User Authentication in Mobile Access

User Authentication to the Mobile Access Portal

To enter the Mobile Access portal and get access to its applications, users defined in SmartDashboard must authenticate to the Security Gateway. Authentication ensures that a user is who he or she claims to be. Users authenticate using one or more of these authentication schemes:

  • Username and password - Users enter a user name and password.

  • Client Certificates - Digital Certificates are issued by the Internal Certificate Authority or by a third party OPSEC certified Certificate Authority.

  • RADIUS Server - Remote Authentication Dial-In User Service (RADIUS) is an external authentication scheme. The Security Gateway forwards authentication requests by remote users to the RADIUS server. The RADIUS server, which stores user account information, authenticates the users. The RADIUS protocol uses UDP for communications with the Security Gateway. RADIUS Servers and RADIUS Server Group objects are defined in SmartDashboard.

    For more about configuring a Security Gateway to use a RADIUS server, see the R80.40 Security Management Administration Guide.

  • SecurID - SecurID is a proprietary authentication method of RSA Security. An external SecurID server manages access by changing passwords every few seconds. Each user carries a SecurID token, a piece of hardware or software that is synchronized with the central server and displays the current password. The Security Gateway forwards authentication requests by remote users to the RSA Authentication Manager.

    For more about configuring a Security Gateway to use SecurID, see the R80.40 Security Management Administration Guide.

  • DynamicID One Time Password - DynamicID One Time Password can be required as a secondary or later authentication method (not the first). When this is configured, users who successfully complete the first-phase or phases of authentication are challenged to enter an additional credential: a DynamicID One Time Password (OTP). The OTP is sent by email or text message to a mobile phone, or other mobile communication device.

  • Defined on user record (Legacy Authentication) - The authentication method for each user is defined on the user record. For internal users, it is in the Authentication page of the User Properties. For LDAP users, it is on the user record in LDAP.

A user who tries to authenticate with an authentication scheme that is not configured for the Mobile Access Security Gateway will not be allowed to access resources through the Security Gateway.

Configuring Authentication for Security Gateways R77.30 and lower

Permitted authentication schemes must be configured for each Security Gateway.

On the Security Gateway, configure authentication in the Gateway Properties window of a Security Gateway in Mobile Access > Authentication. If you select an authentication method on this page, that is the method that all users must use to authenticate to Mobile Access. You can configure other authentication methods that users must use for different blades on different pages.

The default authentication scheme is Username and Password.

In the Mobile Access tab in SmartDashboard, select Authentication to show an overview of the Mobile Access Security Gateways and their authentication schemes.

On this page you can also configure settings for Two- Factor Authentication with a DynamicID One Time Password. Configure settings for the Security Gateway or global settings that are used for all Security Gateways that do not have their own DynamicID settings.

Requiring Certificates for Mobile Devices on Security Gateways R77.30 and lower

To require client certificates for mobile devices:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The Security Gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Mobile Access > Authentication.

  3. Make sure that the Authentication Method is one of these options:

    • Username and password

    • RADIUS

    • SecurID

  4. From the Certificate Authentication for mobile devices section, click Require client certificate when using ActiveSync applications or Mobile Mail.

  5. Click OK.

  6. Install the policy.

Image-Based RADIUS Authentication

Use Image-based RADIUS as a secondary authentication factor to authenticate to the Mobile Access Portal. It allows Mobile Access to integrate with third-party authentication services.

The images in this authentication factor are patterns of random numbers in a grid. During authentication, the user selects the numbers in the positions that correspond to a pre-selected pattern.

Configuring Image-Based RADIUS

To use image-based RADIUS as an authentication factor in Mobile Access, you have to configure RADIUS authentication with SmartConsole.

To configure Mobile Access authentication factors in SmartConsole:

  1. In SmartConsole, from the Gateways & Servers tab, double-click the Security Gateway.

    The Check Point Security Gateway window shows.

  2. From the menu, click Mobile Access > Authentication.

  3. In the Multiple Authentication Client Settings table, add a new login option.

    1. Click Add > New.

      The Multiple Login Options window shows.

    2. In the Authentication Methods table, click Add to create Authentication Factors.

    3. When the Authentication Factor window opens, click RADIUS.

    4. Under Customize Display, add an appropriate description to the Headline.

      Note - When you return to the Authentication Methods table, make sure RADIUS authentication is not the first factor.

Enabling Image-Based RADIUS on Security Gateways

To enable Image-based RADIUS, edit the configuration file, $CVPNDIR/conf/cvpnd.C on each Mobile Access Security Gateway that uses Image-based RADIUS as an authentication factor.

Important - After every change to cvpnd.C, you must restart the cvpn services: cvpnrestart

:isImageBasedRadiusEnabled (false)

:ImageBasedRadiusRealmNames (

)

:ImageBasedRadiusURL ("")

Fields

Description

Example

:isImageBasedRadiusEnabled (true)

:isImageBasedRadiusEnabled (false)

Enter true to enable.

Enter false to disable.

If set to true, the Security Gateway treats every RADIUS authentication factor found in :ImageBasedRadiusRealmNames as an Image-based RADIUS authentication factor.

 

:ImageBasedRadiusRealmNames

List that has authentication realm names that are configured in SmartConsole, that contain Image-based RADIUS authentication as a secondary factor.

If empty, all the authentication realms with RADIUS as a secondary authentication factor, are treated as an Image-based RADIUS authentication factor.

(: ("realm name as configured")

: ("another realm with Image-based RADIUS"))

:ImageBasedRadiusURL

The URL from the third-party authentication service to get the user grid.

Use $$username as a placeholder for the username.

("https://<authentication_provider_url>?<query_string>&username=$$username")

Google reCAPTCHA Challenge

The reCAPTCHA service uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities. It prevents malicious logins and at the same time allows authenticated users to pass through easily.

Configure your Security Gateway with Google reCAPTCHA v2 to challenge a user upon multiple, incorrect login attempts. reCAPTCHA appears as a challenge when a user reaches the maximum number of failed attempts.

The reCAPTCHA challenge is compatible with ClusterXL and VSX.

The reCAPTCHA challenge is not supported in the Capsule Workspace.

For supported browsers, see the Google documentation.

Registering Mobile Access for reCAPTCHA on Google

To use Mobile Access with reCAPTCHA, you have to register the Mobile Access Portal FQDN with reCAPTCHA.

Go to the Google reCAPTCHA site for instructions.

Adding reCAPTCHA to the Mobile Access Portal

You have to configure the Security Gateway manually to add reCAPTCHA. To enable reCAPTCHA, the Security Gateway needs:

  • Internet connectivity

  • A DNS configured

  • Portal URL configuration with an FQDN and not an IP addres

    If you browse to the Portal with an IP address rather than an FQDN, you are redirected to the FQDN link.

    Note - In a cluster environment, each Security Gateway has to be configured identically.

To configure the Security Gateway manually, edit the $CVPNDIR/conf/cvpnd.C file.

Important - After every change in the cvpnd.C file, you must restart the CVPN services with the cvpnrestart command.

This shows:

:isCaptchaEnabled (false)

:isCaptchaEnabledForRelogin (false)

:captchaFailOpen (false)

:captchaPenaltyTimeInSeconds (1800)

:captchaFailedAttemptsThreshold (2)

:reCaptchaSiteKey ()

:reCaptchaSecret ()

:isCaptchaSettingsVerifierEnabled (false)

Fields

Description

:isCaptchaEnabled (true)

:isCaptchaEnabled (false)

Enter true to enable.

Enter false to disable.

:IsCaptchaEnabledForRelogin(true)

:IsCaptchaEnabledForRelogin(false)

Determines if reCAPTCHA shows on a re-login flow.

Enter true to enable.

Enter false to disable.

:captchaFailOpen(true)

:captchaFailOpen(false)

Entrance to the Portal.

Enter true to enable.

Enter false to disable.

This determines when to block users:

  • No connectivity from the Security Gateway to Google

  • Invalid or missing a secret key

  • Invalid or missing a validation response from Google

  • Portal URL is not configured with an FQDN

False - User is not allowed access to the Portal. See the login log for more information.

True - User is allowed access to the Portal. A warning that the reCAPTCHA challenge was not verified shows. See the login log for more information.

:captchaPenaltyTimeInSeconds (1800)

The amount of time in seconds that the user in penalty is challenged with reCAPTCHA on each login until the user succeeds to log in. The default is 1800 seconds.

:captchaFailedAttemptsThreshold (2)

This is the number of times a user tries to log in unsuccessfully before reCAPTCHA shows.

The default is two failed login attempts within the pre-determined time frame. Failures within that time frame are counted. If the time frame passes, the failure counter is set to zero again.

If the field is set to zero, there is a reCAPTCHA challenge on every login attempt.

:reCaptchaSiteKey ()

The site key from Google.

:reCaptchaSecret ()

The secret from Google.

:isCaptchaSettingsVerifierEnabled(true)

:isCaptchaSettingsVerifierEnabled(false)

A utility page that checks the reCAPTCHA configuration and the connectivity from the Security Gateway.

Enter true to enable the page.

Enter false to disable the page.

To see this page, go to: https://<Portal URL>/Login/verifyCaptchaSettings

Best Practice - If you enable and configure reCAPTCHA, make sure the Capsule Workspace uses certificate authentication. reCAPTCHA is not supported in the Capsule Workspace.

When you are challenged with reCAPTCHA, some Java scripts are downloaded to your browser.

Multiple Login Options for Security Gateways R77.30 and lower

On Security Gateways R80.10 and higher, you can configure multiple login options for Mobile Access and IPsec VPN.

The options can be different for each Security Gateway and each supported Software Blade, and for some client types. Users select one of the available options to log in with a supported client.

By default, all clients connect with the method for R77.30 and lower. When you create new login options, newer clients can see them in addition to the option of R77.30 and lower, but older clients cannot.

To see which clients support the new multiple login options, see sk111583.

Each configured login option is a global object that can be used with multiple Security Gateways and the Mobile Access and IPsec VPN Software Blades.

Compatibility with Older Clients

Older clients connect with the same login options available on Security Gateways R77.30 and lower. If you upgrade all or most clients to versions that support multiple login options, you can block older clients from connecting. After you do this, only clients that support multiple login options can connect to the Security Gateway.

By default, Allow older clients to connect to this gateway is selected in Mobile Access > Authentication. If you clear the option, older clients are blocked.

You can choose if newer clients that support multiple login options can connect with the authentication settings defined for older clients.

Configuring the Authentication Method for Newer Clients

To block newer clients from using the authentication method defined for older clients:

  1. In the Gateway Properties, select Mobile Access > Authentication or VPN Clients > Authentication.

  2. In the Compatibility with Older Clients section, click Settings.

    The Single Authentication Clients Settings window opens.

  3. Clear Allow newer clients that support Multiple Login Options to use this authentication method.

  4. Click OK.

  5. Install policy.

To let newer clients connect to the Security Gateway with the authentication settings defined for older clients:

Select Allow newer clients that support Multiple Login options to use this authentication method.

Configuring Authentication Settings for Older Clients

To let older clients connect to the Security Gateways R80.10 and higher:

  1. In the Gateway Properties, select Mobile Access > Authentication or VPN Clients > Authentication.

  2. Select Allow older clients to connect to this gateway.

    If this is not selected, older clients cannot connect to the Security Gateway.

To change the authentication method for older clients:

  1. In the Gateway Properties, select Mobile Access > Authentication or VPN Clients > Authentication.

  2. In the Compatibility with Older Clients section, click Settings.

    The Single Authentication Clients Settings window opens.

  3. Change the Display Name to change the way the authentication method is shown in SmartConsole.

  4. Select an Authentication method.

  5. Click Customize to change the description of fields that are shown to users in the login window. See the "Customize Display Settings" section.

  6. To require DynamicID with the selected authentication method, select Enable DynamicID. After you select this, you must configure the DynamicID settings for the Security Gateway from Authentication > DynamicID Settings > Edit.

  7. Define the settings for Capsule Workspace:

    • Select Require client certificate to require Capsule Workspace to always use client certificates.

    • Select Allow DynamicID to require DynamicID in addition to the selected authentication method. After you select this, you must configure the DynamicID settings for the Security Gateway from Authentication > DynamicID Settings > Edit.

  8. Click OK.

  9. Click OK.

  10. Install policy on the Security Gateway.

To configure global DynamicID settings that all Security Gateways use:

  1. For each Security Gateway, in Gateway Properties > Mobile Access > Authentication > DynamicID Settings, select Use Global Settings.

  2. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  3. Configure the global settings in Mobile Access tab > Authentication > Two-Factor Authentication with DynamicID.

  4. Close SmartDashboard

  5. In SmartConsole, install policy on the Security Gateway.

Configuring Multiple Log-in Options

You can configure login options from:

  • Gateway Properties > Mobile Access > Authentication

  • Gateway Properties > VPN Clients > Authentication

  • SmartDashboard > Mobile Access tab > Authentication

The login options selected for Mobile Access clients, such as the Mobile Access portal and Capsule Workspace, show in the Mobile Access > Authentication page in the Multiple Authentication Client Settings table.

The login options selected for VPN clients, such as Endpoint Security VPN, Check Point Mobile for Windows, and SecuRemote, show in the VPN Clients > Authentication page in the Multiple Authentication Client Settings table.

To configure multiple login options for Mobile Access Clients:

  1. From the Gateway Properties tree of a Security Gateway, select Mobile Access > Authentication.

  2. In the Multiple Authentication Clients Settings table, see a list of configured login options.

    The default login options are:

    • Personal_Certificate - Require a user certificate.

    • Username_Password - Require a username and password.

    • Cert_Username_Password - Require a username and password and a user certificate.

  3. Click Add to create a new option or Edit to change an option. Each configured login option is a global object that can be used with multiple Security Gateways and Software Blades.

  4. For each login option select one or more Authentication Factors and relevant Authentication Settings.

    For example, if you select SecurID, select the SecurID Server and Token Card Type. If you select Personal Certificate, select which certificate field the Security Gateway uses to fetch the username. See the "Certificate Parsing" section.

  5. Select Customize Display to configure what users see when they log in with this option. See the "Customize Display Settings" section.

  6. Click OK.

  7. Use the Up and Down arrows to set the order of the login options.

    • If you include Personal Certificates, it must be first.

    • If you include DynamicID, it cannot be first.

  8. On each Login Option > Usage in Gateway, select if the login option is available from:

    • The Mobile Access Portal

    • Capsule Workspace

  9. Click OK.

Selecting a Client for a Login Option

For login options created from the Mobile Access > Authentication page, you can select if the login option is available for the Mobile Access Portal, Capsule Workspace, or both.

The login option will only be visible for the clients that you select.

Customize Display Settings

Enter descriptive values to make sure that users understand what information to input. These fields must all be the same language but they do not need to be in English.

  • Headline - The title of the login option, for example, Log in with a Certificate or Log in with your SecurID Pinpad.

  • Username label - A description of the username that users must enter, for example, Email address or AD username.

  • Password label - A description of the password that users must enter, for example, AD password.

Certificate Parsing

When you select Personal Certificate as a Login option, you can also configure what information the Security Gateway sends to the LDAP server to parse the certificate. The default is the DN. You can configure the settings to use the user's email address or a serial number instead.

To change the certificate parsing:

  1. In the Multiple Authentication Clients Settings table on the Authentication page, select a Personal_Certificate entry and click Edit.

    The Authentication Factor window opens.

  2. In the Authentication Settings area in the Fetch Username from field, select the information that the Security Gateway uses to parse the certificate.

  3. Click OK.

  4. Install policy.

Deleting Login Options

To permanently delete a Login option:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

  2. In SmartDashboard go to the Mobile Access tab > Authentication page.

  3. From the list of login options, select an option and click Delete.

Viewing all Authentication Settings

To see all Security Gateways and their authentication settings:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

  2. In SmartDashboard go to the Mobile Access tab.

  3. From the tree, select Gateways.

  4. Click a Security Gateway to see its authentication settings.

Multi-Factor Authentication with DynamicID

Multi-factor authentication is a system where two or more different methods are used to authenticate users. Using more than one factor delivers a higher level of authentication assurance. DynamicID is one option for multi-factor authentication.

Users who successfully complete the first-phase authentication can be challenged to provide an additional credential: a DynamicID One Time Password (OTP). The OTP is sent to their mobile communications device (such as a mobile phone) via SMS or directly to their email account.

On Security Gateways R80.10 and higher, DynamicID is supported for all Mobile Access and IPsec VPN clients.

How DynamicID Works

When logging in to the Mobile Access portal, users see an additional authentication challenge such as:

Please type the verification code sent to your phone.

Users enter the one time password that is sent to the configured phone number or email address and they are then admitted to the Mobile Access portal.

On the User Portal sign in screen, the I didn't get the verification code link shows. If the user does not receive an SMS or email with the verification code within a short period of time, the user can click that button to receive options for resending the verification code.

Administrators can allow users to select a phone number or email address from a list. Only some of the phone number digits are revealed. Users can then select the correct phone number or email address from the list and click Send to resend the verification code. By default, users can request to resend the message three times before they are locked out of the Portal.

Match Word

The Match Word feature ensures that users can identify the correct DynamicID verification code in situations when they may receive multiple messages. Users are provided with a match word on the Login page that will also appear in the correct message. If users receive multiple SMS messages, they can identify the correct one, as it will contain the same match word.

The SMS Service Provider

In Security Gateways R77.30 and lower, proxy settings for the SMS service provider were configured in Gateway Properties > Mobile Access > HTTP Proxy.

In Security Gateways R80.10 and higher, this is configured in Gateway Properties > Network Management > Proxy.

To access the SMS service provider, configure the proxy settings on the Security Gateway:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The Security Gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Network Management > Proxy.

  3. Define the Proxy settings.

    If no proxy is defined on this page, no proxy is used for the SMS provider.

Whichever provider you work with, in order for the SMS messages to be sent to users, valid account details must be obtained from the provider and be configured in Mobile Access.

DynamicID Authentication Granularity

You can make multi-factor authentication with DynamicID a requirement to log in to the Security Gateway. Alternatively, you can make DynamicID a requirement to access specified applications. This flexibility gives you different security clearance levels.

To make multi-factor authentication with DynamicID a requirement to access specified applications, configure a Protection Level to require multi-factor authentication, and associate the Protection Level with Mobile Access applications (see the "Two-Factor Authentication per Application" section).

In an environment with multiple Mobile Access Security Gateways, make multi-factor authentication a requirement for a specified Security Gateway, configure multi-factor authentication for that Security Gateway.

On Security Gateways R80.10 and higher, DynamicID authentication can be part of a login option that is required for the Mobile Access portal or Capsule Workspace, or both.

Basic DynamicID Configuration for SMS or Email

The workflow for basic configuration of two-factor authentication via DynamicID is:

Advanced Two-Factor Authentication Configuration

To configure settings for a specified Security Gateway:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The Security Gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Mobile Access > Authentication.

  3. From the Two-Factor Authentication with DynamicID section, click Custom settings for this gateway.

  4. Click Configure.

    The Two-Factor Authentication with DynamicID window opens.

To configure global settings for all the Security Gateways:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree, click Authentication.

  3. From the DynamicID Settings section, click Edit.

  4. Click Advanced.

    The Two-Factor Authentication with DynamicID window opens.

DynamicID Message

  • Message text to be sent to the user

    By default, the text of the message is "Mobile Access DynamicID one time password:". The message can contain the template fields shown in the following table to include the user's name and prompt users to use enter a One Time Password.

    For example, the message could say: $NAME, use the verification code $CODE to enter the portal.

    Parameter

    Meaning

    $NAME

    User name used in the first phase of authentication to the portal.

    $CODE

    Replaced with the One Time Password. By default, $CODE is added to the end of the message.

DynamicID Settings

  • Length of one time password is 6 digits by default

  • One time password expiration (in minutes) is 5 minutes by default. Ensure there is a reasonably sufficient time for the message to arrive at the mobile communication device or email account, for the user to retrieve the password, and to type it in.

  • Number of times users can attempt to enter the one time password before the entire authentication process restarts. By default the user has 3 tries.

Display User Details

  • In the portal, display the phone number or email address that received the DynamicID. By default, the phone number to which the SMS message was sent is not shown.

Country Code

  • Default country code for phone numbers that do not include country code. The default country code is added if the phone number stored on the LDAP server or on the local file on the Security Gateway starts with 0.

Phone Number or Email Retrieval

  • Active Directory and Local File

    Try to retrieve the user details from the Active Directory user record. If unsuccessful, retrieve from the local file on the gateway.

    The LDAP account unit is defined in the Users and Authentication > Authentication > LDAP Account Units page of the SmartDashboard Mobile Access tab.

    The phone directory on the local Security Gateway is in $CPDIR/conf/dynamic_id_users_info.lst

    Note - If the directory file does not exist yet, create it.

  • Active Directory Only

    Retrieve phone numbers from Active Directory user record without using the local file on the gateway.

    The LDAP account unit is defined in the Users and Authentication > Authentication > LDAP Account Units page of the SmartDashboard Mobile Access tab.

  • Local File Only

    Retrieve the user details from the local file on the gateway.

    The phone directory on the local Security Gateway is in $CPDIR/conf/dynamic_id_users_info.lst

Configuring Resend Verification and Match Word

The DynamicID troubleshooting and match word features are configured in GuiDBedit Tool (see sk13009) or dbedit (see skI3301).

The GuiDBedit Tool table to edit depends on the Two Factor Authentication with SMS One Time Password (OTP) setting that you configured in SmartDashboard in the Mobile Access Gateway Properties > Authentication.

  • If your DynamicID One Time Password settings are global across all of your Security Gateways (use the global settings configured in the Mobile Access tab is selected), in GuiDBedit Tool select Other > Mobile Access Global Properties.

  • If your DynamicID One Time Password settings are configured for a specific Security Gateway (this Security Gateway has its own two-factor authentication settings is selected), in GuiDBedit Tool select network_objects and then select the specific Security Gateway you want to edit.

This table shows the DynamicID features that can be configured, and where in GuiDBedit Tool to configure them.

Feature

Field Name/s to Edit

Value Options

Match Word

use_message_matching_helper

true: match word provided

false: match word not provided (default)

Resend message

enable_end_user_re_transmit_message

true: enable resend SMS feature (default)

false: disable resend SMS feature

Display multiple

phone numbers

enable_end_user_select_phone_num

true: enable option to choose from multiple phone numbers or email addresses when resending the verification code (default)

false: one phone number or email address from the LDAP server or local file is used automatically without choice

Conceal

displayed phone

numbers

Edit both:

reveal_partial_phone_num

and

number_of_digits_revealed

true: conceal part of the phone number or email address (default)

false: display the full phone number or email address

1-20: Choose the amount of digits to reveal

(default is 4)

After editing the values in GuiDBedit Tool, save the changes, connect to SmartDashboard, and install the policy.

Configuring the Number of Times Messages are Resent

By default, users can request to resend the verification code message three times by clicking the I didn't get the verification code link before they are locked out of the Mobile Access Portal. The number of times the message can be resent is configured using the cvpnd_settings command from the Mobile Access CLI in expert mode.

The instructions below relate to actually resending the verification code message. The number of times users can try to input the verification code is configured in SmartDashboard in the Two Factor Authentication Advanced window.

To change the number of times the verification code message can be resent to 5, run:

cvpnd_settings set smsMaxResendRetries 5

You can replace "5" with any other number to configure a different amount of retries.

After making the changes, run the cvpnrestart command to activate the settings.

If the Mobile Access Security Gateway is part of a cluster, be sure to make the same changes on each cluster member.

Two-Factor Authentication per Security Gateway

To configure two-factor authentication Globally on, with custom settings per Security Gateway:

  1. Set up basic two-factor authentication.

  2. For each Security Gateway, go to Gateway Properties > Mobile Access > Authentication.

  3. Do one of these options:

    • To use the global settings - Select Global settings and the global settings are used from the Authentication to Gateway page of the Mobile Access tab. This is the default.

    • To turn off two-factor authentication for the gateway - Select Custom Settings for this Gateway and click Configure. In the window that opens, do not select the check box. This turns off two-factor authentication for this Security Gateway.

    • To activate two-factor authentication for the gateway with custom settings -Select Custom Settings for this Gateway and click Configure. In the window that opens, select the check box. You must then configure custom SMS Provider Credentials for this Security Gateway. Optionally, configure Advanced options.

  4. Repeat step 2 and step 3 for all other Security Gateways.

  5. Install the policy.

Two-Factor Authentication per Application

To configure two-factor authentication per application:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. Configure basic two-factor authentication (see the "Basic DynamicID Configuration for SMS or Email" section).

    1. Configure the phone directory.

    2. Configure the application settings in Mobile Access tab > Authentication.

    3. Configure the Mobile Access Security Gateways to let the mobile devices use DynamicID.

  3. Configure the Mobile Access Applications.

    1. In the Protection Level window, from the navigation tree click Authentication.

    2. Select User must successfully authenticate via SMS.

    3. Click OK.

  4. Assign the protection level to Mobile Access applications that require Mobile Access Applications.

  5. Click Save and then close SmartDashboard.

  6. In SmartConsole, install the policy.

Changing the SMS Provider Certificates and Protocol

By default, it is recommended to use a secure (https) protocol for communication with the SMS provider. Mobile Access also validates the provider server certificate using a predefined bundle of trusted CAs.

If your SMS provider uses a non-trusted server certificate you can do one of the following:

  • Add the server certificate issuer to the trusted CA bundle under $CVPNDIR/var/ssl/ca-bundle/ and run:

    $CVPNDIR/bin/rehash_ca_bundle

  • Ignore the server certificate validation by editing the $CVPNDIR/conf/cvpnd.C file and replacing the SmsWebClientProcArgs value with ("-k").

If your SMS provider is working with the non-secure HTTP protocol, edit the file $CVPNDIR/conf/cvpnd.C and replace the SmsWebClientProcArgs value with ("").

Multiple Log-in Options for Security Gateways R77.30 and lower

On Security Gateways R77.30 and lower, "Multiple Log-in" options is called "Multiple Realms" and is configured in GuiDBedit Tool (see sk13009) or dbedit (see skI3301). It gives support for multiple authentication realms in the Mobile Access Portal. If you use this feature, we recommend that you upgrade your Security Gateways to this release and configure Multiple Login Options in SmartConsole.

If you upgrade your Management Server and Security Gateways to this release, see sk115856 for information about upgrading the multi-realms configuration.

If you upgrade only your Management Server and do not upgrade the Security Gateways, reconfigure Multiple Realms in GuiDBedit Tool after the upgrade.

How the Security Gateway Searches for Users

If you configure authentication for a blade from the main Security Gateway Legacy Authentication page, the Security Gateway searches for users in a standard way when they try to authenticate.

The Security Gateway searches in this order:

  1. The internal users database.

  2. If the specified user is not defined in this database, the Security Gateway queries the User Directory (LDAP) servers defined in the Account Unit one at a time, and according to their priority.

    If more than one Account Unit exists, the Security Gateway searches in all at the same time. .With multiple servers, the priority for servers can be set only in the scope of one account unit, but not between several account units.

  3. If the information still cannot be found, the Security Gateway uses the external users template to see if there is a match against the generic profile. This generic profile has the default attributes applied to the specified user.

Session Settings

To open the Session window:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree, click Additional Settings > Session.

Simultaneous Logins to the Portal

Having a single user logged in to Mobile Access more than once, from two different locations for example, is a potential security issue.

Simultaneous login prevention enables a Security Gateway to automatically disconnect a remote user who is logged more than once.

When simultaneous login prevention is enabled, and a user's authentication information used to log in from two different computers, only the later login is considered legitimate, and the earlier session is logged out.

Configuring Simultaneous Login Prevention

Simultaneous login prevention is configured in SmartDashboard from the Mobile Access tab by selecting Additional Settings > Session.

The options are:

  • User is allowed several simultaneous logins to the Portal

    Simultaneous login detection is disabled. This is the default option.

  • User is allowed only a single login to the portal

    Inform user before disconnecting his previous session (option is not selected)

    The earlier user is disconnected and the later user is allowed. The earlier user is logged out. For Mobile Access portal users, the following message appears:

    "Your Mobile Access session has timed out. would you like to sign in again now?". The later user is not informed that an earlier user is logged in.

  • User is allowed only a single login to the portal (option selected)

    Inform user before disconnecting his previous session(option selected)

    The later user is informed that an earlier user is logged in, and is given the choice of canceling the login and retaining the existing session, or logging in and terminating the existing session. If the existing session is terminated, the user is logged out with the message:

    "Your Mobile Access session has timed out. would you like to sign in again now?".

Tracking of Simultaneous Logins

To track simultaneous login events, select All Events in the Tracking section of the Additional Settings > Session page.

When the Security Gateway disconnects a user, the Security Gateway records a log of the disconnection, containing the connection information of both logins.

All disconnect and connect events create a corresponding entry in the traffic log. The following values of the authentication status field relate to simultaneous logins:

  • Success - User successfully logged in. Existing active sessions were terminated.

  • Inactive - User successfully authenticated, but existing sessions need to be terminated prior to logging on.

  • Disconnected - An existing user session has been terminated because the same user has logged on to another session.

Simultaneous Login Issues

These issues may arise in connection with simultaneous login:

Endpoint Connect - Simultaneous Login Issues

For Endpoint Connect users, Mobile Access does not prevent simultaneous login. This is equivalent to the User can have several simultaneous logins to the portal option. An Endpoint Connect user cannot log out another user with the same user name, and cannot be logged out by another user with the same user name.

SecureClient Mobile - Simultaneous Login Issues

With User can have only a single simultaneous login to the portal selected and Inform user before disconnecting previous sessions not selected SecureClient Mobile users can be logged off by another user, and can log off other users.

However, the Inform user before disconnecting his previous session option does not work, because no message can be sent to those users. User can be logged off, but cannot log off other users.

Other Simultaneous Login Issues
  1. When a session is disconnected by another user and SSL Network Extender application mode client is being used, the SSL Network Extender window remains open, while the session is disconnected. Similarly, when a session is disconnected by another user and Secure Workspace is being used, Secure Workspace remains open, while the session is disconnected.

  2. When a session is disconnected by another user and Citrix is being used, the Citrix window remains open, while the session is disconnected.

  3. All current sessions are deleted when changing the section from User can have only a single login to the Portal to User is allowed several simultaneous logins to the Portal.

Session Timeouts

Once authenticated, remote users work in a Mobile Access session until they log out or the session terminates. Security best practices provide for limiting the length of active and inactive Mobile Access sessions to prevent abuse of secure remote resources.

Note - Mobile Access uses the system time to keep track of session timeouts. Changing the system time may disrupt existing session timeouts. Therefore, it is recommended to change the system time during low activity hours.

Mobile Access provides two types of session timeouts, both of which are configured in SmartDashboard from the Mobile Access tab by selecting Additional Settings > Session.

  • Re-authenticate users every is the maximum session time. When this period is reached, the user must log in again. The default value is 60 minutes. Changing this timeout affects only future sessions, not current sessions.

  • Disconnect idle sessions after is the disconnection time-out if the connection remains idle. The default value is 15 minutes. When users connect via SSL Network Extender, this timeout does not apply.

For Capsule Clients:

  1. Go to SmartDashboard > Mobile Access tab > Capsule Workspace Settings > Mobile Profiles.

  2. Create or edit the applicable profile.

  3. In the Access Settings section, configure the applicable value in the Session timeout field.

Roaming

The Roaming option allows users to change their IP addresses during an active session.

Note - SSL Network Extender users can always change IP address while connected, regardless of the Roaming setting.

Tracking

Configure Mobile Access to log session activity, including login attempts, logouts, timeouts, activity states and license expiration warnings.

Securing Authentication Credentials

Having multiple users on the same machine accessing the Mobile Access portal can be a security hazard. A user logged in to the Mobile Access portal can open a new browser window and get the access of the earlier session. Then the user can browse directly to the Mobile Access portal without entering the login credentials again.

To make sure authentication credentials are not stolen by others, recommend to users that they log off or close all browser windows when done using a browser.

Mobile Access Authentication Use Cases

Use Case: Two-Factor Authentication with Certificates in Security Gateways R77.30 and lower

Select a main authentication method for Security Gateways R77.30 and lower. If you also select Require client certificate when using Mobile applications on the Authentication page, you require two-factor authentication for Capsule Workspace users: the main authentication method, and certificate.

With these settings, users authenticate to the Mobile Access portal with only the main authentication method.

Capsule Workspace users receive the certificate information and register only one time. They provide the main authentication method credentials one time per session. Users might also need to enter a passcode, based on settings in the Capsule Workspace Settings in the Mobile Access tab.

To configure two-factor authentication with certificates for mobile devices on Security Gateways R77.30 and lower

  1. Open the Security Gateway object.

  2. Select Mobile Access > Authentication.

  3. Select a main authentication method from these options:

    • Username and Password

    • RADIUS

    • SecurID

  4. Select Require client certificate when using Mobile applications or Require client certificate when using ActiveSync applications.

  5. Click OK.

  6. Install policy.

To configure two-factor authentication with the Mobile Access portal in Security Gateways R77.30 and lower, see sk86240.

Use Case: Two Factor Authentication with Certificates on Security Gateways R80.10 and higher

You can configure two factor authentication with certificate on a Security Gateway R80.10 and higher in these ways:

  • Create a new Login Option with Personal Certificate as the first factor and one or more additional methods that you choose as additional factors.

  • Use the default Login Option, Cert_Username_Password, which includes a personal certificate as the first factor, and username and password as the second factor.

To create a new multi-factor login option that includes certificates:

  1. Open the Security Gateway object.

  2. Select Mobile Access > Authentication.

  3. In the Multiple Authentication Clients Settings table, click Add to create a new option.

  4. Click New.

  5. In the Multiple Login Options window, enter the Login Option's Name and Display Name.

    The Display Name represents this Login Option to the user upon login and can be a descriptive name.

  6. Under Authentication Methods, click Add to add the first factor.

    1. In the Authentication Factor window, select Personal Certificate. Note that Personal Certificate must be the first authentication factor.

    2. Configure the Authentication settings.

    3. Click OK.

  7. Under Authentication Methods, click Add to add the second factor.

    1. In the Authentication Factor window, select RADIUS, SecurID, DynamicID or Username and Password.

    2. Configure the Authentication settings, if necessary.

    3. Click OK.

  8. To apply this Login Option only to the Mobile Access portal or only to Capsule Workspace on mobile devices, under Usage in Gateway, select one or both client types.

  9. Click OK.

  10. Install policy.

To use the built-in default Login Option Cert_Username_Password:

  1. Open the Security Gateway object.

  2. Select Mobile Access > Authentication.

  3. In the Multiple Authentication Clients Settings table, click Add.

  4. Select Cert_Username_Password from the list.

  5. To apply this Login Option only to the Mobile Access portal or only to Capsule Workspace on mobile devices:

    1. In the Multiple Authentication Clients Settings table, select Cert_Username_Password and click Edit.

    2. Under Usage in Gateway, select one or both client types.

  6. Click OK.

  7. Install policy.

Note - The Login Options configured in the Multiple Authentication Clients Settings list are only available to clients that support multiple login options. To see which clients support the new multiple login options, see sk111583.

Use Case: Users Selecting a Login Option on Security Gateways R80.10 and higher

When more than one Login Option is configured, and users connect with clients that support Multiple Login Options, users select a Login Option to use when they log in.

In the Mobile Access portal, in the login page, users see a drop-down list with all available login options, shown by their Display Name.

In the Capsule Workspace mobile application, users select the Login Option on the first connection to the Security Gateway. On subsequent connections, the same login option is shown automatically.