tmnetsec
Explorer

Using one external user profile for two different MFA connections

Currently we have an MFA solution deployed using SecurID, and this uses the external generic* authentication profile, which has the SecurID option selected.

I am now doing a PoC for Check Point VPN clients using SAML and Azure MFA as per the Remote Access VPN R81.20 Administration Guide (checkpoint.com).

The guide says that the SAML Identity Provider needs an external generic* authentication profile as well. Can I change the authentication scheme in the existing generic* profile to Undefined so that it will allow the users to connect using either SecurID or Identity Provider? Current options in the drop-down in the authentication tab are undefined/SecurID/Identity Provider/RADIUS/etc. Using the multiple authentication options for the VPN client, the plan is to provide the VPN user the option to select SecurID or Azure MFA to connect to the VPN.

Is this possible with a single generic* external authentication profile?

 

 


Accepted Solutions
tmnetsec
Explorer

Hi @PhoneBoy, I tried what you said and managed to get this working on R81.20. Here are the steps if anyone else wants to try it:

1) In Smart Dashboard, changed the external generic* profile authentication method from SecurID to Undefined

2) Then I created two authentication schemes for the VPN clients; one for SecurID and the second for Azure Identity Provider

3) The user can manually select the authentication in the Endpoint client and connect successfully to the chosen method

Thanks!

PhoneBoy
Admin

I'm fairly certain changing this to Undefined will break SecurID.
I'm not certain if SAML requires the setting in generic* to actually be "Undefined" or just that it merely exist.
If the latter, then it should work for both, but I'm not confident that it will work/be supported.

PhoneBoy
Admin

Only caveat I see here is that you need to make sure you're not using the "legacy" (defined on user method) option.
Glad it works, however. 🙂
