Galb
Explorer

MFA and secondary connect / Multi sites

Hello

When implementing MFA and RADIUS authentication such as Duo/Okta in a multi-site scenario:

Does the user get a separate MFA request for each gateway when accessing a resource behind it, even when password caching is defined?


Thanks 

Ave_Joe
Contributor

Yes. In our testing of MFA using MS Authenticator this was the case. At this time I don't know if there is a resolution to this issue. Deeper investigation into our setup showed that MS NPS (RADIUS server) could not take into account any previous session information, so users saw Authenticator prompts every time the VPN client connected to a Secondary Gateway.

I think mileage may vary depending on the RADIUS server implementation, as I know that some RADIUS implementations can account for existing sessions and then bypass the MFA request.

It would be great if CP could let us know what, if anything, is on the roadmap for this MFA use case. I would certainly welcome a resolution.

Tzvi_Katz
Employee

The challenge here is that each secondary GW is not aware of the second factor entered at the primary GW. In a RADIUS example the VPN treats the authentication as a black box and passes the challenges to the client until the RADIUS server is done.

So the options are:

1. Make the RADIUS server aware of prior authentications and not prompt for the second factor.

2. Work towards having SAML-based authentication in the client in order to leverage the IdP SSO.

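Option 1 above (a RADIUS server or proxy that remembers a recently completed second factor and accepts password-only re-authentication from a secondary gateway) as an added simulation. This is illustrative code written for this thread, not Check Point's, Microsoft NPS's or any RADIUS product's implementation. It assumes a constructed credential store (user "alice", a fixed OTP), a 300-second reuse window, and RADIUS attribute names from RFC 2865 (User-Name, User-Password, State, NAS-Identifier, Calling-Station-Id) carried in a plain dict rather than real packets. Running it without the cache reproduces the prompt-per-gateway behaviour described in the thread; with the cache, the secondary gateway gets an Access-Accept without a second prompt.

```python
"""Simulated RADIUS MFA decision logic, with and without a "recent MFA" cache.

Constructed illustration: models the policy decision only, not a real RADIUS
server. Attribute names follow RFC 2865; requests are plain dicts.
"""
import secrets
from dataclasses import dataclass, field

# Constructed credential store for the simulation. A real server verifies the
# password against the directory and the OTP against the MFA provider.
USERS = {"alice": {"password": "correct-horse", "otp": "492817"}}

ACCEPT, REJECT, CHALLENGE = "Access-Accept", "Access-Reject", "Access-Challenge"


@dataclass
class MfaCache:
    """Remembers when a (user, client) pair last completed the second factor.

    Keyed on the client (Calling-Station-Id) as well as the user so that a
    stolen password presented from a different client does not ride the window.
    """
    ttl_seconds: int = 300
    _seen: dict = field(default_factory=dict)

    def remember(self, user, client, now):
        self._seen[(user, client)] = now

    def is_fresh(self, user, client, now):
        done_at = self._seen.get((user, client))
        return done_at is not None and 0 <= now - done_at <= self.ttl_seconds


class RadiusMfaPolicy:
    def __init__(self, cache=None):
        self.cache = cache   # None reproduces a server with no session memory
        self.pending = {}    # State value -> user awaiting an OTP reply

    def access_request(self, req, now):
        """Decide on one Access-Request; returns (code, reply attributes)."""
        user, client = req["User-Name"], req["Calling-Station-Id"]
        record = USERS.get(user)
        if record is None:
            return REJECT, {"Reply-Message": "unknown user"}

        # Second leg of challenge/response: State echoed, User-Password carries the OTP.
        if "State" in req:
            if self.pending.pop(req["State"], None) != user:
                return REJECT, {"Reply-Message": "unknown or replayed State"}
            if not secrets.compare_digest(req["User-Password"], record["otp"]):
                return REJECT, {"Reply-Message": "bad OTP"}
            if self.cache is not None:
                self.cache.remember(user, client, now)
            return ACCEPT, {"Reply-Message": "MFA ok"}

        # First leg: check the password, then decide whether a second factor is needed.
        if not secrets.compare_digest(req["User-Password"], record["password"]):
            return REJECT, {"Reply-Message": "bad password"}
        if self.cache is not None and self.cache.is_fresh(user, client, now):
            return ACCEPT, {"Reply-Message": "recent MFA from this client reused"}
        state = secrets.token_hex(8)
        self.pending[state] = user
        return CHALLENGE, {"State": state, "Reply-Message": "Enter OTP"}


def simulate(use_cache, second_client="10.0.0.5", delay=60):
    """Script the two-gateway scenario from the thread and return the response codes.

    Sequence: primary GW (password) -> primary GW (OTP) -> secondary GW (password).
    """
    policy = RadiusMfaPolicy(MfaCache(ttl_seconds=300) if use_cache else None)
    base = {"User-Name": "alice", "Calling-Station-Id": "10.0.0.5"}
    codes = []

    code, reply = policy.access_request(
        {**base, "NAS-Identifier": "gw-primary", "User-Password": "correct-horse"}, now=1000)
    codes.append(code)
    code, _ = policy.access_request(
        {**base, "NAS-Identifier": "gw-primary", "User-Password": "492817",
         "State": reply["State"]}, now=1005)
    codes.append(code)
    code, _ = policy.access_request(
        {**base, "Calling-Station-Id": second_client, "NAS-Identifier": "gw-secondary",
         "User-Password": "correct-horse"}, now=1005 + delay)
    codes.append(code)
    return codes


if __name__ == "__main__":
    print("no cache:     ", simulate(use_cache=False))   # Challenge, Accept, Challenge
    print("with cache:   ", simulate(use_cache=True))    # Challenge, Accept, Accept
    print("other client: ", simulate(use_cache=True, second_client="203.0.113.9"))
    print("window expired:", simulate(use_cache=True, delay=600))
```

Two caveats a practitioner would want with such a cache: Calling-Station-Id is supplied by the NAS (the gateway), so the binding is only as trustworthy as the gateways themselves, and the reuse window should be kept short, since within it a password alone is enough from that client.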
Ave_Joe
Contributor

Well said.  Thanks.

When will number 2 above make it into a product release?  This seems the best direction forward.

Galb
Explorer

Thanks 

I guess SAML can be the solution, since RADIUS/RADIUS proxies can support a session cookie to bypass the second MFA authentication.
But which versions of CP and the client support SAML?

Tzvi_Katz
Employee

Hi,

For general availability: the next R80.40 Jumbo should have the SAML capabilities (it should be released before the end of the month), and the client-side GA should be released in the next few days.

For a Customer Release: one has been available through the Solution Center for several months now.

Galb
Explorer

Thanks Tzvi

I will wait until the end of the month to test both.

Galb
Explorer

Just one more question.
Is there a best-practice recommendation for implementing (or not implementing) "Secondary Connect"?
I think that Secondary Connect is a more "slick" solution than routing the traffic via the STS.

But maybe I am wrong here?

Galb
Explorer

Is this in take 102?
I have tried to look for the specific support in the release notes.

Tzvi_Katz
Employee

Hi, 

It should be in the next take following 102; it seems it has yet to be released. Stay tuned, since I understand it should be released shortly.

Thanks

Galb
Explorer

Thanks!

Tzvi_Katz
Employee

Hello, 

R80.40 JHF T114 was released with SAML support for RA IPsec VPN.

[attached screenshot of the release notes: SAML_RA_RN.jpg]

Galb
Explorer

Thanks for the update!
