Two Factor Authentication
Check Point Captive Portal A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication. authenticates users easily with a web interface. When users try to access a protected resource, they are prompted to enter authentication credentials in a browser.
Captive Portal Two Factor Authentication adds support for an additional challenge-response authentication from the user through the RADIUS protocol.
Follow all the procedures below to configure Captive Portal Two Factor Authentication.
-
Configure a RADIUS server object in SmartConsole
-
In the top left corner, click Objects > Object Explorer.
The Object Explorer window opens.
-
In the left navigation tree, click Servers.
-
From the toolbar, click New > Server > More > RADIUS.
-
Enter a name for your designated RADIUS server.
-
In the Host field, add the appropriate host object with your RADIUS server IP address.
If the host is not yet defined, click the star icon > Host, and enter the host Name and IP Address.
-
In the Version field, select the appropriate RADIUS version.
-
In the Protocol field, select the appropriate authentication protocol.
-
Click OK.
-
Close the Object Explorer window.
-
Install the Access Control Policy.
-
-
Configure Captive Portal in SmartConsole
-
From the left Navigation Toolbar, click Gateways & Servers.
-
Double-click the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.
-
On the General Properties pane, select the Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities..
Identity Awareness Configuration Wizard opens.
-
On the Methods For Acquiring Identity wizard screen, select the Browser-Based Authentication Authentication of users in Check Point Identity Awareness web portal - Captive Portal, to which users connect with their web browser to log in and authenticate..
-
Click Next.
-
On the Integration With Active Directory wizard screen, select I do not wish to configure an Active Directory at this time.
-
Click Next.
-
On the Browser-Based Authentication Settings wizard screen, configure the accessibility settings.
-
Click Next.
-
Click Finish to close the Identity Awareness Configuration Wizard.
-
In the left navigation tree, click Identity Awareness.
-
Next to the Browser-Based Authentication check box, click Settings.
-
In the Authentication Settings section, click Edit.
-
In the Authentication Method section, select RADIUS and then select the RADIUS server object you created earlier.
-
In the User Directories section, select the LDAP users option, if user groups will be fetched directly from an LDAP server.
Otherwise, clear this option.
-
Click OK to close the Security Gateway object properties.
-
Install the Access Control Policy.
-
-
Configure a generic user profile in the Legacy SmartDashboard
-
In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click Manage & Settings > Blades.
-
In the Mobile Access section, click Configure in SmartDashboard.
-
In the bottom left Network Objects pane, and click Users.
-
In the bottom left pane, right click on an empty space below the last folder in the pane and select New > External User Profile > Match all users.
-
Configure the External User Profile properties:
-
On the General Properties page:
In the External User Profile name field, leave the default name generic*.
In the Expiration Date field, set the applicable date.
-
On the Authentication page:
From the Authentication Scheme drop-down list, select and configure the applicable option.
-
On the Location, Time, and Encryption pages, configure other applicable settings.
-
Click OK.
-
-
From the top toolbar, click Update (or press Ctrl + S).
-
Close SmartDashboard.
-
In SmartConsole, install the Access Control Policy.
After users enter their credentials, the user data is retrieved from the LDAP server, the RADIUS server, or both.
-
-
Configure Access Roles that are based on LDAP users and groups
-
Make sure you have an LDAP Account Unit object for the LDAP server:
-
In SmartConsole, in the top left corner, go to Objects > Object Explorer.
Object Explorer window opens.
-
In the left navigation tree, click Servers.
Otherwise, from the toolbar, click New > Server > More > LDAP Account Unit, and configure the object.
-
-
Configure Access Roles based on LDAP users and LDAP groups.
-
Install the Access Control Policy.
-
-
Configure Access Roles that are based on RADIUS groups
-
Configure the Global Properties:
-
In SmartConsole, go to > Global properties.
The Global Properties window opens.
-
In the left navigation tree, click Advanced > Configure.
The Advanced Configuration window opens.
-
In the left navigation tree, click SecuRemote/SecureClient.
-
Select add_radius_groups.
-
Click OK to close the Advanced Configuration window.
-
Click OK to close the Global Properties window.
-
-
Configure the internal user groups:
-
In the top left corner, click Objects > Object Explorer.
Object Explorer window opens.
-
In the left navigation tree, click Users.
-
From the toolbar, click New > User > User Group.
-
For each RADIUS group
<grp>
on your RADIUS server, create an internal user group namedRAD_<grp>
(case-sensitive).For example, for RADIUS group
MyGroup
, create an internal user group namedRAD_MyGroup
. -
Close the Object Explorer window.
-
-
Configure Access Roles with the internal user groups you created in the previous step.
-
Install the Access Control Policy.
-