Before You Configure Smart Card Authentication
Make sure the environment is set up correctly to use Smart Card authentication before you configure it.
To use Smart Card authentication, you must have these components and requirements:
Smart Card Scenarios
The following scenarios show how to implement Smart Card authentication in organizations with different needs.
Scenario 1: Moving from Password to Smart Card
Scenario
Your organization uses Check Point Endpoint Security with username and password authentication for Full Disk Encryption Pre-boot. You want to move all users to Smart Card authentication for even greater security. Your organization uses Active Directory.
What to do:
- Plan your Smart Card environment:
  - Give all users a Smart Card.
  - Get a Smart Card certificate for each user and put them in Active Directory.
  - Learn which Smart Card driver and Reader driver are necessary for your Smart Card.
- Upgrade all endpoints to this version. Use reports to make sure all users are successfully upgraded.
- Open the tab.
- In a rule, right-click the action and select :
- Select.
- Select .
- Select the drivers required for your Smart Card.
- In the area, click .
The window opens.
- Select .
- Monitor the Smart Card deployment in the Pre-boot Reporting reports.
- If you choose, you can clear the option after all users have logged on with their Smart Card. If a specified user must use password authentication temporarily, you can change the Pre-boot Authentication Settings for the user to .
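A readiness check for the planning step in Scenario 1, as an added example that is not part of the Check Point documentation: it lists enabled Active Directory users who have no currently valid certificate, or whose certificate expires soon, so they can be fixed before Smart Card authentication is enforced. It assumes the RSAT ActiveDirectory module, that certificates are published in each account's `userCertificate` attribute, a placeholder search base, and a 30-day warning window; the Smart Card Logon EKU column is informational only.

```powershell
# Added example. Assumptions: certificates live in the userCertificate attribute,
# $SearchBase is a placeholder OU, and 30 days is an arbitrary warning window.
Import-Module ActiveDirectory

$SearchBase        = 'OU=Staff,DC=example,DC=com'   # placeholder, replace with your OU
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'       # Microsoft "Smart Card Logon" EKU
$Now               = Get-Date
$WarnBefore        = $Now.AddDays(30)

$report = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties userCertificate |
    ForEach-Object {
        $user = $_

        # Parse every DER blob stored on the account; skip blobs that are not certificates.
        $certs = foreach ($raw in $user.userCertificate) {
            try   { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw) }
            catch { Write-Warning "Unparseable certificate on $($user.SamAccountName)" }
        }

        # Keep only certificates that are inside their validity period right now.
        $valid = @($certs | Where-Object { $_.NotBefore -le $Now -and $_.NotAfter -gt $Now })

        # Of those, which carry the Smart Card Logon EKU (reported, not required).
        $withEku = @($valid | Where-Object {
            $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages.Value } |
                Where-Object { $_ -eq $SmartCardLogonOid }
        })

        # The certificate that stays valid longest decides the account's status.
        $latest = $valid | Sort-Object NotAfter -Descending | Select-Object -First 1
        $status = if (-not $latest)                         { 'NoValidCertificate' }
                  elseif ($latest.NotAfter -lt $WarnBefore) { 'ExpiresSoon' }
                  else                                      { 'Ready' }

        [pscustomobject]@{
            User              = $user.SamAccountName
            Status            = $status
            ValidCertificates = $valid.Count
            SmartCardLogonEku = $withEku.Count -gt 0
            LatestExpiry      = if ($latest) { $latest.NotAfter } else { $null }
        }
    }

# Accounts that still need attention before Smart Card authentication is enforced.
$report | Where-Object Status -ne 'Ready' | Sort-Object Status, User | Format-Table -AutoSize
"{0} of {1} enabled users are ready" -f @($report | Where-Object Status -eq 'Ready').Count, @($report).Count
```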
Scenario 2: Mix of Password and Smart Card Authentication
Scenario
Your organization is preparing to install Check Point Endpoint Security for the first time. Most users will use username and password Pre-boot authentication. Administrators with high administrative privileges will use Smart Card authentication. Your organization does not use Active Directory.
What to do:
- Plan your Smart Card environment:
  - Give a physical Smart Card to all users who will use a Smart Card.
  - Get a Smart Card certificate for each user who will use a Smart Card.
  - Learn which Smart Card driver and Reader driver are necessary for your Smart Card.
- Deploy the Endpoint Security client, including Full Disk Encryption on all endpoints, as described in the Deploying Endpoint Security Clients chapter. Use Reporting reports to make sure that Full Disk Encryption completes the deployment phase and the of each computer is .
- Open the tab.
- In a rule, select one of the actions:
  - Select and manually configure the Smart Card users to use Smart Card authentication.
  - Select . For added security, you can manually configure each Smart Card user to use Smart Card authentication only.
- Right-click the action and select
- Select the drivers required for your Smart Card and the Smart Card protocol. All users will receive these settings, including those who are configured to use Password authentication.
- In the OneCheck User Settings page for each Smart Card user, in the area, click to import a certificate.
- Monitor the Smart Card deployment in the Pre-boot Reporting reports.
Note - You can put all Smart Card users in a virtual group so that it is easy to monitor them and change their policies, if necessary.
Notes on Using Smart Cards
- Check Point does not supply Smart Card features to use with Windows. You can use third-party software, supplied by Windows or the Smart Card vendor.
- To use recovery media with a Smart Card-only user, when you create the recovery media, create a temporary user who can authenticate to it.