
Setting up Check Point Remote Access VPN two-factor authentication

General information

This article describes how to configure Check Point Remote Access VPN so that users are authenticated with a second factor delivered through MultiFactor.

Possible authentication methods:

  • MultiFactor Mobile Application
  • SMS
  • Hardware OTP tokens
  • OTP applications: Google Authenticator or Yandex.Key
  • Telegram

To configure the second factor of authentication, you will need to install and configure the MultiFactor Radius Adapter.

Note

The second factor can also be configured in interactive (dialogue) mode: after the password has been checked, the user is prompted in the VPN client to enter a one-time code or confirm the request.


How it works

  1. The user connects to the VPN and enters the login and password in the Remote Access client;
  2. Check Point NGFW forwards the credentials to the MultiFactor Radius Adapter component over the RADIUS protocol;
  3. The MultiFactor Radius Adapter checks the user's login and password in Active Directory or Network Policy Server and then requests a second factor of authentication;
  4. The user confirms the access request on the phone or enters a one-time code in the Remote Access VPN client (Endpoint Security/MAB).
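The exchange in steps 2 to 4, and the interactive (dialogue) mode mentioned in the note above, modelled as an added example. This is not MultiFactor's or Check Point's code: it is a minimal RFC 2865 RADIUS/PAP implementation in which a gateway function sends an Access-Request, the adapter function checks the password against a constructed user store, answers with Access-Challenge carrying a State attribute, and the gateway replies with the one-time code. The shared secret, the user "jdoe" with password "P@ssw0rd" and the code "123456" are constructed test data; a real adapter obtains and verifies the second factor through MultiFactor.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

SHARED_SECRET = b"constructed-shared-secret"   # constructed; configured on both sides
USERS = {b"jdoe": b"P@ssw0rd"}                  # constructed stand-in for AD / NPS
PENDING_OTP = {}                                # State value -> expected one-time code


def encode_pap_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((-len(password)) % 16 or (16 if not password else 0))
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_pap_password(encoded, secret, authenticator):
    """Inverse of encode_pap_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def build_response(code, request, secret, attrs):
    """Response Authenticator = MD5(code+id+len + request authenticator + attrs + secret)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret):
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def adapter_handle(request, secret=SHARED_SECRET):
    """Adapter side: first factor against the user store, then an Access-Challenge for the OTP."""
    code, ident, req_auth, attrs = parse_packet(request)
    a = dict(attrs)
    user = a.get(USER_NAME, b"")
    password = decode_pap_password(a[USER_PASSWORD], secret, req_auth)
    if STATE in a:                                    # second leg: the OTP arrives as User-Password
        expected = PENDING_OTP.pop(a[STATE], None)
        ok = expected is not None and hmac.compare_digest(password, expected)
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret, [])
    if not hmac.compare_digest(USERS.get(user, b""), password):
        return build_response(ACCESS_REJECT, request, secret, [])
    state = os.urandom(8)
    PENDING_OTP[state] = b"123456"                    # constructed; a real adapter gets this from MultiFactor
    return build_response(ACCESS_CHALLENGE, request, secret,
                          [(REPLY_MESSAGE, b"Enter one-time code"), (STATE, state)])


def gateway_login(user, password, otp, secret=SHARED_SECRET, send=adapter_handle):
    """Gateway side: Access-Request, answer the challenge with the OTP, return the final code."""
    auth1 = os.urandom(16)
    req1 = build_packet(ACCESS_REQUEST, 1, auth1, [
        (USER_NAME, user),
        (USER_PASSWORD, encode_pap_password(password, secret, auth1))])
    resp1 = send(req1)
    if not verify_response(resp1, req1, secret):
        raise ValueError("bad Response Authenticator: shared secret mismatch or tampering")
    code, _, _, attrs = parse_packet(resp1)
    if code != ACCESS_CHALLENGE:
        return code
    auth2 = os.urandom(16)
    req2 = build_packet(ACCESS_REQUEST, 2, auth2, [
        (USER_NAME, user),
        (USER_PASSWORD, encode_pap_password(otp, secret, auth2)),
        (STATE, dict(attrs)[STATE])])                 # State echoed back unchanged
    resp2 = send(req2)
    if not verify_response(resp2, req2, secret):
        raise ValueError("bad Response Authenticator on challenge reply")
    return parse_packet(resp2)[0]


if __name__ == "__main__":
    print("accept" if gateway_login(b"jdoe", b"P@ssw0rd", b"123456") == ACCESS_ACCEPT else "reject")
```

Two things the model makes visible that the GUI steps do not: the one-time code travels in the User-Password attribute, which is why the RADIUS object must use PAP rather than a challenge-hash method; and a shared secret mismatch does not produce an error on the adapter, it produces a garbage password (an Access-Reject) and a Response Authenticator the gateway cannot verify.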

Configuring Check Point NGFW

Launch the SmartConsole management console.

Setting up a RADIUS server

You need to create a new RADIUS server object.

  1. On the right side, in the objects section, select New > Server > More > RADIUS and make the following settings:
    • Name: Multifactor Radius Server;
    • Host: address of the MultiFactor Radius Adapter component (create a new object or select an existing one);
    • Service: NEW-RADIUS (port 1812/UDP);
    • Shared Secret: the value from the component settings (the same secret must be configured on both sides);
    • Version: RADIUS Ver. 2.0;
    • Authentication method: PAP.

PAP is required because the one-time code is sent to the adapter in the User-Password attribute. RADIUS only obfuscates that attribute with the shared secret, so keep the gateway-to-adapter path on a trusted network segment and use a long, random shared secret.

Setting up Remote Access VPN in Check Point

  1. Open the Check Point Security Gateway object settings, Mobile Access -> Authentication section. Open Settings:
    • Allow newer clients that support Multiple Login Options to use this authentication method: yes;
    • Authentication method: RADIUS;
    • Server: Multifactor Radius Server.
  2. Repeat the setup for VPN Clients -> Authentication. As a result, both sections should point at the Multifactor Radius Server object with RADIUS as the authentication method.

Setting up a user group

On the right side, in the objects section, select New > More > User > Access Role. Set the parameters for the new object and specify the source of user data (the directory users or groups that are allowed to connect).

Setting up access policy

Under Security policies > Policy, create a new rule for Remote Access VPN user access to the internal network:

* Source: <the Access Role created earlier>
* VPN: RemoteAccess

Configuring the RADIUS server timeout

  1. Click on the icon in the upper left corner and select Global Properties -> Advanced -> Configure -> FireWall-1 -> Authentication -> RADIUS.
  2. Increase radius_retrant_timeout to 60 seconds, so that the gateway waits long enough for the user to confirm the push notification or enter the one-time code before it retransmits the request.
