anishtholath
Explorer

Remote access using Active Directory with Radius/Duo authentication

Hi,

I would like to know how we can enable remote access VPNs for all the users configured on our AD server. The users should be able to authenticate using the Duo/Radius server we have already in place.

Current setup is as below:

1. Create the user in SmartConsole and configure authentication as Duo

2. Create Duo accounts

3. Users log in to their endpoint security client using AD credentials, receive a Duo push, authenticate themselves and connect to the VPN

We want it to change so that the VPN user creation in SmartConsole is not required. Every new user in the AD should have the remote access VPN with Duo authentication enabled.

Anish

0 Kudos
5 Replies
PhoneBoy
Admin

What you need to create is an External User Profile.
Which isn't obvious because SmartConsole does not have this option.
It needs to be done with the legacy SmartDashboard client as described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
anishtholath
Explorer

Hi,

Is there detailed documentation on how to do this? What am I supposed to do with the external user profile?

0 Kudos
the_rock
Mentor

Pretty simple. All you have to do is make sure that under gateway properties, VPN office mode, authentication -> and then under settings there, choose RADIUS and select the RADIUS server you configured. As long as your RADIUS communicates fine with the gateway, that's all you really need. Now, there is a document for RADIUS auth with VPN clients (attached here). PhoneBoy is correct as far as the external user profile, but I can tell you that I never had to do that myself for RADIUS auth and it worked fine every time. Message me privately if you wish and I'm happy to do a remote session to show you.

0 Kudos
anishtholath
Explorer

Hi, we already have RADIUS configured, which we are using to authenticate the VPN clients. What I want is to remove the necessity of creating the users on the firewall and instead let all the AD users connect using VPN clients and authenticate using Duo/RADIUS.

0 Kudos
Institut_fuer_R
Participant

Did you set Duo up to have your AD users in correctly?

https://duo.com/docs/checkpoint

Because what you are describing is how it just usually works, if you follow that explication.