
Checkpoint Gaia is a unified security platform for managing all Checkpoint appliances. This tutorial shows how to add a RADIUS server for two-factor authentication for Mobile Access. We are using Open Server R77 and the SmartDashboard.

This tutorial shows how to add two-factor authentication to Mobile Access, the Checkpoint Security Gateway's SSL-VPN solution. The first part shows how to add a RADIUS host to the Checkpoint using the SmartConsole. Note that if you want to integrate your directory in this process, simply use the IP address of your RADIUS server (NPS or Freeradius, for example) instead of your WiKID server. Don't have a WiKID server for two-factor authentication? Get one! First five users are free.

 

Configure the Checkpoint Security Gateway

To configure your Checkpoint, log in to the SmartDashboard. Click on the main management button and select Manage > Network Objects > New > Node > Host.

Enter the name and IP address of your WiKID Strong Authentication server on the General Properties page. Click OK to save the new host, and then click the Close button in the Network Objects window.


Head back to the main management button and select Manage > Servers and OPSEC Applications > New > RADIUS.

On the General tab, give the server a name such as WiKID. Select the host you created earlier. Be sure to select New-RADIUS as the protocol. This option uses the "new" RADIUS port of 1812, which was updated in 2000.


Click OK and Close.

Now, we need to create an External User profile. On the main menu, select Manage > Users and Administrators > New > External User Profile > Match all users.


On the General Properties tab, add a descriptive comment.


Click on the Authentication page, choose RADIUS as the Authentication Scheme, and select the WiKID or NPS/Freeradius host you created earlier.


Next, click on the Mobile Access tab and the Policy page. Right-click on the Policy and select Edit. Move the generic* from Available Members to Selected Members.


Configure the Mobile Access VPN

Now, to configure the Checkpoint SSL-VPN, bring up the Authentication page under Mobile Access. Select RADIUS and the WiKID server set up previously.


Click OK, and then click the Install Policy button.


Configuring the WiKID Server

Next we can quickly add the Checkpoint to the WiKID server. On the WiKIDAdmin UI, click on the Network Client tab then Create a New Network Client. Give it a name and enter the IP address of the Checkpoint Gaia Security Gateway (or the NPS or Freeradius server if you are using them).


On the next page, enter the Shared Secret you entered on the Checkpoint Security Gateway for the RADIUS host, and click Add NC.


Now, on the WiKID server terminal, restart WiKID using 'wikidctl restart'. This caches the RADIUS information and, on our Virtual Appliance, opens the firewall port.

That's it. Now you can test the login with an OTP from a WiKID Software token.


Copyright © WiKID Systems, Inc. 2017 | Two-factor Authentication