04-17-2020 09:58 AM
Hi,
I have an SSL VPN device with users locally configured on it. I want the primary authentication to be from the users locally created on my SSL VPN device (Check Point firewall) and the secondary authentication to be Duo. I have deployed Duo Authentication Proxy and the config file looks like:
[duo_only_client]
[radius_server_auto]
ikey=
skey=
api_host=
radius_ip_1=x.x.x.x
radius_secret_1=password
client=duo_only_client
port=1812
The traffic flow:
SSL VPN users connect to Gateway (Check Point) > Primary authentication using locally created users > Secondary authentication RADIUS server pointed to Duo.
Is this the correct way of doing it? If yes, how will the user/pwd entered by a client as a part of primary authentication be known to Duo and how will it verify against that username in the Duo Security cloud?
In this case, Duo is not working as a radius client or ad client.
04-20-2020 06:29 AM
That is how it would work for a device that supported chained authenticators with conditional progress (if auth source #1 succeeds, require auth source #2 success).
However, I am not sure that this is possible in Check Point Mobile Access, since you can only select one authentication method per security gateway, and I don’t think you can specify your own RADIUS authenticator as a source for DynamicID.
If you can get that working please come back here and let us know!
04-20-2020 07:04 AM
Thank you for the response. It looks like the DynamicID is supported for all Mobile Access and IPsec VPN clients. I will try this out and will let you know if I succeed.