|
|
|
In This Section: |
To enter the Mobile Access portal and get access to its applications, users defined in SmartDashboard must authenticate to the Security Gateway. Authentication ensures that a user is who he or she claims to be. Users authenticate using one or more of these authentication schemes:
For more about configuring a Security Gateway to use a RADIUS server, see the R80.20 Security Management Administration Guide.
For more about configuring a Security Gateway to use SecurID, see the R80.20 Security Management Server Administration Guide.
A user who tries to authenticate with an authentication scheme that is not configured for the Mobile Access gateway will not be allowed to access resources through the gateway.
Permitted authentication schemes must be configured for each Security Gateway.
On the Security Gateway, configure authentication in the Gateway Properties window of a gateway in Mobile Access > Authentication. If you select an authentication method on this page, that is the method that all users must use to authenticate to Mobile Access. You can configure other authentication methods that users must use for different blades on different pages.
The default authentication scheme is Username and Password.
In the Mobile Access tab in SmartDashboard, select Authentication to show an overview of the Mobile Access Security Gateways and their authentication schemes.
On this page you can also configure settings for Two- Factor Authentication with a DynamicID One Time Password. Configure settings for the gateway or global settings that are used for all gateways that do not have their own DynamicID settings.
To require client certificates for mobile devices:
The gateway window opens and shows the General Properties page.
Use Image-based RADIUS as a secondary authentication factor to authenticate to the Mobile Access Portal. It allows Mobile Access to integrate with third-party authentication services.
The images in this authentication factor are patterns of random numbers in a grid. During authentication, the user selects the numbers in the positions that correspond to a pre-selected pattern.
To use image-based RADIUS as an authentication factor in Mobile Access, you have to configure RADIUS authentication with SmartConsole.
To configure Mobile Access authentication factors in SmartConsole:
The Check Point Gateway window shows.
The Multiple Login Options window shows.
Note - When you return to the Authentication Methods table, make sure RADIUS authentication is not the first factor.
To enable Image-based RADIUS, edit the configuration file, $CVPNDIR/conf/cvpnd.C on each Mobile Access gateway that uses Image-based RADIUS as an authentication factor.
Important - After every change to cvpnd.C, you must restart the cvpn services: cvpnrestart
|
Fields |
Description |
Example |
|---|---|---|
|
Enter true to enable. If set to true, the gateway treats every RADIUS authentication factor found in |
|
|
List that has authentication realm names that are configured in SmartConsole, that contain Image-based RADIUS authentication as a secondary factor. If empty, all the authentication realms with RADIUS as a secondary authentication factor, are treated as an Image-based RADIUS authentication factor. |
(: ( : ("another realm with Image-based RADIUS")) |
|
The URL from the third-party authentication service to get the user grid. Use |
|
The reCAPTCHA service uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities. It prevents malicious logins and at the same time allows authenticated users to pass through easily.
Configure your gateway with Google reCAPTCHA v2 to challenge a user upon multiple, incorrect login attempts. reCAPTCHA appears as a challenge when a user reaches the maximum number of failed attempts.
The reCAPTCHA challenge is compatible with ClusterXL and VSX.
The reCAPTCHA challenge is not supported in the Capsule Workspace.
For supported browsers, see the Google documentation.
To use Mobile Access with reCAPTCHA, you have to register the Mobile Access Portal FQDN with reCAPTCHA.
Go to the Google reCAPTCHA site for instructions.
You have to configure the gateway manually to add reCAPTCHA. To enable reCAPTCHA, the gateway needs:
If you browse to the Portal with an IP address rather than an FQDN, you are redirected to the FQDN link.
Note - In a cluster environment, each gateway has to be configured identically.
To configure the gateway manually, edit this file: $CVPNDIR/conf/cvpnd.C
Important - After every change to cvpnd.C, you must restart the cvpn services: cvpnrestart
This shows:
:isCaptchaEnabled (false) :isCaptchaEnabledForRelogin (false) :captchaFailOpen (false) :captchaPenaltyTimeInSeconds (1800) :captchaFailedAttemptsThreshold (2) :reCaptchaSiteKey () :reCaptchaSecret () :isCaptchaSettingsVerifierEnabled (false) |
Fields |
Description |
|---|---|
|
Enter true to enable. |
|
Determines if reCAPTCHA shows on a re-login flow. |
|
Entrance to the Portal, true or false. This determines when to block users:
False - User is not allowed access to the Portal. See the login log for more information. True - User is allowed access to the Portal. A warning that the reCAPTCHA challenge was not verified shows. See the login log for more information. |
|
The amount of time in seconds that the user in penalty is challenged with reCAPTCHA on each login until the user succeeds to log in. The default is 1800 seconds. |
|
This is the number of times a user tries to log in unsuccessfully before reCAPTCHA shows. The default is two failed login attempts within the pre-determined time frame. Failures within that time frame are counted. If the time frame passes, the failure counter is set to zero again. If the field is set to zero, there is a reCAPTCHA challenge on every login attempt. |
|
The site key from Google. |
|
The secret from Google. |
|
A utility page that checks the reCAPTCHA configuration and the connectivity from the gateway. The settings ( |
Best Practice - If you enable and configure reCAPTCHA, make sure the Capsule Workspace uses certificate authentication. reCAPTCHA is not supported in the Capsule Workspace.
When you are challenged with reCAPTCHA, some javascripts are downloaded to your browser.
On R80.10 and higher Mobile Access and IPsec VPN gateways, you can configure multiple login options. The options can be different for each gateway and each supported Software Blade, and for some client types. Users select one of the available options to log in with a supported client.
By default, all clients connect with the pre-R80.xx method. When you create new login options, newer clients can see them in addition to the pre-R80.xx option, but older clients cannot.
To see which clients support the new multiple login options, see sk111583.
Each configured login option is a global object that can be used with multiple gateways and the Mobile Access and IPsec VPN Software Blades.
Older clients connect with the same login options available on pre-R80 gateways. If you upgrade all or most clients to versions that support multiple login options, you can block older clients from connecting. After you do this, only clients that support multiple login options can connect to the gateway.
By default, Allow older clients to connect to this gateway is selected in Mobile Access > Authentication. If you clear the option, older clients are blocked.
You can choose if newer clients that support multiple login options can connect with the authentication settings defined for older clients.
To block newer clients from using the authentication method defined for older clients:
The Single Authentication Clients Settings window opens.
To let newer clients connect to the gateway with the authentication settings defined for older clients:
Select Allow newer clients that support Multiple Login options to use this authentication method.
To let older clients connect to the R80.10 or higher gateway:
If this is not selected, older clients cannot connect to the gateway.
To change the authentication method for older clients:
The Single Authentication Clients Settings window opens.
To configure global DynamicID settings that all gateways use:
SmartDashboard opens and shows the Mobile Access tab.
You can configure login options from:
The login options selected for Mobile Access clients, such as the Mobile Access portal and Capsule Workspace, show in the Mobile Access > Authentication page in the Multiple Authentication Client Settings table.
The login options selected for VPN clients, such as Endpoint Security VPN, Check Point Mobile for Windows, and SecuRemote, show in the VPN Clients > Authentication page in the Multiple Authentication Client Settings table.
To configure multiple login options for Mobile Access Clients:
The default login options are:
For example, if you select SecurID, select the SecurID Server and Token Card Type. If you select Personal Certificate, select which certificate field the gateway uses to fetch the username. See Certificate Parsing.
For login options created from the Mobile Access > Authentication page, you can select if the login option is available for the Mobile Access Portal, Capsule Workspace, or both.
The login option will only be visible for the clients that you select.
Enter descriptive values to make sure that users understand what information to input. These fields must all be the same language but they do not need to be in English.
When you select Personal Certificate as a Login option, you can also configure what information the gateway sends to the LDAP server to parse the certificate. The default is the DN. You can configure the settings to use the user's email address or a serial number instead.
To change the certificate parsing:
The Authentication Factor window opens.
To permanently delete a Login option:
To see all gateways and their authentication settings:
Multi-factor authentication is a system where two or more different methods are used to authenticate users. Using more than one factor delivers a higher level of authentication assurance. DynamicID is one option for multi-factor authentication.
Users who successfully complete the first-phase authentication can be challenged to provide an additional credential: a DynamicID One Time Password (OTP). The OTP is sent to their mobile communications device (such as a mobile phone) via SMS or directly to their email account.
On R80.x and higher gateways, DynamicID is supported for all Mobile Access and IPsec VPN clients.
When logging in to the Mobile Access portal, users see an additional authentication challenge such as:
Please type the verification code sent to your phone.
Users enter the one time password that is sent to the configured phone number or email address and they are then admitted to the Mobile Access portal.
On the User Portal sign in screen, the I didn’t get the verification code link shows. If the user does not receive an SMS or email with the verification code within a short period of time, the user can click that button to receive options for resending the verification code.
Administrators can allow users to select a phone number or email address from a list. Only some of the phone number digits are revealed. Users can then select the correct phone number or email address from the list and click Send to resend the verification code. By default, users can request to resend the message three times before they are locked out of the Portal.
The Match Word feature ensures that users can identify the correct DynamicID verification code in situations when they may receive multiple messages. Users are provided with a match word on the Login page that will also appear in the correct message. If users receive multiple SMS messages, they can identify the correct one, as it will contain the same match word.
In r77.30 and lower versions, proxy settings for the SMS service provider were configured in Gateway Properties > Mobile Access > HTTP Proxy.
In R80.10 and higher, this is configured in Gateway Properties > Network Management > Proxy.
To access the SMS service provider, configure the proxy settings on the gateway:
The gateway window opens and shows the General Properties page.
If no proxy is defined on this page, no proxy is used for the SMS provider.
Whichever provider you work with, in order for the SMS messages to be sent to users, valid account details must be obtained from the provider and be configured in Mobile Access.
You can make multi-factor authentication with DynamicID a requirement to log in to the gateway. Alternatively, you can make DynamicID a requirement to access specified applications. This flexibility gives you different security clearance levels.
To make multi-factor authentication with DynamicID a requirement to access specified applications, configure a Protection Level to require multi-factor authentication, and associate the Protection Level with Mobile Access applications.
In an environment with multiple Mobile Access gateways, make multi-factor authentication a requirement for a specified gateway, configure multi-factor authentication for that gateway.
On R80.x gateways, DynamicID authentication can be part of a login option that is required for the Mobile Access portal or Capsule Workspace, or both.
The workflow for basic configuration of two-factor authentication via DynamicID is:
Get these required SMS service provider settings from your SMS provider.
The default phone number and email search method is that the gateway searches for phone numbers or email addresses in user records on the LDAP account unit, and then in the phone directory on the local gateway. If the phone number configured is actually an email address, an email will be sent instead of an SMS message. The phone number and email search method can be changed in the Phone Number or Email Retrieval section of the Two-Factor Authentication with DynamicID - Advanced window.
If users authenticate via LDAP, configure the list of phone numbers on LDAP by defining a phone number or email address for each user. By default, Mobile Access uses the Mobile field in the Telephones tab. If the phone number configured is actually an email address, an email will be sent instead of an SMS message.
|
|
|
Configure the list of phone numbers or email addresses on each Mobile Access gateway. For a Mobile Access cluster, configure the directory on each cluster member.
To configure a list of phone numbers on a gateway:
expert and then the expert mode password.$CPDIR/conf/dynamic_id_users_info.lstNote - If this file does not yet exist, create it.
$CPDIR/conf/dynamic_id_users_info.lst, and add to it a list of user names and phone numbers, and/or email addresses. The list must be followed by a blank line. Use this syntax:
|
Parameter |
Meaning |
|---|---|
user name |
Either a user name or, for users that log in using a certificate, the full DN of the certificate. |
phone number |
All printable characters can be used in the phone number, excluding the space character, which is not allowed. Only the digits are relevant. |
email address |
A valid email address in the format user@domain.com |
Example of acceptable ways to enter users and their phone numbers or email addresses in $CPDIR/conf/dynamic_id_users_info.lst
|
You can let users choose from multiple phone numbers when resending the verification code.
To configure choice of numbers:
Enter one number in the LDAP directory in the Mobile field and one or more in the gateway configuration file:$CPDIR/conf/dynamic_id_users_info.lst
Enter multiple phone numbers separated by white space in the gateway configuration file:$CPDIR/conf/dynamic_id_users_info.lst
For example, user_a 917-555-5555 603-444-4444
Note - If the configuration file does not yet exist, create it.
Configure the Authentication settings to make two-factor authentication necessary for all mobile devices.
This table explains parameters used in the SMS Provider and Email Settings field. The value of these parameters is automatically used when sending the SMS or email.
Parameter |
Meaning |
$APIID |
The value of this parameter is the API ID. |
$USERNAME |
The value of this parameter is the username for the SMS provider. |
$PASSWORD |
The value of this parameter is the password for the SMS provider. |
$PHONE |
User phone number, as found in Active Directory or in the local file on the gateway, including digits only and without a + sign. |
The email address of the user as found in Active Directory or in the local |
|
$MESSAGE |
The value of this parameter is the message configured in the Advanced Two-Factor Authentication Configuration Options in SmartDashboard. |
$RAWMESSAGE |
The text from $Message but without HTTP encoding. |
To configure DynamicID settings for all gateways in SmartDashboard:
SmartDashboard opens and shows the Mobile Access tab.
https://api.example.com/http/sendmsg?api_id=$APIID&user=$USERNAME&password=$PASSWORD&to=$PHONE&text=$MESSAGE
mail:TO=$EMAIL;SMTPSERVER=smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE
mail:TO=$EMAIL;SMTPSERVER=smtps://username:password@smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE
mail:TO=$EMAIL;SSL_REQUIRED;SMTPSERVER=smtp://username:password@smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE
mail:TO=$EMAIL;SSL_REQUIRED;SMTPSERVER=smtp://username:password@smtp.example.com:587;FROM=sslvpn@example.com;BODY=$RAWMESSAGE
sms:https://api.example.com/sendsms.php?username=$USERNAME&password=$PASSWORD&phone=$PHONE&smstext=$MESSAGE mail:TO=$EMAIL;SMTPSERVER=smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE
Note - If the SMTP username and password contain special characters, use these:
! |
# |
$ |
% |
& |
' |
( |
%21 |
%23 |
%24 |
%25 |
%26 |
%27 |
%28 |
) |
* |
+ |
, |
/ |
: |
; |
%29 |
%2A |
%2B |
%2C |
%2F |
%3A |
%3B |
= |
? |
@ |
[ |
] |
|
|
%3D |
%3F |
%40 |
%5B |
%5D |
|
|
To configure the Mobile Access Security Gateway to let computers and devices use DynamicID:
The gateway window opens and shows the General Properties page.
To test the two-factor authentication via DynamicID, after completing the configuration:
Make sure that you are logged in to the Mobile Access portal.
To configure settings for a specified gateway:
The gateway window opens and shows the General Properties page.
The Two-Factor Authentication with DynamicID window opens.
To configure global settings for all the gateways:
SmartDashboard opens and shows the Mobile Access tab.
The Two-Factor Authentication with DynamicID window opens.
By default, the text of the message is "Mobile Access DynamicID one time password:". The message can contain the template fields shown in the following table to include the user's name and prompt users to use enter a One Time Password.
For example, the message could say: $NAME, use the verification code $CODE to enter the portal.
Parameter |
Meaning |
|---|---|
|
User name used in the first phase of authentication to the portal. |
|
Replaced with the One Time Password. By default, $CODE is added to the end of the message. |
$CPDIR/conf/dynamic_id_users_info.lst Note - If the directory file does not exist yet, create it.
$CPDIR/conf/dynamic_id_users_info.lst The DynamicID troubleshooting and match word features are configured in GuiDBedit Tool (see sk13009) or dbedit (see skI3301).
The GuiDBedit Tool table to edit depends on the Two Factor Authentication with SMS One Time Password (OTP) setting that you configured in SmartDashboard in the Mobile Access Gateway Properties page > Authentication.
This table shows the DynamicID features that can be configured, and where in GuiDBedit Tool to configure them.
Feature |
Field Name/s to Edit |
Value Options |
Match Word |
|
true: match word provided false: match word not provided (default) |
Resend message |
|
true: enable resend SMS feature (default) false: disable resend SMS feature |
Display multiple phone numbers |
enable_end_user_select_phone_num |
true: enable option to choose from multiple phone numbers or email addresses when resending the verification code (default) false: one phone number or email address from the LDAP server or local file is used automatically without choice |
Conceal displayed phone numbers |
Edit both:
and
|
true: conceal part of the phone number or email address (default) false: display the full phone number or email address 1-20: Choose the amount of digits to reveal (default is 4) |
After editing the values in GuiDBedit Tool, save the changes, connect to SmartDashboard, and install the policy.
By default, users can request to resend the verification code message three times by clicking the I didn’t get the verification code link before they are locked out of the Mobile Access Portal. The number of times the message can be resent is configured using the cvpnd_settings command from the Mobile Access CLI in expert mode.
The instructions below relate to actually resending the verification code message. The number of times users can try to input the verification code is configured in SmartDashboard in the Two Factor Authentication Advanced window.
To change the number of times the verification code message can be resent to 5, run:
|
You can replace "5" with any other number to configure a different amount of retries.
After making the changes, run cvpnrestart to activate the settings.
If the Mobile Access gateway is part of a cluster, be sure to make the same changes on each cluster member.
To configure two-factor authentication Globally on, with custom settings per gateway:
To configure two-factor authentication per application:
SmartDashboard opens and shows the Mobile Access tab.
By default, it is recommended to use a secure (https) protocol for communication with the SMS provider. Mobile Access also validates the provider server certificate using a predefined bundle of trusted CAs.
If your SMS provider uses a non-trusted server certificate you can do one of the following:
$CVPNDIR/var/ssl/ca-bundle/ and run:$CVPNDIR/bin/rehash_ca_bundle$CVPNDIR/conf/cvpnd.C and replacing the SmsWebClientProcArgs value with ("-k").If your SMS provider is working with the non-secure http protocol, edit the file $CVPNDIR/conf/cvpnd.C and replace the SmsWebClientProcArgs value with ("").
On Pre-R80 gateways Multiple Log-in options is called Multiple Realms and is configured in GuiDBedit Tool (see sk13009) or dbedit (see skI3301). It gives support for multiple authentication realms in the Mobile Access Portal. If you use this feature, we recommend that you upgrade your gateways to R80.20 and configure Multiple Login Options for R80.x Gateways in SmartConsole.
If you upgrade your server and gateways to R80.20, see sk115856 for information about upgrading the multi-realms configuration.
If you upgrade your Security Management Server to R80.x and do not upgrade the gateways, reconfigure Multiple Realms in GuiDBedit Tool after the upgrade.
If you configure authentication for a blade from the main Security Gateway Legacy Authentication page, the Security Gateway searches for users in a standard way when they try to authenticate. The gateway searches in this order:
If more than one Account Unit exists, the gateway searches in all at the same time. With multiple servers, the priority for servers can be set only in the scope of one account unit, but not between several account units.
To open the Session window:
SmartDashboard opens and shows the Mobile Access tab.
Having a single user logged in to Mobile Access more than once, from two different locations for example, is a potential security issue.
Simultaneous login prevention enables a gateway to automatically disconnect a remote user who is logged more than once.
When simultaneous login prevention is enabled, and a user's authentication information used to log in from two different computers, only the later login is considered legitimate, and the earlier session is logged out.
Simultaneous login prevention is configured in SmartDashboard from the Mobile Access tab by selecting Additional Settings > Session.
The options are:
Simultaneous login detection is disabled. This is the default option.
The earlier user is disconnected and the later user is allowed. The earlier user is logged out. For Mobile Access portal users, the following message appears: "Your Mobile Access session has timed out. would you like to sign in again now?". The later user is not informed that an earlier user is logged in.
The later user is informed that an earlier user is logged in, and is given the choice of canceling the login and retaining the existing session, or logging in and terminating the existing session. If the existing session is terminated, the user is logged out with the message: "Your Mobile Access session has timed out. would you like to sign in again now?".
To track simultaneous login events, select All Events in the Tracking section of the Additional Settings > Session page.
When the gateway disconnects a user, the gateway records a log of the disconnection, containing the connection information of both logins.
All disconnect and connect events create a corresponding entry in the traffic log. The following values of the authentication status field relate to simultaneous logins:
These issues may arise in connection with simultaneous login:
For Endpoint Connect users, Mobile Access does not prevent simultaneous login. This is equivalent to the User can have several simultaneous logins to the portal option. An Endpoint Connect user cannot log out another user with the same user name, and cannot be logged out by another user with the same user name.
With User can have only a single simultaneous login to the portal selected and Inform user before disconnecting previous sessions not selected SecureClient Mobile users can be logged off by another user, and can log off other users.
However, the Inform user before disconnecting his previous session option does not work, because no message can be sent to those users. User can be logged off, but cannot log off other users.
Once authenticated, remote users work in a Mobile Access session until they log out or the session terminates. Security best practices provide for limiting the length of active and inactive Mobile Access sessions to prevent abuse of secure remote resources.
Note - Mobile Access uses the system time to keep track of session timeouts. Changing the system time may disrupt existing session timeouts. Therefore, it is recommended to change the system time during low activity hours.
Mobile Access provides two types of session timeouts, both of which are configured in SmartDashboard from the Mobile Access tab by selecting Additional Settings > Session.
For Capsule Clients:
The Roaming option allows users to change their IP addresses during an active session.
Note - SSL Network Extender users can always change IP address while connected, regardless of the Roaming setting.
Configure Mobile Access to log session activity, including login attempts, logouts, timeouts, activity states and license expiration warnings.
Having multiple users on the same machine accessing the Mobile Access portal can be a security hazard. A user logged in to the Mobile Access portal can open a new browser window and get the access of the earlier session. Then the user can browse directly to the Mobile Access portal without entering the login credentials again.
To make sure authentication credentials are not stolen by others, recommend to users that they log off or close all browser windows when done using a browser.
Select a main authentication method for pre- R80.x gateways. If you also select Require client certificate when using Mobile applications on the Authentication page, you require two-factor authentication for Capsule Workspace users: the main authentication method, and certificate.
With these settings, users authenticate to the Mobile Access portal with only the main authentication method.
Capsule Workspace users receive the certificate information and register only one time. They provide the main authentication method credentials one time per session. Users might also need to enter a passcode, based on settings in the Capsule Workspace Settings in the Mobile Access tab.
To configure two-factor authentication with certificates for mobile devices on pre-R80.x gateways:
To configure two-factor authentication with the Mobile Access portal in pre-R80 gateways, see sk86240.
You can configure two factor authentication with certificate on an R80.x gateway in these ways:
To create a new multi-factor login option that includes certificates:
The Display Name represents this Login Option to the user upon login and can be a descriptive name.
To use the built-in default Login Option Cert_Username_Password:
Note - The Login Options configured in the Multiple Authentication Clients Settings list are only available to clients that support multiple login options. To see which clients support the new multiple login options, see sk111583.
When more than one Login Option is configured, and users connect with clients that support Multiple Login Options, users select a Login Option to use when they log in.
In the Mobile Access portal, in the login page, users see a drop-down list with all available login options, shown by their Display Name.
In the Capsule Workspace mobile application, users select the Login Option on the first connection to the gateway. On subsequent connections, the same login option is shown automatically.