Just assisted with a Duo MFA setup for Check Point VPN clients.
https://help.okta.com/en/prod/Content/Topics/integrations/check-point-radius-intg-test.htm
I wanted to point out a few items that are easily missed:
When setting up the Duo proxy, the service port must be relayed to the firewall admin. It's typically 1812 or 1645.
Make sure to set the proper SERVICE in your RADIUS object.
When diagnosing connectivity from the Check Point security gateway, create a pcap on the interface that faces the Duo proxy to witness the traffic. You can always decode the datagram with radsniff and see the user details, including the password.
Tips
- If there is no response, check service_port (1645 or 1812) and the RADIUS server IP address.
- If the body of the request has a "CHAP" challenge, you need to convert the RADIUS client to "PAP".
- The response for valid logins would be an "Access-Accept" reply.
You can read more here:
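The checks in these tips can be scripted against the UDP payloads pulled from the pcap. The following is an added example, not code from the original post: the function names (`parse_radius`, `triage`, `build`) are hypothetical, and the three packets are constructed samples rather than captured traffic.

```python
import struct

# RADIUS packet codes and attribute types from RFC 2865
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60

def parse_radius(payload: bytes):
    """Return (code_name, {attr_type: [values]}) for one RADIUS UDP payload."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("bad length field")
    attrs, pos = {}, 20          # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(payload[pos + 2:pos + a_len])
        pos += a_len
    return CODES.get(code, f"code {code}"), attrs

def triage(payload: bytes) -> str:
    """Map one packet to the matching troubleshooting tip."""
    name, attrs = parse_radius(payload)
    if name == "Access-Request":
        user = attrs.get(USER_NAME, [b"?"])[0].decode(errors="replace")
        if CHAP_PASSWORD in attrs or CHAP_CHALLENGE in attrs:
            return f"{user}: CHAP request, switch the RADIUS client to PAP"
        if USER_PASSWORD in attrs:
            return f"{user}: PAP request"
        return f"{user}: request without a password attribute"
    if name == "Access-Accept":
        return "Access-Accept: valid login"
    return name

def build(code, attrs):
    """Assemble a sample packet with a zeroed authenticator (test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: a PAP request, a CHAP request and an accept
PAP_REQ = build(1, [(USER_NAME, b"alice"), (USER_PASSWORD, bytes(16))])
CHAP_REQ = build(1, [(USER_NAME, b"alice"), (CHAP_PASSWORD, bytes(17)), (CHAP_CHALLENGE, bytes(16))])
ACCEPT = build(2, [])
```

If a request leaves the gateway and no packet comes back at all, the parser never gets a reply to classify, which points back to the first tip (port and server address).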
http://socpuppet.blogspot.com/2017/04/securing-fortigate-sslvpn-with-mfa-by.html