Two Factor Authentication

Check Point Captive Portal authenticates users easily with a web interface. When users try to access a protected resource, they are prompted to enter authentication credentials in a browser.

Captive Portal Two Factor Authentication adds support for an additional challenge-response authentication from the user through the RADIUS protocol.

Follow all the procedures below to configure Captive Portal Two Factor Authentication.

To configure a RADIUS server object in SmartConsole:

  1. In the top left corner, click Objects > Object Explorer.

    The Object Explorer window opens.

  2. In the left navigation tree, click Servers.
  3. From the toolbar, click New > Server > More > RADIUS.
  4. Enter a name for your designated RADIUS server.
  5. In the Host field, add the appropriate host object with your RADIUS server IP address.

    If the host is not yet defined, click the Star icon > Host, and enter the host Name and IP Address.

  6. In the Version field, select the appropriate RADIUS version.
  7. In the Protocol field, select the appropriate authentication protocol.
  8. Click OK.
  9. Close the Object Explorer window.
  10. Install the Access Policy.

To configure Captive Portal in SmartConsole:

  1. From the left Navigation Toolbar, click Gateways & Servers.
  2. Double-click the Security Gateway object.
  3. On the General Properties pane, select the Identity Awareness Software Blade.

    The Identity Awareness Configuration Wizard opens.

  4. On the Methods For Acquiring Identity wizard screen, select Browser-Based Authentication.
  5. Click Next.
  6. On the Integration With Active Directory wizard screen, select I do not wish to configure an Active Directory at this time.
  7. Click Next.
  8. On the Browser-Based Authentication Settings wizard screen, configure the accessibility settings.
  9. Click Next.
  10. Click Finish to close the Identity Awareness Configuration Wizard.
  11. In the left navigation tree, click Identity Awareness.
  12. Next to the Browser-Based Authentication check box, click Settings.
  13. In the Authentication Settings section, click Edit.
  14. In the Authentication Method section, select RADIUS and then select the RADIUS server object you created earlier.
  15. In the User Directories section, select the LDAP users option if user groups are fetched directly from an LDAP server.

    Otherwise, clear this option.

  16. Click OK to close the Security Gateway object properties.
  17. Install the Access Policy.

To configure a generic user profile in the Legacy SmartDashboard:

  1. In SmartConsole, click Manage & Settings > Blades.
  2. In the Mobile Access section, click Configure in SmartConsole.

    Legacy SmartDashboard opens.

  3. In the bottom left Network Objects pane, click Users.

  4. Right-click on an empty space and select New > External User Profile > Match all users.
  5. Configure the External User Profile properties:
    1. On the General Properties page:

      In the External User Profile name field, leave the default name generic*.

      In the Expiration Date field, set the applicable date.

    2. On the Authentication page:

      From the Authentication Scheme drop-down list, select and configure the applicable option.

    3. On the Location, Time, and Encryption pages, configure other applicable settings.
    4. Click OK.
  6. From the top toolbar, click Update (or press Ctrl + S).
  7. Close the SmartConsole.
  8. In SmartConsole, install the Access Policy.

After users enter their credentials, the user data is retrieved from the LDAP server, the RADIUS server, or both.

To configure Access Roles that are based on LDAP users and groups:

  1. Make sure you have an LDAP Account Unit object for the LDAP server:
    1. In SmartConsole, in the top left corner, go to Objects > Object Explorer.

      The Object Explorer window opens.

    2. In the left navigation tree, click Servers, and make sure an LDAP Account Unit object exists for your LDAP server.

      Otherwise, from the toolbar, click New > Server > More > LDAP Account Unit, and configure the object.

  2. Configure Access Roles based on LDAP users and LDAP groups.
  3. Install the Access Policy.

To configure Access Roles that are based on RADIUS groups:

  1. Configure the Global Properties:
    1. In SmartConsole, go to Menu > Global properties.

      The Global Properties window opens.

    2. In the left navigation tree, click Advanced > Configure.

      The Advanced Configuration window opens.

    3. In the left navigation tree, click SecuRemote/SecureClient.
    4. Select add_radius_groups.
    5. Click OK to close the Advanced Configuration window.
    6. Click OK to close the Global Properties window.
  2. Configure the internal user groups:
    1. In the top left corner, click Objects > Object Explorer.

      The Object Explorer window opens.

    2. In the left navigation tree, click Users.
    3. From the toolbar, click New > User > User Group.
    4. For each RADIUS group <grp> on your RADIUS server, create an internal user group named RAD_<grp> (case-sensitive).

      For example, for RADIUS group MyGroup, create an internal user group named RAD_MyGroup.

    5. Close the Object Explorer window.
  3. Configure Access Roles with the internal user groups you created in the previous step.
  4. Install the Access Policy.
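The RADIUS challenge-response exchange behind Captive Portal Two Factor Authentication, and the RAD_<grp> mapping from the previous procedure, as an added Python example that is not Check Point's code: a minimal RFC 2865 client and server run in one process, where the shared secret, the user alice, her static password, her one-time code and the group MyGroup are all constructed values. It shows the Access-Request with a hidden User-Password, the Access-Challenge carrying State and Reply-Message, the second Access-Request that echoes State with the one-time code, and the Access-Accept whose Filter-Id group is mapped to the internal user group RAD_MyGroup; the gateway side also verifies the Response Authenticator so a reply not computed with the shared secret is discarded.

```python
import hashlib, os, struct
# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, FILTER_ID, REPLY_MESSAGE, STATE = 1, 2, 11, 18, 24
SECRET = b"shared-secret"  # constructed; the same secret is set on gateway and server
# Constructed user store: static password, expected one-time code, RADIUS group name.
USERS = {"alice": {"pw": b"hunter2", "otp": b"482913", "group": "MyGroup"}}
PENDING = {}  # State token -> user name waiting for the second factor

def password_xor(data, req_auth):  # RFC 2865 s5.2 for one 16-byte block (<= 16-byte secrets)
    pad = hashlib.md5(SECRET + req_auth).digest()  # longer secrets chain further blocks
    return bytes(x ^ y for x, y in zip(data.ljust(16, b"\0"), pad))

def pack(code, ident, auth, attrs):  # Code | Identifier | Length | Authenticator | TLVs
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def attributes(pkt):  # TLVs -> {type: value}
    attrs, i = {}, 20
    while i < len(pkt):
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]; i += pkt[i + 1]
    return attrs

def reply(code, ident, req_auth, attrs):  # Response Authenticator = MD5(reply with RequestAuth + secret)
    return pack(code, ident, hashlib.md5(pack(code, ident, req_auth, attrs) + SECRET).digest(), attrs)

def radius_server(pkt):  # password leg -> Access-Challenge; code leg -> Accept or Reject
    ident, req_auth, a = pkt[1], pkt[4:20], attributes(pkt)
    name = PENDING.pop(a[STATE], None) if STATE in a else a.get(USER_NAME, b"").decode()
    user, given = USERS.get(name), password_xor(a.get(USER_PASSWORD, b""), req_auth).rstrip(b"\0")
    if user and STATE not in a and given == user["pw"]:  # first factor OK: challenge
        state = os.urandom(16); PENDING[state] = name
        return reply(ACCESS_CHALLENGE, ident, req_auth, [(STATE, state), (REPLY_MESSAGE, b"Enter one-time code")])
    if user and STATE in a and given == user["otp"]:  # second factor OK: accept with group
        return reply(ACCESS_ACCEPT, ident, req_auth, [(FILTER_ID, user["group"].encode())])
    return reply(ACCESS_REJECT, ident, req_auth, [])

def access_request(ident, name, secret_value, extra=()):  # gateway side of one round trip
    req_auth = os.urandom(16)  # fresh Request Authenticator per request
    attrs = [(USER_NAME, name), (USER_PASSWORD, password_xor(secret_value, req_auth)), *extra]
    resp = radius_server(pack(ACCESS_REQUEST, ident, req_auth, attrs))
    # Discard a reply whose Response Authenticator was not computed with our shared secret.
    assert hashlib.md5(resp[:4] + req_auth + resp[20:] + SECRET).digest() == resp[4:20]
    return resp[0], attributes(resp)

def captive_portal_login(name, password, otp):  # -> (final code, RAD_<grp> name or None)
    code, a = access_request(1, name.encode(), password.encode())
    if code == ACCESS_CHALLENGE:  # the portal shows Reply-Message and asks for the code
        code, a = access_request(2, name.encode(), otp.encode(), [(STATE, a[STATE])])
    return code, ("RAD_" + a[FILTER_ID].decode() if code == ACCESS_ACCEPT else None)
```

The returned group name is the value an Access Role must reference, which is why the internal user group has to be named RAD_MyGroup exactly, with the same case as the group on the RADIUS server.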