Pre-boot Authentication Methods

If the Pre-boot is required on a computer as part of Full Disk Encryption, users must authenticate in the Pre-boot before the computer boots. Users can authenticate to the Pre-boot with the methods described in this section.

Configure the global settings for the Pre-boot authentication method from the OneCheck User Settings Actions.

Global Pre-boot Authentication Settings

Configure the global settings for the Pre-boot authentication method from the OneCheck User Settings policy rule. The settings configured here apply to all users. You can override the global settings for specified users.

Select an Action to define the default Pre-boot authentication method:

  • Authenticate users with Password - Users can only authenticate with a username and password.
  • Authenticate users using Smart Card or Password - Users can authenticate with either username and password or a Smart Card.

The password settings are taken from the OneCheck User Settings rules that are assigned to the user.

If you select Smart Card authentication, right-click the Action and select Edit to configure the additional settings.

Important - Before you configure Smart Card only as the default authentication method, make sure that you understand the requirements. See Before You Configure Smart Card Authentication. All requirements must be set up correctly for users to successfully authenticate with Smart Cards.

To configure Smart Card only, or Smart Card or Password, as the default:

  1. Select one of the Smart Card options as the Default Pre-boot authentication method.
  2. If you select Smart Card, we recommend that you select Change authentication method only after user successfully authenticates with a Smart Card.

    This lets users authenticate with a password until all of the requirements for Smart Card authentication are set up correctly. After users successfully authenticate one time with a Smart Card, they must use their Smart Card to authenticate. If you configure a user for Smart Card only and do not select this, that user is not able to authenticate to Full Disk Encryption with a password.

    Select one or more Smart Card drivers.

  3. In the Smart Card driver area, select the Smart Card protocol that your organization uses:
    • Not Common Access Card (CAC) - all other formats
    • Common Access Card (CAC) - the CAC format
  4. In the Select Smart Card driver to be deployed area, select the drivers for your Smart Card and Reader. All selected drivers will be installed on endpoint computers when they receive policy updates.

    If you do not see a driver required for your Smart Card, you can:

    • Enter a text string in the Search field.
    • Click Import to import a driver from your computer. If necessary, you can download drivers to import from the Check Point Support Center.
  5. In the Directory Scanner area, select Scan user certificates from Active Directory if you want the Directory Scanner to scan user certificates.
  6. If you selected to scan user certificates, select which certificates the Directory Scanner will scan:
    • Scan all user certificates
    • Scan only user certificates containing the Smart Card Logon OID - The OID is 1.3.6.1.4.1.311.20.2.2.
  7. Click OK.

If necessary, use the Pre-boot Reporting reports to troubleshoot issues with drivers or user certificates.
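Before you enable Scan only user certificates containing the Smart Card Logon OID, it helps to know which certificates in Active Directory would pass that filter. The following PowerShell is an added example, not Check Point's code or part of this page: it reads each user's userCertificate attribute, parses every certificate, and reports whether it carries the Smart Card Logon OID (1.3.6.1.4.1.311.20.2.2) and whether it has expired. It assumes the ActiveDirectory module (RSAT) is installed and that $SearchBase is replaced with your own OU.

```powershell
# Added example (not Check Point's code). Lists AD user certificates and flags the
# ones that carry the Smart Card Logon EKU OID, i.e. the ones the Directory Scanner
# would pick up when "Scan only user certificates containing the Smart Card Logon OID"
# is selected. Requires the ActiveDirectory module and read access to userCertificate.
Import-Module ActiveDirectory

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
$SearchBase        = 'OU=Users,DC=example,DC=com'   # placeholder: set to your own OU
$EkuType           = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

Get-ADUser -Filter * -SearchBase $SearchBase -Properties userCertificate |
  ForEach-Object {
    $user = $_
    foreach ($raw in $user.userCertificate) {
      try {
        # userCertificate holds DER-encoded certificates as byte arrays
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
      } catch {
        Write-Warning "Skipping unparsable certificate blob for $($user.SamAccountName)"
        continue
      }

      # Collect the Enhanced Key Usage OIDs; a certificate without the extension has none
      $oids = @()
      $eku = $cert.Extensions | Where-Object { $_ -is $EkuType }
      if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

      [pscustomobject]@{
        User           = $user.SamAccountName
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        Expired        = ($cert.NotAfter -lt (Get-Date))
        SmartCardLogon = ($oids -contains $SmartCardLogonOid)
      }
    }
  } | Sort-Object User | Format-Table -AutoSize
```

Users whose only certificates show SmartCardLogon as False or Expired as True are the ones the OID-only scan would leave without a usable certificate, which is the case the Pre-boot Reporting reports would otherwise surface after the fact.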

Changing the User Pre-boot Authentication Settings

By default, users get the Pre-boot authentication method from the global Pre-boot Authentication Settings. You can assign custom authentication settings to users on the User Details page. You can also assign a user password and manually add user certificates on this page.

On E80.60 and higher Endpoint Security Management Servers and E80.60 and higher clients, you can assign Dynamic Token as a user's authentication method.

To change a user Pre-boot authentication method:

  1. Double-click a user in the tree.
  2. In the User Details window, select OneCheck User Settings.
  3. Click Pre-boot Authentication Method.
  4. Click Use specific Pre-boot Authentication Method for this user.
  5. Select an authentication method:
    • Password - This user can only authenticate with a username and password.
    • Smart Card - This user can only authenticate with a Smart Card.
    • Either Smart Card or Password - This user can authenticate with a username and password or a Smart Card.
    • Dynamic Token - This user can only authenticate with the password from a dynamic token.
  6. If you select Smart Card, we recommend that you select Change authentication method only after user successfully authenticates with a Smart Card.

    This lets users authenticate with a password until all of the requirements for Smart Card authentication are set up correctly. After users successfully authenticate one time with a Smart Card, they must use their Smart Card to authenticate. If you configure a user for Smart Card only and do not select this, that user is not able to authenticate to Full Disk Encryption with a password.

    Select one or more Smart Card drivers.

  7. If you select Dynamic Token, click Select token. The user can only authenticate with the selected token. See Managing Dynamic Tokens.
    • Select a token from the list or click Add or Import to add a new token.
    • Click OK.
  8. Click OK.
  9. On the OneCheck User Settings page:
    • For Password authentication - You can enter a User Password or Change Password.
    • For Smart Card authentication - In the User Certificates area, make sure the user has a valid certificate to use with the Smart Card. If a certificate is not shown, you can click Add to import a certificate.