This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Galb
Explorer
‎2021-04-13 12:12 AM

MFA and secondary connect / Multi sites

Hello

When implementing MFA and Radius authentication such as Dou/OKTA in a multi sites scenario.

is the user getting a separate MFA request for each gateway when accessing a resource that is behind it even when password caching is defined ?

 

Thanks 

0 Kudos
12 Replies
Ave_Joe
Collaborator
‎2021-04-13 06:54 AM

Yes.   In our testing of MFA using MS Authenticator this was the case.  At this time I don't know if there is a resolution to this issue.  Deeper investigation into our setup showed that MS NPS (Radius Server) could not take into account any previous session information. So users saw Authenticator prompts everytime the VPN client connected to a Secondary Gateway.

I think mileage may vary depending on the radius server implementation as I know that some radius implementations can account for existing sessions and then by-pass the MFA request.

It would be great if CP could let us know what if anything is on the roadmap for this MFA use case.  I would certainly welcome a resolution.

Tzvi_Katz
Employee
Employee
‎2021-04-13 07:45 AM

The challenge here is around the fact that each secondary GW is not aware of the second factor entered by the primary GW. In a RADIUS example the VPN treat the authentication as  black box and passes the challenges to the client till the RADIUS server is done. 

So the options are: 

1. Make the RADIUS server aware of prior authentications and not prompt second factor 

2. Work towards having SAML based authentication in the client in order to leverage the IDP SSO. 

0 Kudos
Ave_Joe
Collaborator
‎2021-04-13 08:03 AM
In response to Tzvi_Katz

Well said.  Thanks.

When will number 2 above make it into a product release?  This seems the best direction forward.

0 Kudos
Galb
Explorer
‎2021-04-14 05:53 AM
In response to Tzvi_Katz

Thanks 

I guess SAML can be the solution since RADIUS/RADIUS proxies can support session cookie to bypass the second MFA authentication.
But, which version of CP  and client support SAML..?

0 Kudos
Tzvi_Katz
Employee
Employee
‎2021-04-18 02:46 AM
In response to Galb

Hi,

For general availability: The next R80.40 Jumbo should have the SAML capabilities (should be released before the end of the month) and the Client side GA should be released in the next few days. 

For Customer Release - one is available through Solution Center for several months now.  

0 Kudos
Galb
Explorer
‎2021-04-18 07:51 AM
In response to Tzvi_Katz

Thanks Tzvi

I will wait till the end of the month to test both

0 Kudos
Galb
Explorer
‎2021-04-18 08:25 AM
In response to Tzvi_Katz

Just one more question..
Is there a best practice  recommendation to implementing/not implementing "Secondary Connect"?
I think that secondary connect is a more "Slick" solution than routing the traffic via the STS..

But maybe I am wrong here?

0 Kudos
Galb
Explorer
‎2021-04-21 11:48 PM
In response to Tzvi_Katz

Is this in take 102?
I have tried to look for the specific support in the release notes ..

0 Kudos
Tzvi_Katz
Employee
Employee
‎2021-04-22 02:53 AM
In response to Galb

Hi, 

It should be in the next take following 102, it seems it had yet to be released. Stay tuned, since I understand it should be released shortly. 

 

Thanks

0 Kudos
Galb
Explorer
‎2021-04-22 09:02 AM
In response to Tzvi_Katz

Thank!

0 Kudos
Tzvi_Katz
Employee
Employee
‎2021-04-25 11:52 PM
In response to Galb

Hello, 

R80.40 JHF T114 was released with SAML support for RA IPsec VPN 

SAML_RA_RN.jpg

 

0 Kudos
Galb
Explorer
‎2021-04-26 04:06 AM
In response to Tzvi_Katz

Thanks for the update!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events