Duo to handle secondary authentication


I have an SSL VPN device with users locally configured on it. I want the primary authentication to be from the users locally created on my SSL VPN device (Check Point firewall) and the secondary authentication to be Duo. I have deployed Duo Authentication Proxy and the config file looks like:



The traffic flow:

SSL VPN users connect to Gateway (Check Point) > Primary authentication using locally created users > Secondary authentication RADIUS server pointed to Duo.

Is this the correct way of doing it? If yes, how will the user/pwd entered by a client as a part of primary authentication be known to Duo and how will it verify against that username in the Duo Security cloud?

In this case, Duo is not working as a radius client or ad client.

That is how it would work for a device that supported chained authenticators with conditional progress (if auth source #1 succeeds, require auth source #2 success).

However, I am not sure that this is possible in Check Point Mobile Access, since you can only select one authentication method per security gateway, and I don’t think you can specify your own RADIUS authenticator as a source for DynamicID.

If you can get that working please come back here and let us know!

Thank you for the response. It looks like the DynamicID is supported for all Mobile Access and IPsec VPN clients. I will try this out and will let you know if I succeed.