
Using MS Active Directory for remote access VPN

Hi everyone,

I am totally lost in the number of somewhat conflicting documentation and community topics and would be grateful if you could help me.

1. We are on the R80.10 version for the SMS and gateways.

3. The IPsec VPN, Mobile Access and Identity Awareness blades are enabled.

2. We are using the Check Point Mobile for Windows client, and presently users are created locally.

3. Local users are also assigned to user groups, and the user groups are assigned to user roles that are used in access rules to distinguish what users can and cannot access.

4. I need to move to authenticating users against Microsoft AD, and also to use the AD user group a user belongs to in access rules for remote access VPN - i.e. some sort of authorization.

5. Do I need a User Directory license if I just want to enable remote VPN authentication against AD? There is no MS AD management from the Check Point side, just querying AD for user presence and whether the password is valid.

6. What about using the MS AD user group a user belongs to in access rules? During the initial setup for Mobile Access I said that I don't want to use AD integration.

7. To make things more complicated, I then need to move to RADIUS authentication with a soft RSA token and still be able to query MS AD for the user group the connecting user belongs to, so that I can use the AD group in access rules.


Your help is really appreciated!

4 Replies

Point 7 ... is relevant for me. How do you proceed to implement this configuration?

Simon

Two-factor authentication works fine when you do not use Secondary Connect. When you do use it, the client will prompt you to authenticate again for each gateway it connects to.
Regards, Maarten

Thanks for your reply. I agree with your point about Secondary Connect. My question is more about the feasibility of our new configuration.

What I'm expecting:
1- Authenticate the RA user (RADIUS, Gemalto) with the full UPN (xxx@xxx.xxx) - working at this time ... secondly, using this newly authenticated RA user in ...
2- Many access roles based on group membership (IA - AD query) to permit access to specific internal resources.

At this time, it seems that the Access Role rule doesn't catch the user because the group membership has not been retrieved successfully. I tried to find out how to do that. Maybe sk147417. Just a little bit confused. At this point, any hints would be helpful; that's why point 7 could be relevant for me.

Regards, Simon

Working now .. no need to respond.
One more tricky thing I have to do is configure a different IP pool for each AD_Group (ipassignment.conf) .. planned for the beginning of next week.

Simon