This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
tmnetsec
Explorer
‎2023-06-23 09:09 AM
Jump to solution

Using one external user profile for two different MFA connections

Currently we have a MFA solution deployed using SecurID and this uses the external generic* authentication profile which has the SecurID option selected. 

I am now doing a PoC for Checkpoint VPN clients using SAML and Azure MFA as per Remote Access VPN R81.20 Administration Guide (checkpoint.com)

The guide says that the SAML Identity Provider needs an external generic* authentication profile as well. Can I change the authentication scheme in the existing generic* profile to Undefined that will allow the users to connect either using SecurID or Identity Provider?  Current options in the drop down in the authentication tab are undefined/SecurID/Identity Provider/RADIUS/etc. Using the multiple authentication options for the VPN client, the plan is to provide the VPN user the option to select SecurID or Azure MFA to connect to the VPN.

Is this possible with a single generic* external authentication profile?

 

 

0 Kudos
1 Solution

Accepted Solutions
tmnetsec
Explorer
‎2023-06-29 02:06 AM
In response to PhoneBoy
Jump to solution

Hi @PhoneBoy I tried what you said and managed to get this working on R81.20. Here are the steps if any one else wants to try it:

1) In Smart Dashboard, changed the external generic* profile authentication method from SecurID to Undefined

2) Then I created two authentication schemes for the VPN clients; one for SecurID and the second for Azure Identity Provider

3) The user can manually select the authentication in the Endpoint client and connect successfully to the chosen method

Thanks!

View solution in original post

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2023-06-26 10:14 AM
Jump to solution

I'm fairly certain changing this to Undefined will break SecurID.
I'm not certain if SAML requires the setting in generic* to actually be "Undefined" or just that it merely exist.
If the latter, then it should work for both, but I'm not confident that it will work/be supported.

0 Kudos
tmnetsec
Explorer
‎2023-06-29 02:06 AM
In response to PhoneBoy
Jump to solution

Hi @PhoneBoy I tried what you said and managed to get this working on R81.20. Here are the steps if any one else wants to try it:

1) In Smart Dashboard, changed the external generic* profile authentication method from SecurID to Undefined

2) Then I created two authentication schemes for the VPN clients; one for SecurID and the second for Azure Identity Provider

3) The user can manually select the authentication in the Endpoint client and connect successfully to the chosen method

Thanks!

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-29 06:39 AM
In response to tmnetsec
Jump to solution

Only caveat I see here is that you need to make sure you're not using the "legacy" (defined on user method) option.
Glad it works, however. 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events