How to add two-factor authentication from WiKID to your CheckPoint VPN

We assume that you have already installed Check Point VPN-1/FireWall-1. This document provides information on how to enable the Radius interface on FireWall-1 to accept one-time passwords from the WiKID Strong Authentication System.

Start by adding the workstation object for a Radius server in the Check Point Policy Editor:

  • Click on 'Manage' then 'Network Objects'.
  • Click on 'New' then 'Workstation'.
  • In the Workstation Properties window, enter the workstation name and IP address, and choose 'Host' for Type. For clarity, enter a comment such as "WiKID two-factor authentication".
  • When finished, click 'OK'

Configure the WiKID Strong Authentication Radius interface in the Check Point Policy Editor.

  • Click on 'Manage' then 'Servers'.
  • Click on 'New', then select 'Radius' from the menu. A Radius Server Properties window should be displayed.
  • In the 'Name' field assign a name for the Radius server.
  • In the 'Comment' field enter comments of your choice, such as 'WiKID Radius interface'.
  • In the 'Host' field enter the host name that was configured above.
  • In the 'Service' field select 'New Radius'. 'New Radius' should use port 1812, which is the default for WiKID. If need be, you can change WiKID to port 1645, but this is not recommended.
  • Enter a value for a shared secret.
  • Select 'Radius version 1.0 Compatible'.
  • Give this server a priority if multiple Radius servers are configured.
  • When finished, click 'OK'

On the WiKID Server, be sure to enable Radius:

  • Click on the 'Configuration' tab in the WiKIDAdmin web interface.
  • Click on 'Enable Protocols'
  • If Radius is not Enabled, click on it.
  • You should be able to leave the settings as is and click 'Initialize'.

Next we add a specific network client for the Checkpoint firewall/vpn:

  • Click on the 'Network Client' Tab
  • Click on 'Create New Network Client'
  • Create a name such as "Checkpoint Firewall/VPN"
  • Choose a WiKID domain for the network client
  • Select 'Radius' as the protocol
  • Click 'Add'
  • On the next page, enter the Shared Secret created above. Leave the Return Attributes empty (unless you know what you're doing)
  • Click 'Add NC'
  • From a terminal window, stop and start the WiKID Strong Authentication Server. This will open up the firewall port to the new network client.

That is it. Now you should have properly configured two-factor authentication for your CheckPoint VPN.
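The shared secret entered on both sides is what protects the one-time password in transit and authenticates the server's reply. The following added example (not WiKID or Check Point code) builds the RADIUS Access-Request a client would send to port 1812 per RFC 2865 and shows both checks; the user name, one-time password, NAS identifier, secrets and the make_reply helper are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse hide_password and strip the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(user: str, otp: str, secret: bytes, ident: int = 1):
    """Return (packet, request_authenticator) for a one-time-password login."""
    auth = os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(otp.encode(), secret, auth))
             + attr(NAS_IDENTIFIER, b"checkpoint-fw"))  # constructed NAS name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs, auth

def response_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute MD5(code+id+length+RequestAuth+attributes+secret) and compare."""
    if len(reply) < 20:
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def make_reply(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Constructed stand-in for a server reply, used only to exercise the check."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()
```

If the two secrets differ, the server recovers garbage instead of the one-time password and the client rejects the reply, so a login that fails for every user after this setup usually points to a mistyped shared secret.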

The WiKID Strong Authentication System is a very reasonably priced two-factor authentication solution. We invite you to learn more about our technology and architecture and to download and test the Enterprise version.

Copyright © WiKID Systems, Inc. 2017 | Two-factor Authentication