Active directory and check point firewall

jpATM · February 16, 2021, 9:56pm

I want to create a jump box accessed through a check point firewall that is connected to an internal domain. I also want to leverage this active directory for logins.

However, I cannot reliably get the auth proxy to work unless the DC has a connection to the check point. I have checked the proxy conf for the IP to point to the DC, but unless the check point has access to the DC, I get 2 sequential push notifications on duo and an authentication failure complaining about Office Mode.

What am I missing?

DuoPablo · February 17, 2021, 11:48pm

Hi @jpATM,

Looking at the authproxy.log would be a good place to start in determining a possible cause. You can enable debug logging for more verbose output as described here: Knowledge Base | Duo Security

Guide to interpreting Authentication Proxy logs: Knowledge Base | Duo Security

Is there anything of interest in this log when you attempt an auth that results in failure?

Also, what version of Duo Authentication Proxy are you currently running?

Lastly, what is the exact error message regarding Office Mode?

Thanks!

jpATM · February 18, 2021, 7:24pm

@DuoPablo I am using Duo Security Authentication Proxy 3.2.4
According to the log, the authentication proxy is sending a second request to the radius server after the first one is accepted.

The exact error is as follows:
Connection Failes
You are not authorized to receive an Office Mode IP address. Office Mode might not be configured or it is only permitted for specified users.

If I connect the DC to the firewall then only one request is sent to the radius server and the connection is made.

DuoPablo · February 18, 2021, 11:29pm

@jpATM Thank you for supplying the requested information.

Is Office Mode enabled on the CheckPoint firewall?

If I connect the DC to the firewall then only one request is sent to the radius server and the connection is made

^Is the Duo Auth Proxy being used at all in this scenario? If not, please try the suggestion mentioned here: Knowledge Base | Duo Security

If the Duo Auth Proxy is being used in both scenarios, we can review the [ad_client] and [radius_server_auto] configs as well as the authproxy.log entries. The CheckPoint firewall shouldn’t need direct access to the primary auth source as referenced here: Two-Factor Authentication for Check Point Mobile Access | Duo Security

jpATM · February 24, 2021, 6:14pm

I think I’ve found the source of the problem. Office Mode is configured for a vpn_users group, but the LDAP for this group is Domain Controller. Is it possible to use the Duo Authentication Proxy as the LDAP for the vpn_users group?

jpATM · February 24, 2021, 6:53pm

I found the solution:

The Check Point Device is configured to offer Office Mode to VPN Users. I had to set up the Duo Authentication Proxy to act as an LDAP and point to my DC. I used the following article:

https://duo.com/docs/ldap

Can I set multiple AD_Clients? For instance, if I have 2 DCs and I want to use the secondary DC for authentication if the LDAP cannot contact the primary.

-Joe

DuoPablo · February 24, 2021, 8:46pm

Yes, @jpATM - You may use multiple DCs (hosts) as fallbacks. Please see the the ad_client options listed here: Duo Authentication Proxy Reference | Duo Security

Your authproxy.cfg would look similar to this:
[ad_client]
host=1.2.3.4
host_2=1.2.3.5
host_3=1.2.3.6

By default, the Auth Proxy will wait 10 seconds before trying the next Domain Controller: Knowledge Base | Duo Security

Hope this helps!