant

Thanks Duane,

You were right, it's working when I set the UPN setting and use it to log in.

Thanks a lot 🙂