VPN Remote access multiple authentication
Hi mates,
At some customers I have multiple authentication for the remote access VPN connection (client & Mobile Access unified).
Normally the authentication is based on external LDAP servers, and they need to discriminate internal users (SAML MFA) from external users (username/password + OTP).
The remote users decide which authentication method to choose, which means a user could pick another authentication method and authenticate successfully.
Let me give an example:
user1 needs to connect to the VPN (client or Mobile Access).
user1 is an internal user, so he knows the authentication method must be the one defined for internal users (SAML MFA).
user1 is able to authenticate with the authentication method for external users as well.
I'd like to enforce some check where, if an internal user is trying to use the authentication method for external users, the authentication fails because the internal user is not entitled to that authentication method.
In other words, I'd like to assign the authentication method per LDAP user or LDAP user group.
Does anyone know if it's possible?
Have you defined a single LDAP branch or do you have multiple LDAP branches defined on the Check Point side (one for internal users and one for external third parties)?
Because that will be required to set a different authentication scheme for different groups in AD.
This is configured in the gateway object under VPN Clients > Authentication > Multiple Authentication Client Settings.
In each setting, you specify the LDAP Branch the authentication type applies to.
I cannot define a different authentication method based on your advice.
The problem is that you can specify the LDAP Account Unit and not the user group.
In addition, the LDAP Account Unit must be unique for the same domain; otherwise you will get a warning about multiple Account Units referring to the same domain.
I read what phoneboy responded and it makes total sense to me. I'm not sure if there is a different way to achieve what you are looking for.