Two Factor Authentication
Check Point Captive Portal authenticates users easily with a web interface. When users try to access a protected resource, they are prompted to enter authentication credentials in a browser.
Captive Portal Two Factor Authentication adds support for an additional challenge-response authentication from the user through the RADIUS protocol.
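The challenge-response flow that the page describes, shown at the RADIUS level as an added Python example (not Check Point code and not from this page): a toy RADIUS server answers a correct password with Access-Challenge carrying a State attribute, and the portal side resubmits the one-time code together with that State. Packet layout, Response Authenticator and User-Password hiding follow RFC 2865. The shared secret, the user table and the OTP are constructed values, and the server and client classes are hypothetical stand-ins for the gateway and the RADIUS server, exchanging packets by in-process calls instead of UDP.

```python
import hashlib
import secrets
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SHARED_SECRET = b"constructed-demo-secret"  # constructed for the demo, not a real secret


def encode(code, ident, authenticator, attrs):
    """Serialize Code | Identifier | Length | Authenticator | attributes (each Type | Length | Value)."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5 over the reply with the request's Authenticator in place, then the secret (RFC 2865 section 3)."""
    return hashlib.md5(encode(code, ident, request_auth, attrs) + secret).digest()


def hide_password(password, authenticator, secret):
    """User-Password hiding (RFC 2865 section 5.2): XOR 16-byte blocks with a chained MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden, authenticator, secret):
    """Inverse of hide_password; the server uses it to recover the submitted credential."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


class TwoFactorRadiusServer:
    """Toy server: checks the password, answers Access-Challenge with State, then checks the OTP."""
    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}  # users: name -> (password, otp)

    def handle(self, packet):
        code, ident, req_auth, attrs = decode(packet)
        a = dict(attrs)
        name = a.get(USER_NAME, b"").decode()
        credential = reveal_password(a.get(USER_PASSWORD, b""), req_auth, self.secret)
        if code != ACCESS_REQUEST or name not in self.users:
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        password, otp = self.users[name]
        if STATE not in a:  # round 1: the static password gates the second factor
            if not secrets.compare_digest(password, credential):
                return self._reply(ACCESS_REJECT, ident, req_auth, [])
            token = secrets.token_bytes(16)
            self.pending[token] = name
            return self._reply(ACCESS_CHALLENGE, ident, req_auth, [(REPLY_MESSAGE, b"Enter OTP"), (STATE, token)])
        # Round 2: State must be one we issued for this user, and it is consumed on use.
        if self.pending.pop(a[STATE], None) == name and secrets.compare_digest(otp, credential):
            return self._reply(ACCESS_ACCEPT, ident, req_auth, [])
        return self._reply(ACCESS_REJECT, ident, req_auth, [])

    def _reply(self, code, ident, req_auth, attrs):
        return encode(code, ident, response_authenticator(code, ident, req_auth, attrs, self.secret), attrs)


class RadiusClient:
    """Toy portal side: sends Access-Requests and verifies Identifier and Response Authenticator."""
    def __init__(self, secret):
        self.secret, self.ident = secret, 0

    def request(self, server, name, credential, state=None):
        self.ident = (self.ident + 1) % 256
        req_auth = secrets.token_bytes(16)
        attrs = [(USER_NAME, name.encode()), (USER_PASSWORD, hide_password(credential.encode(), req_auth, self.secret))]
        if state is not None:
            attrs.append((STATE, state))
        code, ident, resp_auth, resp_attrs = decode(server.handle(encode(ACCESS_REQUEST, self.ident, req_auth, attrs)))
        expected = response_authenticator(code, ident, req_auth, resp_attrs, self.secret)
        if ident != self.ident or not secrets.compare_digest(expected, resp_auth):
            raise ValueError("reply failed the Identifier or Response Authenticator check")
        return code, dict(resp_attrs)


def two_factor_login(server, client, name, password, otp):
    """Run the full exchange and return the final RADIUS code (2 = Access-Accept)."""
    code, attrs = client.request(server, name, password)
    if code != ACCESS_CHALLENGE:
        return code
    code, _ = client.request(server, name, otp, state=attrs[STATE])
    return code


if __name__ == "__main__":
    srv = TwoFactorRadiusServer(SHARED_SECRET, {"alice": (b"correct horse", b"123456")})
    print(two_factor_login(srv, RadiusClient(SHARED_SECRET), "alice", "correct horse", "123456"))
```

Two details matter for the gateway side of this exchange: the State value from the Access-Challenge must be returned unchanged in the second Access-Request, and every reply is only accepted after its Response Authenticator is checked against the shared secret. Production RADIUS traffic additionally carries the Message-Authenticator attribute from RFC 2869; it is omitted here to keep the example short.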
Follow all the procedures below to configure Captive Portal Two Factor Authentication.
Configure a RADIUS server object in SmartConsole

- In the top left corner, click Objects > Object Explorer.
  The Object Explorer window opens.
- In the left navigation tree, click Servers.
- From the toolbar, click New > More > User/Identity > RADIUS.
- Enter a name for your designated RADIUS server.
- In the Host field, add the appropriate host object with your RADIUS server IP address.
  If the host is not yet defined, click the star icon > Host, and enter the host Name and IP Address.
- In the Version field, select the appropriate RADIUS version.
- In the Protocol field, select the appropriate authentication protocol.
- Click OK.
- Close the Object Explorer window.
- Install the Access Control Policy.

Configure Captive Portal in SmartConsole

- From the left Navigation Toolbar, click Gateways & Servers.
- Double-click the Security Gateway object.
- On the General Properties pane, select the Identity Awareness Software Blade.
  The Identity Awareness Configuration Wizard opens.
- On the Methods For Acquiring Identity wizard screen, select Browser-Based Authentication.
- Click Next.
- On the Integration With Active Directory wizard screen, select I do not wish to configure an Active Directory at this time.
- Click Next.
- On the Browser-Based Authentication Settings wizard screen, configure the accessibility settings.
- Click Next.
- Click Finish to close the Identity Awareness Configuration Wizard.
- In the left navigation tree, click Identity Awareness.
- Next to the Browser-Based Authentication check box, click Settings.
- In the Authentication Settings section, click Edit.
- In the Authentication Method section, select RADIUS, and then select the RADIUS server object you created earlier.
- In the User Directories section, select the LDAP users option if user groups are fetched directly from an LDAP server.
  If not, clear this option.
- Click OK to close the Security Gateway object properties.
- Install the Access Control Policy.

Configure a generic user profile in the Legacy SmartDashboard

- In SmartConsole, click Manage & Settings > Blades.
- In the Mobile Access section, click Configure in SmartDashboard.
- In the bottom left pane, click Users.
- In the bottom left pane, right-click an empty space below the last folder in the pane and select New > External User Profile > Match all users.
- Configure the External User Profile properties:
  - On the General Properties page:
    In the External User Profile name field, leave the default name generic*.
    In the Expiration Date field, set the applicable date.
  - On the Authentication page:
    From the Authentication Scheme drop-down list, select and configure the applicable option.
  - On the Location, Time, and Encryption pages, configure other applicable settings.
  - Click OK.
- From the top toolbar, click Update (or press Ctrl + S).
- Close SmartDashboard.
- In SmartConsole, install the Access Control Policy.

Configure Access Roles that are based on LDAP users and groups

- Make sure you have an LDAP Account Unit object for the LDAP server:
  - In SmartConsole, in the top left corner, go to Objects > Object Explorer.
    The Object Explorer window opens.
  - In the left navigation tree, click Servers, and check that an LDAP Account Unit object exists for your LDAP server.
    If not, from the toolbar, click New > More > User/Identity > LDAP Account Unit, and configure the object.
- Configure Access Roles based on LDAP users and LDAP groups.
- Install the Access Control Policy.

Configure Access Roles that are based on RADIUS groups

- Configure the Global Properties:
  - In SmartConsole, from the main menu in the top left corner, click Global properties.
    The Global Properties window opens.
  - In the left navigation tree, click Advanced > Configure.
    The Advanced Configuration window opens.
  - In the left navigation tree, click SecuRemote/SecureClient.
  - Select add_radius_groups.
  - Click OK to close the Advanced Configuration window.
  - Click OK to close the Global Properties window.
- Configure the internal user groups:
  - In the top left corner, click Objects > Object Explorer.
    The Object Explorer window opens.
  - In the left navigation tree, click Users.
  - From the toolbar, click New > User > User Group.
  - For each RADIUS group <grp> on your RADIUS server, create an internal user group named RAD_<grp> (case-sensitive). For example, for RADIUS group MyGroup, create an internal user group named RAD_MyGroup.
  - Close the Object Explorer window.
- Configure Access Roles with the internal user groups you created in the previous step.
- Install the Access Control Policy.
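The RAD_<grp> naming rule above is easy to get wrong by case alone, so here is an added Python check (not Check Point code and not from this page) that compares the group names a RADIUS server returns with the internal user groups already defined, and reports which RAD_ groups are missing and which exist only under a differently cased name. The two sample lists are constructed; in practice you would export them from your RADIUS server and from SmartConsole.

```python
RADIUS_GROUP_PREFIX = "RAD_"  # prefix the page requires for internal user groups matched to RADIUS groups


def required_internal_group(radius_group):
    """Name of the internal user group expected for a RADIUS group: RAD_<grp>, case preserved."""
    return RADIUS_GROUP_PREFIX + radius_group


def check_group_mapping(radius_groups, internal_groups):
    """Return (missing, mismatched).

    missing: required RAD_<grp> names with no internal group at all.
    mismatched: (wanted, actual) pairs where an internal group exists but differs only in case,
    which fails the case-sensitive match and so will not populate the Access Role.
    """
    exact = set(internal_groups)
    by_lower = {g.lower(): g for g in internal_groups}
    missing, mismatched = [], []
    for grp in radius_groups:
        wanted = required_internal_group(grp)
        if wanted in exact:
            continue
        actual = by_lower.get(wanted.lower())
        if actual is not None:
            mismatched.append((wanted, actual))
        else:
            missing.append(wanted)
    return missing, mismatched


# Constructed sample data: groups as reported by a RADIUS server, and internal user groups already defined.
SAMPLE_RADIUS_GROUPS = ["MyGroup", "VPN-Users", "Admins"]
SAMPLE_INTERNAL_GROUPS = ["RAD_MyGroup", "rad_vpn-users", "Finance"]

if __name__ == "__main__":
    missing, mismatched = check_group_mapping(SAMPLE_RADIUS_GROUPS, SAMPLE_INTERNAL_GROUPS)
    for name in missing:
        print(f"create internal user group {name}")
    for wanted, actual in mismatched:
        print(f"rename {actual} to {wanted}: group names are case-sensitive")
```

Run against the sample lists, it reports that RAD_Admins must be created and that rad_vpn-users must be renamed to RAD_VPN-Users; only RAD_MyGroup matches as-is.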