Locking down critical infrastructure with two-factor authentication is very important. This tutorial shows you how to require two-factor auth for administrators of Check Point Security Gateways. Note that you can either have the Checkpoints talk directly to WiKID using RADIUS or run the authentications through your directory using NPS or another RADIUS server. The benefit of the latter is that disabling the user in AD would remove their access. Only having to disable a user in one place is a great security mechanism.

Start the SmartConsole. Assuming you haven't setup a RADIUS or WiKID server yet, click on the menu button and select Manage and then Servers and OPSEC Applications. Click New and select RADIUS. Enter the information for the WiKID Server. You may need to click New for Host and enter that information too.

If you are using a RADIUS server such as NPS, then enter that IP address or hostname.

When finished, click OK.

Now to add or edit an administrator. From the main menu, select Manage and Users and Administrators. Add or edit an existing administrator.

Now, to require two-factor authentication, click on the Authentication page and specify RADIUS.

Click Ok, then close out the next dialogue and install the policy.

Note that you can have an admin account that does not use RADIUS in case your RADIUS server has issues. It would be easier if you could create an administrators group that used RADIUS instead of having to do each individual user but that doesn't seem to be an option.