Configure Two-Factor Authentication for Check Point Remote Access VPN
Overview
This article shows how to set up two-factor authentication for Check Point Remote Access VPN client connections.
Available authentication methods:
- SMS;
- Hardware OTP tokens;
- OTP applications: Google Authenticator or Yandex.Key;
- Telegram;
- Mobile application (soon).
Prerequisites: Install and configure MultiFactor Radius Adapter to allow two-factor authentication.
Operation Principle
- The user connects to the VPN and enters the login and password in the Remote Access client (VPN client list with 2FA support);
- Check Point NGFW connects to the MultiFactor Radius Adapter component over the RADIUS protocol;
- The component or Check Point NGFW checks the user's login and password in Active Directory or Network Policy Server and requests the second authentication factor;
- The user confirms the access request with the selected Multifactor authentication method or enters a one-time passcode in the Remote Access VPN client (Endpoint Security/MAB).
Configure Check Point NGFW
Open the Check Point SmartConsole.
Configure RADIUS server
Create a new Radius server object.
Select New > Server > More > RADIUS in the objects section:
- Name: Multifactor Radius Server;
- Host: the address of the MultiFactor Radius Adapter component (create a new host object or select an existing one);
- Service: NEW-RADIUS (port 1812);
- Shared Secret: the value from the MultiFactor Radius Adapter component settings;
- Version: RADIUS Ver. 2.0;
- Authentication method: PAP.
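Before pointing the gateway at the adapter, it is worth confirming that the adapter answers a PAP Access-Request on port 1812 with the shared secret entered in the server object. The script below is an added example, not code from this article or from MultiFactor; the host, shared secret and test credentials are placeholders you replace, and it checks the Response Authenticator so that a wrong secret is reported instead of silently producing a reject.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
RADIUS_PORT = 1812  # NEW-RADIUS, as selected in the Check Point server object

def hide_pap_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with MD5(secret + previous
    # ciphertext block), the first block with MD5(secret + Request Authenticator).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_pap_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # Inverse of hide_pap_password, used only to self-check the encoding.
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # Attributes: User-Name (type 1) and User-Password (type 2), each as type/length/value.
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in
                     ((1, user), (2, hide_pap_password(password, secret, req_auth))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def verify_response(resp: bytes, secret: bytes, req_auth: bytes) -> bool:
    # Response Authenticator = MD5(Code + ID + Length + Request Authenticator + Attributes + Secret).
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def probe(host: str, secret: bytes, user: str, password: str, timeout: float = 60.0) -> str:
    # Access-Challenge means the adapter is prompting for the second factor; the long
    # timeout leaves room for a push or SMS confirmation before the final reply arrives.
    req_auth = os.urandom(16)
    req = build_access_request(1, user.encode(), password.encode(), secret, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, RADIUS_PORT))
        resp, _ = s.recvfrom(4096)
    if not verify_response(resp, secret, req_auth):
        raise ValueError("Response Authenticator mismatch: check the shared secret")
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
            ACCESS_CHALLENGE: "Access-Challenge"}.get(resp[0], f"code {resp[0]}")
```

Call `probe("ADAPTER-HOST-PLACEHOLDER", b"SHARED-SECRET-PLACEHOLDER", "testuser", "testpassword")` from a host that is allowed to reach the adapter; an Access-Reject with a valid authenticator still proves that the secret and port are correct.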
Setting up Remote Access VPN in Check Point
Open the Check Point Security Gateway object settings in the VPN Clients/Mobile Access -> Authentication section:
- Configure Multiple login options, choosing one of the following:
  - Username and Password as the first factor and RADIUS (Multifactor) as the second factor;
  - RADIUS (Multifactor) as both the first and second factor.
- Select a RADIUS server and specify the previously created object.
Configure new Access Role
Under objects section select New > More > User > Access Role. Set the parameters for the new object and specify the source of user data.
Configure Access Policy
Under Security Policies > Policy, create a new policy that allows Remote Access VPN users to access the internal network:
- Source:
  - VPN: RemoteAccess
If you are using Radius groups only, see these instructions: https://community.checkpoint.com/t5/Remote-Access-VPN/Using-RADIUS-Groups-RAD-lt-Group-gt-to-Assign-Permissions/m-p/16705#M555.