Hi,
I need a little help. I want to apply a second authentication factor to my C2S connections. Actually the users connect to the VPN by Endpoint Security VPN and use their credentials from AD; now I want to set up a second factor using a RADIUS server that generates a token. Let's illustrate my scenario:
Scenario
So the thing I want and hope for is: the client communicates with the FW, the FW asks the AD server for identities, then the FW asks RADIUS for the token, and that's it. So what I configured is this:
Configure a new multiple options, first username, then RADIUS
1st factor configuration
2nd factor configuration
AND! It is not working. After authenticating with AD, it asks for a user. I thought it was the token but it wasn't. I don't know if this is the correct configuration; can you help me with how to start the troubleshooting?
I read that there is some configuration that lets me use pass+token, but I can't make it work, or maybe configure it.
Thanks in advance.
Hi,
So the VPN client is asking first for username and password, then for username and token/OTP?
What solution do you use there? Where does that get its users, from AD? Do you see unsuccessful logins on the RADIUS server?
Is the gateway defined as a RADIUS client on the server?
Are you able to authenticate with OTP using tools like NTRadping on your local machine?
Daniel
Hi
> So the VPN client is asking first for username and password, then for username and token/OTP?

Asking for user/pass, then for a user, no more.

> What solution do you use there? Where does that get its users, from AD? Do you see unsuccessful logins on the RADIUS server?

A solution from NetIQ.
If you're talking about where the FW gets users: from AD. The RADIUS is just for generating the OTP; it should be getting users from the AD?
Cannot confirm the logins on the RADIUS server at this moment.

> Is the gateway defined as a RADIUS client on the server?

AFAIK, yes.

> Are you able to authenticate with OTP using tools like NTRadping on your local machine?

No response.
Thanks
Ok, when you then just enter the username again, you might get asked for the OTP, or something?
At NetIQ you have to configure a user store (they call it a repository) to bind i.e. a token to a particular user. Otherwise the solution cannot validate the token you entered. In most cases these solutions are using the Active Directory too, yes.
As I read, NetIQ is Linux based, you might want to check the logs mentioned here:
or here:
if you get any failed requests.
Are you able to check if Config on NetIQ is OK?
https://www.netiq.com/documentation/advanced-authentication-62/server-administrator-guide/data/t4399... (yes, it says Fortinet, but that should not be that important here). Check Point should be defined here as a RADIUS client. Double-check the pre-shared key/secret. If this is incorrect, authentication fails too.
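Why a mismatched shared secret looks like a bad password: an added example, not code from any poster or from Check Point or NetIQ, implementing the RFC 2865 User-Password hiding and Response Authenticator check. The secrets, OTP and Request Authenticator are constructed sample values, and the function names are this example's own.

```python
import hashlib, hmac, struct

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    n = max(16, -(-len(password) // 16) * 16)      # pad to a multiple of 16
    padded, out, prev = password.ljust(n, b"\x00"), b"", req_auth
    for i in range(0, n, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """What the RADIUS server computes with ITS copy of the secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def build_response(code, ident, attrs, req_auth, secret):
    """Server side: header + Response Authenticator (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + auth + attrs

def response_is_authentic(packet, req_auth, secret):
    """Client (gateway) side: recompute the authenticator with its own secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values, not taken from the thread.
REQ_AUTH = bytes(range(16))            # Request Authenticator (random in practice)
GOOD, TYPO = b"s3cret-demo", b"s3cret-dem0"
OTP = b"492817"

if __name__ == "__main__":
    hidden = hide_password(OTP, GOOD, REQ_AUTH)
    print("server, same secret :", reveal_password(hidden, GOOD, REQ_AUTH))
    print("server, typo secret :", reveal_password(hidden, TYPO, REQ_AUTH))
    reply = build_response(2, 1, b"", REQ_AUTH, TYPO)   # 2 = Access-Accept
    print("gateway trusts reply:", response_is_authentic(reply, REQ_AUTH, GOOD))
```

With the typo secret the server recovers garbage instead of the OTP, and the gateway cannot validate any reply signed with it, so the client only ever sees a generic authentication failure.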
> Ok, when you then just enter the username again, you might get asked for the OTP, or something?

No, it just says wrong username or pass. From this point, what you're saying about binding a user with a token from NetIQ is a very, very possible reason; let me check that.
THANKS