Two RADIUS servers for VPN authentication

Hi,

I want to use Cisco ISE as a central point of authentication for users, so I need to configure Check Point in such a way that it sends two RADIUS requests to ISE. The first request should have username/password - ISE will send it to the AD for the 1st authentication. The second request should have username/token so it is sent to Duo for the 2nd authentication.

I believe the only way to do it is to leverage multiple login options so the VPN client presents two windows to users. I tried to set up two authentication factors on a gateway but it said that only one RADIUS server is allowed. Is it possible to somehow bypass this rule?

Thank you

0 Kudos
2 Replies

RADIUS is based on challenge-response, so configuring it one time is enough.

- First you enter username/password

- Check Point sends both to the RADIUS server (ISE)

- ISE matches username/password and asks for a challenge because of the 2nd factor

- Check Point receives the challenge and requests input of the token

- The token is sent to ISE, which issues an Access-Accept back if it matches

0 Kudos
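The challenge-response exchange listed in the reply above, as an added example that is not part of the original thread and uses no ISE or Check Point code: it builds RFC 2865 packets on the wire format and shows how the State attribute ties the token round to the password round against a single server entry. `ToyServer`, `login`, `hide`, `pack` and `unpack` are hypothetical names, the "Enter token" prompt is made up, and credentials are assumed to fit in one 16-byte block.

```python
import hashlib, hmac, os, struct
REQUEST, ACCEPT, REJECT, CHALLENGE = 1, 2, 3, 11  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types

def pack(code, ident, auth, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i < length:
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += max(pkt[i + 1], 2)  # a valid attribute is at least 2 bytes long
    return code, ident, pkt[4:20], attrs

def hide(block16, secret, req_auth):  # User-Password hiding, one block; XOR also un-hides
    return bytes(a ^ b for a, b in zip(block16, hashlib.md5(secret + req_auth).digest()))

class ToyServer:  # stand-in for the RADIUS server; users = {name: (password, token)}
    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}
    def handle(self, pkt):
        _, ident, ra, a = unpack(pkt)
        user = a[USER_NAME].decode()
        given = hide(a[USER_PASSWORD], self.secret, ra).rstrip(b"\0")
        password, token = self.users.get(user, (b"", b""))
        code, attrs = REJECT, []
        if STATE in a:  # second round: State proves the password round succeeded
            if self.pending.pop(a[STATE], None) == user and hmac.compare_digest(given, token):
                code = ACCEPT
        elif password and hmac.compare_digest(given, password):
            state = os.urandom(8)  # single-use handle for this login attempt
            self.pending[state] = user
            code, attrs = CHALLENGE, [(REPLY_MESSAGE, b"Enter token"), (STATE, state)]
        resp_auth = hashlib.md5(pack(code, ident, ra, attrs) + self.secret).digest()
        return pack(code, ident, resp_auth, attrs)

def login(server, secret, user, password, ask_token):  # stand-in for the gateway (NAS)
    credential, extra, codes = password, [], []
    for ident in (1, 2):
        ra = os.urandom(16)  # fresh Request Authenticator per Access-Request
        hidden = hide(credential.encode().ljust(16, b"\0"), secret, ra)
        req = pack(REQUEST, ident, ra, [(USER_NAME, user.encode()), (USER_PASSWORD, hidden)] + extra)
        code, _, _, a = unpack(server.handle(req))
        codes.append(code)
        if code != CHALLENGE:
            break
        credential, extra = ask_token(a[REPLY_MESSAGE].decode()), [(STATE, a[STATE])]
    return codes
```

With a constructed user such as `{"alice": (b"hunter2", b"492817")}`, `login` returns `[11, 2]` (Access-Challenge, then Access-Accept) when both factors match and `[3]` when the password is wrong, so the token prompt is never reached.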

Hi Norbert,

I am not quite sure whether I can configure ISE to request Check Point for the 2nd factor if the 1st factor is successful.

0 Kudos