Gonza1
Explorer

VPN - Integrate certificate + SCV + AzureMFA

Hello guys,

I'm pretty new with Check Point. I'm working with a customer that needs to accomplish the following:

Steps:

1- VPN authentication through certificate.

2- Client "lands" into a zone where SCV is performed.

3- If SCV is successful, then it authenticates with AzureMFA.

From what I could see in the KBs, SAML/IdP authentication is not compatible with anything else on the same login option, hence my concern about whether the above is doable.

Also, I could not find any docs that state the VPN process steps. Is there something like that? Something like "first this happens", then this, and so on...


Thanks in advance for your time and help.

Regards,

3 Replies
PhoneBoy
Admin

SCV is performed on the client side once the user has authenticated to the VPN successfully.
If the client fails the SCV check they will still remain connected but will only be allowed to communicate with the configured remediation networks.

Configuring certificate based authentication and SAML together in the Check Point configuration is not supported.
Review the fourth bullet point below from: https://downloads.checkpoint.com/dc/download.htm?ID=114551 


That said, if AzureAD (or whatever you're using for SAML authentication) supports the desired authentication methods in the desired order, they can be configured there.

Gonza1
Explorer

Hi, thanks for the prompt answer. Much appreciated.

Given this case, would it be possible to configure certificate-based authentication for VPN and then use SAML MFA within an authentication rule?


Thank you.

Regards,

PhoneBoy
Admin

Authentication via Remote Access is generally considered sufficient for Identity Awareness purposes.
However, it's not enabled as an Identity Source by default for Identity Awareness.
So...might work? Don't know for sure.
