This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ggiordano
Contributor
‎2022-10-26 02:20 AM

VPN Remote access multiple authentication

Hi mates

in some customers I have multiple authentication for the remote access vpn connection (client & mobile access unified).

normally the authentication is based on external LDAP servers and they need for discriminating internal users (SAML MFA) from external users (username/password + OTP).

The remote users have the decision which authentication method choose and it means the users could another authentication method and authenticate successfully

let me go in an example

users1 needs to connect to VPN (client or Mobile access)

users1 is internal user so he knows the authentication method must be the one defined for internal users (SAML MFA)

users1 is able to authenticate by the authentication method for external users as well.

I'd like to enforce some check where if internal user is trying to use the authentication method for external users, the authentication fails because the internal user is not entitle for that authentication method.

in other words, I'd like to assign the authentication method per LDAP users or LDAP user groups

do anyone know if it's possible?

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2022-10-26 11:43 AM

Have you defined a single LDAP branch or do you have multiple LDAP branches defined on the Check Point side (one for internal users and one for external third parties)?
Because that will be required to set a different authentication scheme for different groups in AD.
This is configured in the gateway object under VPN Clients > Authentication > Multiple Authentication Client Settings.
In each setting, you specify the LDAP Branch the authentication type applies to.

image.png

0 Kudos
ggiordano
Contributor
‎2022-11-07 04:24 AM
In response to PhoneBoy

I cannot define different authentication method based on your advise.

the problem is you can specify the LDAP Account unit and not the user group.

in addition the ldap account unit must unique for the same domain, otherwise you will have warning about multiple account unit refers to the same domain.

 

0 Kudos
the_rock
Legend
Legend
‎2022-10-26 01:42 PM

I read what phoneboy responded and it makes total sense to me. Im not sure if there is a different way to achieve what you are looking for.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events