Create a Post
Showing results for 
Search instead for 
Did you mean: 

multiple authentication option

Hello mate

maybe this topic was discussed in other posts.

after 1 year of my testing and SR to the TAC, I don't find a solution, in enviroment where I have multiple authentication option in VPN, to force the users to use a specific authentication option and not others.

in case one authentication option is "username & password" based on ldap users, EVERY user who is defined into LDAP server, is able to authenticate into VPN.

it means even the user mustn't access to VPN, he is able to authenticate but he is not authorized to get access to any resources because the firewall policy blocks the request. In any case the user is able to authenticate.

it is possible because the authentication option searches the user along all LDAP branches.

I'd like to implement a filter based on LDAP group where only users member of a specific ldap group are able to authenticate. in case the user is not a member of that LDAP group, the authentication must fail.

In the authentication properties I can choose only the LDAP ACCOUNT UNIT and I cannot enable the authentication, for a specific login option, to a specific LDAP group.

how could I implement this filter on authentication?

0 Kudos
3 Replies

Im glad you asked this, because this was an official TAC response to me few months ago on it:

After consulting with escalations, assigning specific users to desired authentication method in Check Point Multiple Login Options is not a supported feature yet, and there is already an existing RFE submitted for that. However, you can configure only RADIUS authentication, and have the RADIUS server determine who gets MFA or who does not, meaning configure the MFA on the RADIUS server/Using DUO or some other MFA services on the account itself instead of having the gateway to do the MFA. 

Now, we all know how long RFE can take, so I would not have high hopes for it.

Having said that, what you could do is this...says only SOME users need to use Radius auth, you can define them as LOCAL users in dashboard and make sure that radius auth option is selected, as per below:


0 Kudos

thank you for your response.

as per my expectation, I supposed it's not a supported features.

During my session with TAC, they asked to me to implement and test configuration without a reasonable confirmation it should work. Currently I worked on some environments configuring RADIUS and it works when the login option are different between them. I mean, for example, SAML the 1st login and RADIUS the 2nd login. it doesn't work when you have to make discrimination between login option based on RADIUS where the 1st login mustn't ask for the DynamicID and the 2nd login must ask for the DynamicID because customer doesn't have an external MFA system. In this scenario GW radius request doesn't cointain information for making different network policy in according the login option the user choose.

so at this time, I need to move with a different external authentication o wait for the introduction of the feature in CKP.


thank you again for your clarification

0 Kudos

When we worked with them, customer and I literally did 99.99% of work, they were not even willing to replicate the issue, their answer was "Well, you guys replicated it, so why should we?" LOL

Anyway, Im happy to do remote if you like and we can go through it together. Im fairly familiar with it, as I had done it myself few times.

Cheers mate.

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events