This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oryx
Collaborator
‎2022-02-11 06:21 AM
Jump to solution

MFA for some VPN users

Hi,

We've enabled MFA with SMS provider in the Remote Access VPN of one of our end customers. Everything is working fine, but our customer wants to know if it is possible to disable the MFA for a particular User or a particular Group of Users.

Our users are internal on the Check Point Gateways, so we don't have an Active Directory server to validate the users credentials. We have the MFA configured with Username and Password + SMS Provider for all the internal users. We would like to have a particular user (Failsafe user, if the SMS Provider fails) without MFA. Is it possible?

Thanks in advance for your help.

Regards

0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Diamond
MVP Diamond
‎2022-02-12 04:32 AM
In response to Oryx
Jump to solution

Correct, Im pretty sure you cannot do that, unless you use one generic auth method, in which case users wont have a choice. There might be some way of doing this by modifying trac.defaults file, but I would confirm with TAC, to be certain.

Andy

Best,
Andy
"Have a great day and if its not, change it"

View solution in original post

0 Kudos
8 Replies
the_rock
MVP Diamond
MVP Diamond
‎2022-02-11 08:26 AM
Jump to solution

If you are not using AD to validate users and they are all local, sounds like the only way to do this would be to modify the individual user by modifying auth method once you edit the user in dashboard.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Oryx
Collaborator
‎2022-02-11 08:43 AM
In response to the_rock
Jump to solution

Hi the_rock,

But how can I differentiate the users that will require MFA on the VPN from users that will not need that with the auth method?

I'm not following when you say that I can achieve this with auth method.

Regards

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2022-02-11 08:57 AM
In response to Oryx
Jump to solution

No problem, Im simply referring to below when you edit the user in smart console. 

 
 

Screenshot_1.png

 

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Oryx
Collaborator
‎2022-02-11 09:18 AM
In response to the_rock
Jump to solution

Hi @the_rock 

I know the place of the configuration on the Smart Console.

But I think that will still not help me to achieve what the end customer wants. So, let says that we have User_A and User_B, both of them local within the Gateways and with priviledges to login on the Remote Access VPN. Then, I want that the User_A only can connect on the VPN with his credentials (Username and Password) on the Authentication Profile with MFA, but not on the Authentication Profile without MFA. Also, I want that the User_B can connect in both of the Authentication Profiles with or without MFA.

I hope I explained better what we need. And sorry If I was not clear on the first place.

Regards 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2022-02-11 09:48 AM
In response to Oryx
Jump to solution

Message me privately, lets do remote session.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2022-02-11 10:01 AM
In response to Oryx
Jump to solution

If you are referring to below setting, that has to be changed manually, UNLESS you use just one generic auth method on gateway

Screenshot_1.png

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Oryx
Collaborator
‎2022-02-12 01:43 AM
In response to the_rock
Jump to solution

Hi @the_rock 

 

That is exactly what I'm talking about. So, at the end of the day, the end users will always have the possibility to change that option, because we've two possible options for the authentication (Username/Password only, Username/Password + SMS).

As far as I known, I cannot disable that option in the VPN client of the end users. Also, I cannot avoid centrally that a end user successfully login in both authentication schemes.

Regards   

the_rock
MVP Diamond
MVP Diamond
‎2022-02-12 04:32 AM
In response to Oryx
Jump to solution

Correct, Im pretty sure you cannot do that, unless you use one generic auth method, in which case users wont have a choice. There might be some way of doing this by modifying trac.defaults file, but I would confirm with TAC, to be certain.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events