This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
seanmc12
Contributor
‎2023-11-12 01:29 PM

Checkpoint R81.10 VPN MFA with OKTA radius

I am trying to setup MFA on my Checkpoint VPN via OKTA radius agent. I'm utilizing the steps provided by Checkpoint which point to OKTA. We went through every step with the exception of the last couple that involve Mobile section at the tail end as we are not utilizing that. We are running R81.10 and some of the items are in different places from the documentation we were provided by Checkpoint. Everything is configured and then on the Client itself, we changed from Username/Password auth to STANDARD. After doing that, we are able to hit the connect button on the client, it prompts you to enter in your username, but the password field is greyed out. You press continue and then it pops up a box that says Response, but I'm not receiving any pushes from OKTA verify, Cell texts or anything for which to enter in a response in the Checkpoint client. Spent 3 hours on the phone with OKTA and Checkpoint support together this morning and ended up just submitting VPN Debug logs and no Checkpoint VPN w/MFA. Anyone else get this to working? Mind sharing your process?

Any help is greatly appreciated.

https://help.okta.com/en-us/content/topics/integrations/check-point-radius-intg.htm

Labels
0 Kudos
7 Replies
the_rock
Legend
Legend
‎2023-11-12 07:27 PM

Personally, I think running vpn debugs here is not useful, just my opinion, as you are not having issue with site to site vpn tunnel traffic. 

Having read all you indicated, I am fairly confident its something missing in the config. Are you able to share some screenshots of how you configured this? My colleague and I got this working in the lab before and we actually followed document I attached, along with the script on the mgmt server,

Regards,

Andy

Preview file
624 KB
Preview file
9 KB
0 Kudos
seanmc12
Contributor
‎2023-11-13 05:30 AM
In response to the_rock

Attached a screen shots of our config and the Checkpoint provided link to the process. https://help.okta.com/oie/en-us/content/topics/integrations/check-point-radius-intg-conf-gateway.htm On the Client side, we changed the Authentication from Username/PW to Standard. There are some steps regarding enabling Mobile Access at the bottom of the instructions. "Configure browser access to the Check Point Mobile Access SSL VPN portal"

Does that need to be done?

 

Preview file
167 KB
0 Kudos
the_rock
Legend
Legend
‎2023-11-13 05:46 AM
In response to seanmc12

This is what Im interested in. Are you able to send that please? And blur out any sensitive info.

Andy

 

Screenshot_1.png

0 Kudos
seanmc12
Contributor
‎2023-11-13 06:02 AM
In response to the_rock

 

Here you go

 

 

Preview file
130 KB
0 Kudos
the_rock
Legend
Legend
‎2023-11-13 06:19 AM
In response to seanmc12

I think the way it was done is the issue, in my opinion. Whenever I did this with the customers, I would add auth methods as SEPARATE entities (if you will), meaning say if radius is preferred auth method, then you set it as first in the list, or even set it as global auth method and then have it as only method in the list. Do you require anyone to log in as user/pass? If you do, then simply enable it on the user settings locally in the dashboard and have user/pass method as separate auth method in the list (radius first, user/pass second).

Makes sense?

Andy

0 Kudos
Alex-
Advisor
Advisor
‎2023-11-13 09:38 AM
In response to the_rock

I agree. I deployed Okta w/ RADIUS with a dedicated authentication realm and it worked.

It's been a while but ensure you use samaccountname + domain name as login factor and check that Okta performs primary authentication and your users and groups are provisioned within the Okta directory.

the_rock
Legend
Legend
‎2023-11-13 09:40 AM
In response to Alex-

Exactly. I had done it that way 3 times and worked fine.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events