Configuring Check Point VPN to Use PG RADIUS 2FA
You have an installation of PortalGuard (or are interested in purchasing PortalGuard) and are wondering how to configure PortalGuard to work with your Check Point VPN.
To configure the PortalGuard Server:
1. The PortalGuard server must already be set up for RADIUS. You can check the Windows services to make sure the PortalGuard RADIUS Server service exists. Some additional steps are needed to make sure PortalGuard is ready for RADIUS; if necessary, work with PortalGuard support to get it set up.
2. Open the PG Configuration Editor
3. Edit the Bootstrap:
- On the Services -> RADIUS -> Client Configuration tab create a new client
- Enter the Name, the IP Address of the Check Point device and the Shared Secret
- Select the option “Return PortalGuard Error Messages”
- Click Save
- Click Save
4. On the Security Policies tab:
- Edit each Security Policy. On the Actions -> VPN tab, choose what access the users have when connecting via VPN.
- If No Access is selected, connection attempts from the Check Point Mobile client will fail with the error “Wrong User or Password”
- Exit the Configuration Editor
To configure a Check Point Security Gateway to use RADIUS authentication:
1. In SmartDashboard, create a RADIUS Host object by selecting Manage > Network Objects > New > Node > Host.
- Name the Host object and assign it the IP address of the PortalGuard server
2. Create a RADIUS Server object by selecting Manage > Server and OPSEC Applications > New > RADIUS, and configure the following:
- Name the RADIUS Server object.
- Associate the RADIUS Server object with the RADIUS Host object created in step 1
- Assign the Service by selecting the NEW-RADIUS service (port 1812)
- Assign the same Shared Secret that you configured on the PortalGuard RADIUS server
- Select RADIUS Ver. 1.0 Compatible for the version
- Select PAP as the Protocol
- Assign the RADIUS server's Priority appropriately if you are employing more than one RADIUS Authentication server (usually 1)
- Click OK
- Repeat these steps if you need to set up a secondary RADIUS server
3. Create a RADIUS Group by selecting Manage > Server and OPSEC Applications > New > RADIUS Group, and configure the following:
- Name the RADIUS Group object.
- On the left, search for the servers you set up in step 2 and add them to the group on the right
- Click OK.
4. Under Network Objects -> Check Point -> “Candy” (the Gateway object), right-click and select Edit
- Under the Other -> Authentication tab, ensure that RADIUS is selected as an enabled authentication scheme.
5. Define a user group by selecting Manage > Users & Administrators > New > User Group (for example, RADIUS_2FA)
- The existing AD group and generic* members should be members of this group
6. Ensure a RADIUS user template exists by selecting Manage > Users and Administrators and changing the Show drop-down to Templates
- Double-click Radius_Template (or create it if it doesn’t exist)
- On the Groups tab, make sure the user group created above (i.e. RADIUS_2FA) belongs to this template
- On the Authentication tab, select RADIUS as the authentication scheme and then select PortalGuard_RADIUS_Servers as the group
- Click OK
7. On the Mobile Access tab, expand Users and Authentication -> Authentication -> LDAP Account Units
- Double-click the AD unit to edit it
- On the Authentication tab, change the user template to Radius_Template
- Click OK
8. Save, verify, and install the policy.
When you connect with the Check Point Mobile VPN client and log in, the gateway passes the authentication request to PortalGuard. If you are a member of a 2FA policy, PortalGuard sends the OTP to your phone and the Check Point client prompts for it. After you enter the OTP, authentication finishes and the client connects you.
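The exchange described above, as an added example that is not part of the original article and not PortalGuard's or Check Point's own code: a minimal RFC 2865 RADIUS client and server simulated in-process (no network), using PAP on the request side exactly as the gateway object is configured. The server stand-in (OtpRadiusServer), the user names, passwords, OTP value and shared secret are all constructed for this example. It shows why the Shared Secret must match on both sides: PAP hides the password only by XORing it with MD5 keystream derived from the secret, and the gateway can only validate the reply's Response Authenticator with the same secret, so a mismatch surfaces as a rejected or unverifiable reply rather than a clear error.

```python
"""RFC 2865 RADIUS PAP exchange simulated in-process: a Check Point-style gateway
sends Access-Request; a PortalGuard-style server answers Access-Challenge (OTP
prompt) and then Access-Accept. Names and values are constructed for this example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24


def pap_encrypt(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """User-Password hiding per RFC 2865 5.2: pad to a 16-byte multiple, XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This is obfuscation keyed only by the shared secret."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def pap_decrypt(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def build_request(ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code, request, secret, attrs):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request, secret):
    """The client can only validate a reply if it holds the same secret the server used."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(resp_auth, expected)


class OtpRadiusServer:
    """Constructed stand-in for PortalGuard's RADIUS server: password check, then
    an OTP challenge bound to a State attribute, then accept or reject."""

    def __init__(self, secret, users, otp):
        self.secret, self.users, self.otp = secret, users, otp
        self.pending = {}  # State -> user name awaiting an OTP

    def handle(self, pkt):
        attrs = dict(decode_attrs(pkt[20:]))
        user = attrs.get(USER_NAME, b"")
        password = pap_decrypt(self.secret, pkt[4:20], attrs.get(USER_PASSWORD, b""))
        reject = [(REPLY_MESSAGE, b"Wrong User or Password")]
        if STATE in attrs:  # second leg: the password field carries the OTP
            ok = self.pending.pop(attrs[STATE], None) == user and password == self.otp
            return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, pkt, self.secret, [] if ok else reject)
        if self.users.get(user) != password:
            return build_response(ACCESS_REJECT, pkt, self.secret, reject)
        state = os.urandom(8)
        self.pending[state] = user
        return build_response(ACCESS_CHALLENGE, pkt, self.secret,
                              [(STATE, state), (REPLY_MESSAGE, b"Enter the OTP sent to your phone")])


def vpn_login(server, gateway_secret, username, password, otp):
    """Drive the two-leg exchange as the gateway would; returns the outcome as a string."""
    auth = os.urandom(16)
    req = build_request(1, auth, [(USER_NAME, username),
                                  (USER_PASSWORD, pap_encrypt(gateway_secret, auth, password)),
                                  (NAS_IP, bytes([10, 0, 0, 1]))])  # constructed gateway address
    resp = server.handle(req)
    if not verify_response(resp, req, gateway_secret):
        return "BAD_AUTHENTICATOR"  # shared-secret mismatch or a reply that was not from the server
    if resp[0] == ACCESS_CHALLENGE:
        state = dict(decode_attrs(resp[20:]))[STATE]
        auth = os.urandom(16)
        req = build_request(2, auth, [(USER_NAME, username),
                                      (USER_PASSWORD, pap_encrypt(gateway_secret, auth, otp)),
                                      (STATE, state)])
        resp = server.handle(req)
        if not verify_response(resp, req, gateway_secret):
            return "BAD_AUTHENTICATOR"
    return {ACCESS_ACCEPT: "ACCEPT", ACCESS_REJECT: "REJECT"}.get(resp[0], "UNKNOWN")


if __name__ == "__main__":
    secret = b"constructed-shared-secret-for-example"
    srv = OtpRadiusServer(secret, {b"alice": b"Passw0rd!"}, b"482913")
    print(vpn_login(srv, secret, b"alice", b"Passw0rd!", b"482913"))   # ACCEPT
    print(vpn_login(srv, b"typo-in-secret", b"alice", b"Passw0rd!", b"482913"))  # BAD_AUTHENTICATOR
```

Because PAP's password hiding is keyed only by the shared secret, the usual mitigations are a long random secret, restricting the PortalGuard RADIUS client entry to the gateway's IP address, and keeping the gateway-to-PortalGuard path on a trusted network segment.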
This Check Point link is the reference that some of this content came from: