Saturday, April 30, 2022

DUO on checkpoint for remote access tips from vault

Just assisted in a DUO-MFA for vpn clients in a checkpoint DUO MFA setup 

  https://help.okta.com/en/prod/Content/Topics/integrations/check-point-radius-intg-test.htm


I wanted to point out a few items that are easily missed


When setting up the DUO-PRoxy the service port must be relay to the firewall admin. It's typically 1812 or 1645.


Make sure to set the proper SERVICE in your radius object 


When diagnosing connectivity from the checkpoint security gateway, the interfaces that faces the  DUO-PROXY should have a pcap create to witness the traffic, You can always decode the radsniff datagram and see the user details to include password.




Tips
  •   if no response ; check service_port ( 1645 or 1812 )  and radius server ip.address
  •   if the body of the request has a "chap" challenge you need to convert the radius-client to "PAP"
  •   the response for valid logins would be a "Access-Accept" reply 

You can read more here ;

http://socpuppet.blogspot.com/2017/04/securing-fortigate-sslvpn-with-mfa-by.html








NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

         o
      /      \ 







No comments:

Post a Comment