SaxMan
Participant

2FA with SMB 1500 (R80.20.30)

Hi,
Are there any "workarounds"/solution(s) for the following scenario?
Appliance: SMB 1550 with R80.20.30.
On-premise 2FA Appliance (based on FreeRadius)
Issue:
We've successfully integrated 2FA/Radius appliance with AD and it "pulls" through the relevant VPN users group via FilterID.
When we have Radius/2FA server defined as the ONLY Authentication Server, the VPN users successfully authenticate with OTP.
Once we add the AD server, 2FA does not work (even if we create a dummy AD group for the 1550 to read).
We do, however, need the AD server for building specific rules in the Access Policy.

Any suggestions/advice would be greatly appreciated.

Thanks.


0 Kudos
6 Replies
G_W_Albrecht
Legend

sk137732 ?

CCSE CCTE SMB Specialist
0 Kudos
SaxMan
Participant

Thanks a million.
Yip.
Read through that doc/SK - I just thought there might be a chance of someone on the community successfully implementing it (with AD, of course).
The 2FA solution works with other SMB brands (with AD + Radius) so we're trying to compete with our CheckPoint POV/POCs.
Thank you for the prompt feedback.

0 Kudos
PhoneBoy
Admin

But sk137732 is for locally managed SMB and you’re talking about using Access Roles in rules.
Is this a centrally managed SMB?

0 Kudos
SaxMan
Participant

Hi,
Thanks for the response.

Locally managed 1500.
My original post should've read:
On the 1500 we want to use AD to define rules under Access Policy -> Policy 
(example: Outgoing - Source: (AD Group)marketing -> Dest:internet -> Service:Facebook Business -> Action: accept -> Log)

The Radius server will sync with AD and filter out the VPN users and do the 2FA.
So ideally, have both AD and Radius configured under Authentication Servers.
(Right now we have to remove AD from the Auth Servers list, and then 2FA works 100%.)

I hope this makes sense?

Thanks.

0 Kudos
PhoneBoy
Admin

Yes, it makes sense, therefore it seems sk137732 would apply.

SaxMan
Participant

Great stuff.
Thanks.

So, here's the Million Dollar question: 😀
Any chance that there might be a solution/enhancement on a roadmap soon?


0 Kudos