This tutorial shows how to add two-factor authentication to the Checkpoint Security Gateway's SSL-VPN solution, Mobile Access. The first part shows how to add a RADIUS host to the Checkpoint using the SmartConsole. Note that if you want to integrate your directory in this process, simply use the IP address of your RADIUS server (NPS or Freeradius, for example) instead of your WiKID server. Don't have a WiKID server for two-factor authentication? Get one! The first five users are free.
Configure the Checkpoint Security Gateway
To configure your Checkpoint, log in to the SmartDashboard. Click on the main management button and select Manage > Network Objects > New > Node > Host.
Enter the name and IP address of your WiKID Strong Authentication server on the General Properties page. Click OK to save the new host, and then click the Close button in the Network Objects window.
Head back to the main management button and select Manage > Servers and OPSEC Applications > New > RADIUS.
On the General tab, give the server a name such as WiKID. Select the host you created earlier. Be sure to select New-RADIUS as the protocol. This option uses the "new" RADIUS port, 1812, rather than the legacy port; the port assignment was updated in 2000.
Click OK and Close.
Now, we need to create an External User profile. On the main menu, select Manage > Users and Administrators > New > External User Profile > Match all users.
On the General Properties tab, add a descriptive comment.
Click on the Authentication page, choose Radius as the Authentication Scheme, and select the WiKID or NPS/Freeradius host you created earlier.
Next, click on the Mobile Access tab and then the Policy page. Right-click on the Policy and select Edit. Move the generic* profile from Available Members to Selected Members.
Configure the Mobile Access VPN
Now, to configure the Checkpoint SSL-VPN, bring up the Authentication page under Mobile Access. Select RADIUS and the WiKID server set up previously.
Click OK, and then click the Install Policy button.
Configuring the WiKID Server
Next, we can quickly add the Checkpoint to the WiKID server. On the WiKIDAdmin UI, click on the Network Client tab, then Create a New Network Client. Give it a name and enter the IP address of the Checkpoint Gaia Security Gateway (or of the NPS or Freeradius server, if you are using one).
On the next page, enter the Shared Secret you entered on the Checkpoint Security Gateway for the RADIUS host, and click Add NC.
Now, on the WiKID server terminal, restart WiKID using 'wikidctl restart'. That will cache the RADIUS information and, on our Virtual Appliance, open the firewall port.
That's it. Now you can test the login with an OTP from a WiKID Software token.