Hello
When implementing MFA and RADIUS authentication such as Duo/OKTA in a multi-site scenario, is the user getting a separate MFA request for each gateway when accessing a resource that is behind it, even when password caching is defined?
Thanks
Yes. In our testing of MFA using MS Authenticator this was the case. At this time I don't know if there is a resolution to this issue. Deeper investigation into our setup showed that MS NPS (RADIUS server) could not take into account any previous session information. So users saw Authenticator prompts every time the VPN client connected to a Secondary Gateway.
I think mileage may vary depending on the RADIUS server implementation, as I know that some RADIUS implementations can account for existing sessions and then bypass the MFA request.
It would be great if CP could let us know what, if anything, is on the roadmap for this MFA use case. I would certainly welcome a resolution.
The challenge here is around the fact that each secondary GW is not aware of the second factor entered by the primary GW. In a RADIUS example the VPN treats the authentication as a black box and passes the challenges to the client until the RADIUS server is done.
So the options are:
1. Make the RADIUS server aware of prior authentications and not prompt for the second factor
2. Work towards having SAML based authentication in the client in order to leverage the IDP SSO.
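An added sketch of option 1 from the post above (not part of the original thread and not Check Point, Duo, Okta or NPS code): a hypothetical `PriorAuthCache` on the RADIUS side that skips the second-factor challenge when the same user, from the same client address, completed it within a short window. The class, its TTL and the use of the client address reported by the gateway (for example in Calling-Station-Id) as the binding key are assumptions.

```python
import time
from dataclasses import dataclass, field


@dataclass
class PriorAuthCache:
    """Hypothetical RADIUS-side record of recent second-factor successes."""
    ttl_seconds: int = 300
    _seen: dict = field(default_factory=dict)  # (user, client_ip) -> expiry time

    def decide(self, user, client_ip, password_ok, now=None):
        """Reply type for an Access-Request arriving via any gateway."""
        now = time.time() if now is None else now
        if not password_ok:
            return "Access-Reject"          # first factor is always checked
        expiry = self._seen.get((user, client_ip))
        if expiry is not None and now < expiry:
            return "Access-Accept"          # second factor already done recently
        self._seen.pop((user, client_ip), None)
        return "Access-Challenge"           # prompt for the second factor

    def record_second_factor(self, user, client_ip, now=None):
        """Call only after the challenge was answered successfully."""
        now = time.time() if now is None else now
        self._seen[(user, client_ip)] = now + self.ttl_seconds


def simulate():
    """Constructed requests: (time in s, gateway, user, client address)."""
    cache = PriorAuthCache(ttl_seconds=300)
    requests = [
        (0, "gw-primary", "alice", "198.51.100.7"),
        (20, "gw-secondary", "alice", "198.51.100.7"),   # same client, in window
        (40, "gw-secondary", "alice", "203.0.113.9"),    # different client address
        (400, "gw-secondary", "alice", "198.51.100.7"),  # window expired
    ]
    events = []
    for t, gateway, user, ip in requests:
        reply = cache.decide(user, ip, password_ok=True, now=t)
        if reply == "Access-Challenge":
            cache.record_second_factor(user, ip, now=t)  # assume user approves
        events.append((gateway, reply))
    return events


if __name__ == "__main__":
    for gateway, reply in simulate():
        print(f"{gateway}: {reply}")
```

Binding the cache entry to the client address and keeping the window short limits the bypass to the same endpoint that just completed the second factor; a wrong password is rejected regardless of the cache.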
Well said. Thanks.
When will number 2 above make it into a product release? This seems the best direction forward.
Thanks
I guess SAML can be the solution since RADIUS/RADIUS proxies can support a session cookie to bypass the second MFA authentication.
But, which version of CP and client support SAML..?
Hi,
For general availability: The next R80.40 Jumbo should have the SAML capabilities (should be released before the end of the month) and the Client side GA should be released in the next few days.
For Customer Release - one has been available through Solution Center for several months now.
Thanks Tzvi
I will wait till the end of the month to test both
Just one more question..
Is there a best practice recommendation to implementing/not implementing "Secondary Connect"?
I think that secondary connect is a more "Slick" solution than routing the traffic via the STS..
But maybe I am wrong here?
Is this in take 102?
I have tried to look for the specific support in the release notes ..
Hi,
It should be in the next take following 102, it seems it had yet to be released. Stay tuned, since I understand it should be released shortly.
Thanks
Thanks!
Hello,
R80.40 JHF T114 was released with SAML support for RA IPsec VPN
Thanks for the update!