This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gonza1
Explorer
‎2022-08-30 07:09 AM

VPN - Integrate certificate + SCV + AzureMFA

Hello guys,

I´m pretty new with Checkpoint. I´m working with a customer that needs to accomplish the following:

Steps:

1- VPN authentication through certificate.

2- Client "lands" into a zone where SCV is performed.

3- If SCV is successfull then, authenticates with AzureMFA. 

As I could see from Kbs, SAML/IDP authentication is not compatible with anything else on same login option, so here comes my concern if the above is doable.

Also, I could not find any docs where it states the vpn process steps. Is there something as such? Something like "first happens this", then this and so on...


Thanks in advance for your time and help.

Regards,

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2022-08-30 04:02 PM

SCV is performed on the client side once the user has authenticated to the VPN successfully.
If the client fails the SCV check they will still remain connected but will only be allowed to communicate with the configured remediation networks.

Configuring certificate based authentication and SAML together in the Check Point configuration is not supported.
Review the fourth bullet point below from: https://downloads.checkpoint.com/dc/download.htm?ID=114551 

image.png

That said, if AzureAD (or whatever you're using for SAML authentication) supports the desired authentication methods in the desired order, they can be configured there.

0 Kudos
Gonza1
Explorer
‎2022-08-31 02:22 AM
In response to PhoneBoy

Hi, thanks for the prompt answer. Much appreciated.

Given this case, would it be possible to configure certificate base authentication for VPN and then use SAML MFA within an authentication rule?


Thank you.

Regards,

0 Kudos
PhoneBoy
Admin
Admin
‎2022-09-01 04:57 PM
In response to Gonza1

Authentication via Remote Access is generally considered sufficient for Identity Awareness purposes.
However, it's not enabled as an Identity Source by default for Identity Awareness.
So...might work? Don't know for sure.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events