Configure Two-Factor Authentication for Check Point Remote Access VPN

Overview

This article shows how to set up two-factor authentication for Check Point Remote Access VPN client connections.

Available authentication methods:

Prerequisites: Install and configure MultiFactor Radius Adapter to allow two-factor authentication.

The user connects to the VPN, enters the login and password in the Remote Access client (VPN client list with 2fa support);
Check Point NGFW connects to MultiFactor Radius Adapter component via RADIUS protocol;
The component or Check Point NGFW checks the user's login and password in Active Directory or Network Policy Server and requests the second authentication factor;
The user confirms his access request with a selected Multifactor authentication method or with a one-time passcode in the Remote Access VPN client (Endpoint Security/MAB).

Open the Check Point SmartConsole.

Create a new Radius server object.

Select New > Server > More > RADIUS in the objects section:

Name: Multifactor Radius Server;
Host: Address of MultiFactor Radius Adapter component (create a new object or select an existing one);
Service: NEW-RADIUS (port 1812);
Shared Secret: provide value from Multifactor Radius Adapter component settings;
Verison: RADIUS Ver. 2.0;
Authentication method: PAP.

Open the Check Point Security Gateway object settings in the VPN Clients/Mobile Access -> Authentication section:

Use Username and Password as a first factor and RADIUS (Multifactor) as the second factor;
Use RADIUS (Multifactor) as the first and second factors.

Under objects section select New > More > User > Access Role. Set the parameters for the new object and specify the source of user data.

Under Security Policies > Policy > create a new policy for Remote Access VPN users to access the internal network: