User Authentication in Mobile Access
User Authentication to the Mobile Access Portal
To enter the Mobile Access Portal and get access to its applications, users defined in SmartDashboard must authenticate to the Security Gateway. Authentication ensures that a user is who he or she claims to be. Users authenticate using one or more of these authentication schemes:
-
Username and password - Users enter a user name and password.
-
Client Certificates - Digital Certificates are issued by the Internal Certificate Authority or by a third party OPSEC certified Certificate Authority.
-
RADIUS Server - Remote Authentication Dial-In User Service (RADIUS) is an external authentication scheme. The Security Gateway forwards authentication requests by remote users to the RADIUS server. The RADIUS server, which stores user account information, authenticates the users. The RADIUS protocol uses UDP for communications with the Security Gateway. RADIUS Servers and RADIUS Server Group objects are defined in SmartDashboard.
For more about configuring a Security Gateway to use a RADIUS server, see the R81 Security Management Administration Guide.
-
SecurID - SecurID is a proprietary authentication method of RSA Security. An external SecurID server manages access with token codes that change at a fixed interval. Each user carries a SecurID token, a piece of hardware or software that is synchronized with the central server and displays the current code. The Security Gateway forwards authentication requests by remote users to the RSA Authentication Manager.
For more about configuring a Security Gateway to use SecurID, see the R81 Security Management Administration Guide.
-
DynamicID One Time Password - DynamicID One Time Password can be required as a secondary or later authentication method (not the first). When this is configured, users who successfully complete the first-phase or phases of authentication are challenged to enter an additional credential: a DynamicID One Time Password (OTP). The OTP is sent by email or text message to a mobile phone, or other mobile communication device.
-
Defined on user record (Legacy Authentication) - The authentication method for each user is defined on the user record. For internal users, it is in the Authentication page of the User Properties. For LDAP users, it is on the user record in LDAP.
A user who tries to authenticate with an authentication scheme that is not configured for the Mobile Access Security Gateway will not be allowed to access resources through the Security Gateway.
Note - Legacy Mobile Access Policy (configured in SmartDashboard) does not support users configured on an LDAPS server.
Image-Based RADIUS Authentication
Use Image-based RADIUS as a secondary authentication factor to authenticate to the Mobile Access Portal. It allows Mobile Access to integrate with third-party authentication services.
The images in this authentication factor are patterns of random numbers in a grid. During authentication, the user selects the numbers in the positions that correspond to a pre-selected pattern.
Configuring Image-Based RADIUS
To use image-based RADIUS as an authentication factor in Mobile Access, you have to configure RADIUS authentication with SmartConsole.
To configure Mobile Access authentication factors in SmartConsole:
-
In SmartConsole, from the Gateways & Servers tab, double-click the Security Gateway.
The Check Point Security Gateway window shows.
-
From the menu, click Mobile Access > Authentication.
-
In the Multiple Authentication Client Settings table, add a new login option.
-
Click Add > New.
The Multiple Login Options window shows.
-
In the Authentication Methods table, click Add to create Authentication Factors.
-
When the Authentication Factor window opens, click RADIUS.
-
Under Customize Display, add an appropriate description to the Headline.
Note - When you return to the Authentication Methods table, make sure RADIUS authentication is not the first factor.
-
Enabling Image-Based RADIUS on Security Gateways
To enable Image-based RADIUS, edit the configuration file $CVPNDIR/conf/cvpnd.C on each Mobile Access Security Gateway that uses Image-based RADIUS as an authentication factor.
Important - After every change to cvpnd.C, you must restart the cvpn services with the cvpnrestart command.
| Field | Description | Example |
|---|---|---|
| | Enter true to enable. Enter false to disable. If set to true, the Security Gateway treats every RADIUS authentication factor found in | |
| | List of authentication realm names, configured in SmartConsole, that contain Image-based RADIUS authentication as a secondary factor. If empty, all authentication realms that have RADIUS as a secondary authentication factor are treated as Image-based RADIUS authentication factors. | |
| | The URL of the third-party authentication service from which the user grid is fetched. Use | |
Enabling authentication of Remote Access VPN Clients on a RADIUS server over Microsoft Challenge-Handshake Authentication Protocol (MS-CHAPv2) with UPN
To enable authentication of Remote Access VPN Clients on a RADIUS server over MS-CHAPv2 with a UPN (<username>@<domain>):
Note - This feature is available starting from R81 Jumbo Hotfix Accumulator Take 77.
-
Connect to the command line on the Security Gateway (in a cluster, on each Cluster Member).
-
Log in to the Expert mode.
-
Get the current value:
ckp_regedit -p SOFTWARE/Checkpoint/VPN1 | grep --color RADIUS_MSCHAPV2_UPN
-
To enable this feature:
ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1
This command applies immediately and does not require a restart.
To disable this feature:
ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 0
Google reCAPTCHA Challenge
The reCAPTCHA service uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities. It prevents malicious logins and at the same time allows authenticated users to pass through easily.
Configure your Security Gateway with Google reCAPTCHA v2 to challenge a user upon multiple, incorrect login attempts. reCAPTCHA appears as a challenge when a user reaches the maximum number of failed attempts.
The reCAPTCHA challenge is compatible with ClusterXL and VSX.
The reCAPTCHA challenge is not supported in the Capsule Workspace.
For supported browsers, see the Google documentation.
Registering Mobile Access for reCAPTCHA on Google
To use Mobile Access with reCAPTCHA, you have to register the Mobile Access Portal FQDN with reCAPTCHA.
Go to the Google reCAPTCHA site for instructions.
Adding reCAPTCHA to the Mobile Access Portal
You have to configure the Security Gateway manually to add reCAPTCHA. To enable reCAPTCHA, the Security Gateway needs:
-
Internet connectivity
-
A DNS configured
-
Portal URL configuration with an FQDN and not an IP address
If you browse to the Portal with an IP address rather than an FQDN, you are redirected to the FQDN link.
Note - In a cluster environment, each Security Gateway has to be configured identically.
To configure the Security Gateway manually, edit the $CVPNDIR/conf/cvpnd.C file.
Important - After every change in the cvpnd.C file, you must restart the CVPN services with the cvpnrestart command.
The cvpnd.C fields for reCAPTCHA are:
| Field | Description |
|---|---|
| | Enter true to enable reCAPTCHA. Enter false to disable. |
| | Determines if reCAPTCHA shows on a re-login flow. Enter true to enable. Enter false to disable. |
| | Entrance to the Portal when the reCAPTCHA challenge is not verified. Enter true to enable. Enter false to disable. False - The user is not allowed access to the Portal. See the login log for more information. True - The user is allowed access to the Portal, and a warning that the reCAPTCHA challenge was not verified shows. See the login log for more information. |
| | The amount of time in seconds that a user in penalty is challenged with reCAPTCHA on each login until the user succeeds to log in. The default is 1800 seconds. |
| | The number of failed login attempts before reCAPTCHA shows. The default is two failed login attempts within the pre-determined time frame. Only failures within that time frame are counted; when the time frame passes, the failure counter is reset to zero. If the field is set to zero, there is a reCAPTCHA challenge on every login attempt. |
| | The site key from Google. |
| | The secret from Google. |
| | A utility page that checks the reCAPTCHA configuration and the connectivity from the Security Gateway. Enter true to enable the page. Enter false to disable the page. To see this page, go to: |
Best Practice - If you enable and configure reCAPTCHA, make sure the Capsule Workspace uses certificate authentication. reCAPTCHA is not supported in the Capsule Workspace.
When you are challenged with reCAPTCHA, the reCAPTCHA JavaScript is downloaded to your browser.
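As an added illustration (not part of the original guide and not Check Point's code), the following Python model implements the failure counting, penalty and fail-open rules the table above describes, so the effect of each setting can be checked offline before you change cvpnd.C. The class and attribute names and the 60-second counting window are assumptions; the page states defaults only for the failure threshold and the penalty time.

```python
# Added example (not Check Point's code): a model of the lockout rules the
# reCAPTCHA settings above describe. Setting and class names are assumptions;
# the counting window length is a placeholder, not a documented default.
import time
from dataclasses import dataclass, field


@dataclass
class CaptchaPolicy:
    max_failures: int = 2        # failed logins before the challenge appears (page default: 2)
    window_seconds: int = 60     # failures older than this are forgotten (assumed value)
    penalty_seconds: int = 1800  # a penalised user is challenged on every login (page default)
    fail_open: bool = False      # let an unverified challenge through with a warning


@dataclass
class LoginState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    penalty_until: float = 0.0


class CaptchaGate:
    def __init__(self, policy, now=time.time):
        self.policy = policy
        self.now = now          # injectable clock so the logic can be tested offline
        self.users = {}

    def _state(self, user):
        return self.users.setdefault(user, LoginState())

    def _prune(self, st, t):
        # Only failures inside the window count; once it passes the counter is zero again.
        st.failures = [f for f in st.failures if t - f < self.policy.window_seconds]

    def needs_captcha(self, user):
        st, t = self._state(user), self.now()
        if t < st.penalty_until:
            return True
        self._prune(st, t)
        # max_failures == 0 means a challenge on every login attempt.
        return len(st.failures) >= self.policy.max_failures

    def record_failure(self, user):
        st, t = self._state(user), self.now()
        st.failures.append(t)
        self._prune(st, t)
        if len(st.failures) >= self.policy.max_failures:
            st.penalty_until = t + self.policy.penalty_seconds

    def record_success(self, user):
        st = self._state(user)
        st.failures.clear()
        st.penalty_until = 0.0

    def decide(self, user, password_ok, captcha_result):
        """captcha_result: True = verified, False = failed, None = could not be verified
        (for example, the gateway could not reach the verification service)."""
        warning = ""
        if self.needs_captcha(user):
            if captcha_result is False:
                return "deny: captcha failed"
            if captcha_result is None:
                if not self.policy.fail_open:
                    return "deny: captcha not verified"
                warning = " (captcha not verified)"
        if not password_ok:
            self.record_failure(user)
            return "deny: bad credentials"
        self.record_success(user)
        return "allow" + warning
```

The fail-open branch is the one to think about: with it enabled, an attacker who can make the verification call fail (for example by exhausting the gateway's outbound connectivity) is back to plain password guessing, which is why the page's default of not allowing entrance is the safer choice.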
Configuring Multiple Log-in Options for Security Gateways using Database Tool (GuiDBEdit Tool)
On a Security Gateway, you can configure multiple login options for Mobile Access and IPsec VPN.
The options can be different for each Security Gateway and each supported Software Blade, and for some client types. Users select one of the available options to log in with a supported client.
To see which clients support the new multiple login options, see sk111583.
Each configured login option is a global object that can be used with multiple Security Gateways and the Mobile Access and IPsec VPN Software Blades.
Compatibility with Older Clients
If you upgrade all or most clients to versions that support multiple login options, you can block older clients from connecting. After you do this, only clients that support multiple login options can connect to the Security Gateway.
By default, Allow older clients to connect to this gateway is selected in Mobile Access > Authentication. If you clear the option, older clients are blocked.
You can choose if newer clients that support multiple login options can connect with the authentication settings defined for older clients.
Configuring the Authentication Method for Newer Clients
To block newer clients from using the authentication method defined for older clients:
-
In the Gateway Properties, select Mobile Access > Authentication or VPN Clients > Authentication.
-
In the Compatibility with Older Clients section, click Settings.
The Single Authentication Clients Settings window opens.
-
Clear Allow newer clients that support Multiple Login Options to use this authentication method.
-
Click OK.
-
Install policy.
To let newer clients connect to the Security Gateway with the authentication settings defined for older clients:
Select Allow newer clients that support Multiple Login options to use this authentication method.
Configuring Authentication Settings for Older Clients
To let older clients connect to the Security Gateway:
-
In the Gateway Properties, select Mobile Access > Authentication or VPN Clients > Authentication.
-
Select Allow older clients to connect to this gateway.
If this is not selected, older clients cannot connect to the Security Gateway.
To change the authentication method for older clients:
-
In the Gateway Properties, select Mobile Access > Authentication or VPN Clients > Authentication.
-
In the Compatibility with Older Clients section, click Settings.
The Single Authentication Clients Settings window opens.
-
Change the Display Name to change the way the authentication method is shown in SmartConsole.
-
Select an Authentication method.
-
Click Customize to change the description of fields that are shown to users in the login window. See the "Customize Display Settings" section.
-
To require DynamicID with the selected authentication method, select Enable DynamicID. After you select this, you must configure the DynamicID settings for the Security Gateway from Authentication > DynamicID Settings > Edit.
-
Define the settings for Capsule Workspace:
-
Select Require client certificate to require Capsule Workspace to always use client certificates.
-
Select Allow DynamicID to require DynamicID in addition to the selected authentication method. After you select this, you must configure the DynamicID settings for the Security Gateway from Authentication > DynamicID Settings > Edit.
-
-
Click OK.
-
Click OK.
-
Install policy on the Security Gateway.
To configure global DynamicID settings that all Security Gateways use:
-
For each Security Gateway, in Gateway Properties > Mobile Access > Authentication > DynamicID Settings, select Use Global Settings.
-
In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.
SmartDashboard opens and shows the Mobile Access tab.
-
Configure the global settings in Mobile Access tab > Authentication > Two-Factor Authentication with DynamicID.
-
Close SmartDashboard.
-
In SmartConsole, install policy on the Security Gateway.
Configuring Multiple Log-in Options
You can configure login options from:
-
Gateway Properties > Mobile Access > Authentication
-
Gateway Properties > VPN Clients > Authentication
-
SmartDashboard > Mobile Access tab > Authentication
The login options selected for Mobile Access clients, such as the Mobile Access Portal and Capsule Workspace, show in the Mobile Access > Authentication page in the Multiple Authentication Client Settings table.
The login options selected for VPN clients, such as Endpoint Security VPN, Check Point Mobile for Windows, and SecuRemote, show in the VPN Clients > Authentication page in the Multiple Authentication Client Settings table.
To configure multiple login options for Mobile Access Clients:
-
From the Gateway Properties tree of a Security Gateway, select Mobile Access > Authentication.
-
In the Multiple Authentication Clients Settings table, see a list of configured login options.
The default login options are:
-
Personal_Certificate - Require a user certificate.
-
Username_Password - Require a username and password.
Important - As a best security practice, Check Point recommends to configure another authentication method in addition to username and password. In the next step, click Edit and configure at least one additional authentication method.
-
Cert_Username_Password - Require a username and password and a user certificate.
-
-
Click Add to create a new option or Edit to change an option. Each configured login option is a global object that can be used with multiple Security Gateways and Software Blades.
-
For each login option select one or more Authentication Factors and relevant Authentication Settings.
For example, if you select SecurID, select the SecurID Server and Token Card Type. If you select Personal Certificate, select which certificate field the Security Gateway uses to fetch the username. See the "Certificate Parsing" section.
-
Select Customize Display to configure what users see when they log in with this option. See the "Customize Display Settings" section.
-
Click OK.
-
Use the Up and Down arrows to set the order of the login options.
-
If you include Personal Certificates, it must be first.
-
If you include DynamicID, it cannot be first.
-
-
On each Login Option > Usage in Gateway, select if the login option is available from:
-
The Mobile Access Portal
-
Capsule Workspace
-
-
Click OK.
Selecting a Client for a Login Option
For login options created from the Mobile Access > Authentication page, you can select if the login option is available for the Mobile Access Portal, Capsule Workspace, or both.
The login option will only be visible for the clients that you select.
Customize Display Settings
Enter descriptive values to make sure that users understand what information to input. These fields must all be the same language but they do not need to be in English.
-
Headline - The title of the login option, for example, Log in with a Certificate or Log in with your SecurID Pinpad.
-
Username label - A description of the username that users must enter, for example, Email address or AD username.
-
Password label - A description of the password that users must enter, for example, AD password.
Certificate Parsing
When you select Personal Certificate as a Login option, you can also configure which certificate field the Security Gateway uses to fetch the username for the LDAP lookup. The default is the DN. You can configure the settings to use the user's email address or the certificate serial number instead.
To change the certificate parsing:
-
In the Multiple Authentication Clients Settings table on the Authentication page, select a Personal_Certificate entry and click Edit.
The Authentication Factor window opens.
-
In the Authentication Settings area in the Fetch Username from field, select the information that the Security Gateway uses to parse the certificate.
-
Click OK.
-
Install policy.
Deleting Login Options
To permanently delete a Login option:
-
In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.
-
In SmartDashboard go to the Mobile Access tab > Authentication page.
-
From the list of login options, select an option and click Delete.
Viewing all Authentication Settings
To see all Security Gateways and their authentication settings:
-
In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.
-
In SmartDashboard go to the Mobile Access tab.
-
From the tree, select Gateways.
-
Click a Security Gateway to see its authentication settings.
Multi-Factor Authentication with DynamicID
Multi-factor authentication is a system where two or more different methods are used to authenticate users. Using more than one factor delivers a higher level of authentication assurance. DynamicID is one option for multi-factor authentication.
Users who successfully complete the first-phase authentication can be challenged to provide an additional credential: a DynamicID One Time Password (OTP). The OTP is sent to their mobile communications device (such as a mobile phone) via SMS or directly to their email account.
DynamicID is supported for all Mobile Access and IPsec VPN clients.
How DynamicID Works
When logging in to the Mobile Access Portal, users see an additional authentication challenge such as:
Please type the verification code sent to your phone.
Users enter the one time password that is sent to the configured phone number or email address and they are then admitted to the Mobile Access Portal.
On the User Portal sign in screen, the I didn't get the verification code link shows. If the user does not receive an SMS or email with the verification code within a short period of time, the user can click that link to receive options for resending the verification code.
Administrators can allow users to select a phone number or email address from a list. Only some of the phone number digits are revealed. Users can then select the correct phone number or email address from the list and click Send to resend the verification code. By default, users can request to resend the message three times before they are locked out of the Portal.
Match Word
The Match Word feature ensures that users can identify the correct DynamicID verification code in situations when they may receive multiple messages. Users are provided with a match word on the Login page that will also appear in the correct message. If users receive multiple SMS messages, they can identify the correct one, as it will contain the same match word.
The SMS Service Provider
If the Security Gateway reaches the SMS service provider through a proxy, configure the proxy in Gateway Properties > Network Management > Proxy.
To configure the proxy settings on the Security Gateway:
-
In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
The Security Gateway window opens and shows the General Properties page.
-
From the navigation tree, click Network Management > Proxy.
-
Define the Proxy settings.
If no proxy is defined on this page, no proxy is used for the SMS provider.
Whichever provider you work with, in order for the SMS messages to be sent to users, valid account details must be obtained from the provider and be configured in Mobile Access.
DynamicID Authentication Granularity
You can make multi-factor authentication with DynamicID a requirement to log in to the Security Gateway. Alternatively, you can make DynamicID a requirement to access specified applications. This flexibility gives you different security clearance levels.
To make multi-factor authentication with DynamicID a requirement to access specified applications, configure a Protection Level to require multi-factor authentication, and associate the Protection Level with Mobile Access applications (see the "Two-Factor Authentication per Application" section).
In an environment with multiple Mobile Access Security Gateways, to make multi-factor authentication a requirement on one specified Security Gateway only, configure multi-factor authentication for that Security Gateway.
DynamicID authentication can be part of a login option that is required for the Mobile Access Portal or Capsule Workspace, or both.
Basic DynamicID Configuration for SMS or Email
The workflow for basic configuration of two-factor authentication via DynamicID is:
-
Obtain the SMS provider credentials and/or email settings.
Get these required SMS service provider settings from your SMS provider.
-
A URL in the format specified by the SMS provider or a valid email address.
-
Account credentials:
-
User name
-
Password
-
API ID (optional and may be left empty)
Note - If DynamicID is configured to work with email only, an SMS Service Provider is not necessary.
-
-
-
Configure the Phone Directory
The default phone number and email search method is that the Security Gateway searches for phone numbers or email addresses in user records on the LDAP account unit, and then in the phone directory on the local Security Gateway. If the phone number configured is actually an email address, an email will be sent instead of an SMS message. The phone number and email search method can be changed in the Phone Number or Email Retrieval section of the Two-Factor Authentication with DynamicID - Advanced window.
Configuring Phone Numbers or Email Addresses in LDAP
If users authenticate via LDAP, configure the list of phone numbers on LDAP by defining a phone number or email address for each user. By default, Mobile Access uses the Mobile field in the Telephones tab. If the phone number configured is actually an email address, an email will be sent instead of an SMS message.
Configuring Phone Numbers or Email Addresses on Each Security Gateway
Configure the list of phone numbers or email addresses on each Mobile Access Security Gateway. For a Mobile Access cluster, configure the directory on each cluster member.
To configure a list of phone numbers on a Security Gateway:
-
Connect to the command line on the Mobile Access Security Gateway using a secure console connection.
-
Log in to the Expert mode.
-
Back up the $CPDIR/conf/dynamic_id_users_info.lst file.
Note - If this file does not yet exist, create it.
-
Edit the $CPDIR/conf/dynamic_id_users_info.lst file.
-
Add a list of user names and phone numbers, and/or email addresses.
The list must be followed by a blank line. Use this syntax:
<Username or Full DN> <Phone number or Email address>
| Parameter | Meaning |
|---|---|
| <Username> or <Full DN> | Either a user name or, for users that log in using a certificate, the full DN of the certificate. |
| <Phone number> | All printable characters can be used in the phone number, except the space character, which is not allowed. Only the digits are relevant. |
| <Email address> | A valid email address in the format user@domain.com |
Examples of acceptable ways to enter users and their phone numbers or email addresses in $CPDIR/conf/dynamic_id_users_info.lst:
bob +044-888-8888
jane.tom@domain.com
CN=tom,OU=users,O=example.com +044-7777777
CN=mary,OU=users,O=example.com +mary@domain.com
Configuring Multiple Phone Numbers
You can let users choose from multiple phone numbers when resending the verification code.
To configure choice of numbers:
Edit the configuration file $CPDIR/conf/dynamic_id_users_info.lst on the Security Gateway.
-
Enter one number in the LDAP directory in the Mobile field and one or more phone numbers in configuration file.
-
Enter multiple phone numbers separated by white space in the configuration file.
For example:
user_a 917-555-5555 603-444-4444
Note - If the configuration file $CPDIR/conf/dynamic_id_users_info.lst does not yet exist, create it.
-
-
Perform basic configuration of DynamicID in SmartDashboard
Configure the Authentication settings to make two-factor authentication necessary for all mobile devices.
This table explains the parameters used in the SMS Provider and Email Settings field. The value of each parameter is substituted automatically when the SMS or email is sent.
| Parameter | Meaning |
|---|---|
| $APIID | The API ID of the SMS provider account. |
| $USERNAME | The username for the SMS provider. |
| $PASSWORD | The password for the SMS provider. |
| $PHONE | The user's phone number, as found in Active Directory or in the local file on the Security Gateway, digits only and without a + sign. |
| $EMAIL | The email address of the user as found in Active Directory or in the local file $CPDIR/conf/dynamic_id_users_info.lst on the Security Gateway. If the email address should be different from the listed one, it can be written explicitly. If the file does not exist, create it. |
| $MESSAGE | The message configured in the Advanced Two-Factor Authentication Configuration Options in SmartDashboard. |
| $RAWMESSAGE | The text from $MESSAGE, but without HTTP encoding. |
Configuring DynamicID settings in SmartDashboard for all Security Gateways
-
In SmartConsole, select Security Policies > Shared Policies > Mobile Access.
Click Open Mobile Access Policy in SmartDashboard.
SmartDashboard opens and shows the Mobile Access tab.
-
From the navigation tree, click Authentication.
-
From the Dynamic ID Settings section, click Edit.
-
Select Challenge users to provide the DynamicID one time password.
-
Fill in the SMS Provider and Email Settings field using one of these formats:
-
To let the DynamicID code be delivered by SMS only, use the following syntax:
https://api.example.com/http/sendmsg?api_id=$APIID&user=$USERNAME&password=$PASSWORD&to=$PHONE&text=$MESSAGE
-
To let the DynamicID code be delivered by email only, without an SMS service provider, use one of these:
-
For SMTP protocol:
mail:TO=$EMAIL;SMTPSERVER=smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE
-
For SMTPS protocol on port 465:
mail:TO=$EMAIL;SMTPSERVER=smtps://username:password@smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE
-
For SMTP protocol with STARTTLS:
mail:TO=$EMAIL;SSL_REQUIRED;SMTPSERVER=smtp://username:password@smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE
-
For SMTP protocol on port 587 with STARTTLS:
mail:TO=$EMAIL;SSL_REQUIRED;SMTPSERVER=smtp://username:password@smtp.example.com:587;FROM=sslvpn@example.com;BODY=$RAWMESSAGE
-
-
To let the DynamicID code be delivered by SMS or email, use the following syntax:
sms:https://api.example.com/sendsms.php?username=$USERNAME&password=$PASSWORD&phone=$PHONE&smstext=$MESSAGE mail:TO=$EMAIL;SMTPSERVER=smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE
Note - If the SMTP username or password contains special characters, replace each one with its percent-encoded value:
| Character | Encoded |
|---|---|
| ! | %21 |
| # | %23 |
| $ | %24 |
| % | %25 |
| & | %26 |
| ' | %27 |
| ( | %28 |
| ) | %29 |
| * | %2A |
| + | %2B |
| , | %2C |
| / | %2F |
| : | %3A |
| ; | %3B |
| = | %3D |
| ? | %3F |
| @ | %40 |
| [ | %5B |
| ] | %5D |
-
-
In the SMS Provider Account Credentials section, enter the credentials received from the SMS provider:
-
Username
-
Password
-
API ID (optional)
-
-
For additional configuration options, click Advanced.
-
Click OK.
-
Click Save and then close SmartDashboard.
-
In SmartConsole, install policy.
Configuring the Mobile Access Security Gateway to let computers and devices use DynamicID
-
In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
The Security Gateway window opens and shows the General Properties page.
-
From the navigation tree, click Mobile Access > Authentication.
-
In the Two-Factor Authentication section, configure these settings:
-
For a Security Gateway that uses the global authentication settings, select Global settings.
-
For a Security Gateway that uses different authentication settings, select Custom settings.
-
For mobile devices, select Allow DynamicID for mobile devices.
-
-
Click OK.
-
Install the policy.
-
-
Test DynamicID Two-Factor Authentication
-
Browse to the URL of the Mobile Access Portal.
-
Log in as a user.
-
Supply the Security Gateway authentication credentials.
-
Wait to receive the DynamicID code on your mobile communication device or check your email.
-
Enter the DynamicID code in the portal.
Make sure that you are logged in to the Mobile Access Portal.
-
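As an added example, not code from the guide or from Check Point, here is how the provider string syntax above (the sms: URL, the mail: spec and the combined form) can be expanded for one user, applying the percent-encoding table to SMTP credentials embedded in the SMTPSERVER URL. The setting, account and user values are constructed, the function names are assumptions, and the gateway's own placeholder handling is not documented on this page.

```python
# Added example (not Check Point's code): expand the "sms:" / "mail:" provider
# setting for one user, with the percent-encoding rules from the table applied
# to SMTP credentials. Setting, account and user values are constructed.
import re
from urllib.parse import quote

PLACEHOLDER = re.compile(r"\$([A-Z]+)")


def encode_credential(value):
    """Percent-encode an SMTP username or password as the table requires
    ('@' -> %40, ':' -> %3A, ...). quote(safe='') encodes every reserved character."""
    return quote(value, safe="")


def smtp_url(user, password, host, port=None, scheme="smtp"):
    """Build the SMTPSERVER value with encoded credentials embedded in the URL."""
    netloc = f"{encode_credential(user)}:{encode_credential(password)}@{host}"
    if port:
        netloc += f":{port}"
    return f"{scheme}://{netloc}"


def split_channels(setting):
    """'sms:<url> mail:<spec>' -> {'sms': url, 'mail': spec}; either may be absent.
    The parts are separated by whitespace, so neither may contain spaces."""
    channels = {}
    for token in setting.split():
        kind, sep, value = token.partition(":")
        if not sep or kind not in ("sms", "mail"):
            raise ValueError(f"unknown channel prefix in {token!r}")
        channels[kind] = value
    return channels


def parse_mail_spec(spec):
    """'TO=a;SSL_REQUIRED;SMTPSERVER=...' -> dict; bare tokens become True flags.
    Parse before expansion, because an expanded BODY may itself contain ';'."""
    fields = {}
    for item in spec.split(";"):
        key, sep, value = item.partition("=")
        fields[key] = value if sep else True
    return fields


def expand(template, values):
    """Substitute $NAME placeholders; an unknown name is an error, not left in place."""
    def sub(m):
        name = m.group(1)
        if name not in values:
            raise ValueError(f"unknown placeholder ${name}")
        return values[name]
    return PLACEHOLDER.sub(sub, template)


def render_for_user(setting, account, phone, email, message):
    """Produce the concrete SMS URL and mail spec for one delivery.
    $MESSAGE is URL-encoded for a query string; $RAWMESSAGE is the plain text.
    The SMS account values are inserted as given; encoding them is up to the
    provider's API, the table above covers SMTP credentials only."""
    values = {
        "APIID": account.get("api_id", ""),
        "USERNAME": account["username"],
        "PASSWORD": account["password"],
        "PHONE": phone,      # digits only, no '+' (see the $PHONE row above)
        "EMAIL": email,
        "MESSAGE": quote(message, safe=""),
        "RAWMESSAGE": message,
    }
    return {kind: expand(tpl, values) for kind, tpl in split_channels(setting).items()}


# Constructed setting in the documented syntax: SMS and email, STARTTLS on port 587.
SETTING = (
    "sms:https://api.example.com/sendsms.php?username=$USERNAME&password=$PASSWORD"
    "&phone=$PHONE&smstext=$MESSAGE "
    "mail:TO=$EMAIL;SSL_REQUIRED;SMTPSERVER="
    + smtp_url("svc", "p@ss:w0rd!", "smtp.example.com", 587)
    + ";FROM=sslvpn@example.com;BODY=$RAWMESSAGE"
)
```

Because the SMTP credentials end up inside a URL that the gateway stores in its database, encoding them with quote(safe="") rather than by hand avoids the common mistake of leaving an unencoded "@" or ":" that then shifts the host boundary of the URL.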
Advanced Two-Factor Authentication Configuration
To configure settings for a specified Security Gateway:
-
In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
The Security Gateway window opens and shows the General Properties page.
-
From the navigation tree, click Mobile Access > Authentication.
-
From the Two-Factor Authentication with DynamicID section, click Custom settings for this gateway.
-
Click Configure.
The Two-Factor Authentication with DynamicID window opens.
To configure global settings for all the Security Gateways:
-
In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.
SmartDashboard opens and shows the Mobile Access tab.
-
From the navigation tree, click Authentication.
-
From the DynamicID Settings section, click Edit.
-
Click Advanced.
The Two-Factor Authentication with DynamicID window opens.
DynamicID Message
-
Message text to be sent to the user
By default, the text of the message is "Mobile Access DynamicID one time password:". The message can contain the template fields shown in the following table to include the user's name and prompt users to enter a One Time Password.
For example, the message could say: $NAME, use the verification code $CODE to enter the portal.
Parameter
Meaning
$NAME
User name used in the first phase of authentication to the portal.
$CODE
Replaced with the One Time Password.
By default, $CODE is added to the end of the message.
DynamicID Settings
-
Length of one time password - By default, it is 6 digits.
-
One time password expiration (in minutes) - By default, it is 5 minutes. Ensure there is a reasonably sufficient time for the message to arrive at the mobile communication device or email account, for the user to retrieve the password, and to type it in.
-
Number of times users can attempt to enter the one time password before the entire authentication process restarts - By default, the user has 3 tries.
Display User Details
-
In the portal, display the phone number or email address that received the DynamicID - By default, the phone number to which the SMS message was sent is not shown.
Country Code
-
Default country code for phone numbers that do not include country code - The default country code is added if the phone number stored on the LDAP server or on the local file on the Security Gateway starts with 0.
Phone Number or Email Retrieval
-
Active Directory and Local File
Try to retrieve the user details from the Active Directory user record. If unsuccessful, retrieve from the local file on the Security Gateway.
The LDAP account unit is defined in the Users and Authentication > Authentication > LDAP Account Units page of the SmartDashboard Mobile Access tab.
The local phone directory on the Security Gateway is in the $CPDIR/conf/dynamic_id_users_info.lst file.
Note - If this file does not exist yet, create it.
-
Active Directory Only
Retrieve phone numbers from Active Directory user record without using the local file on the Security Gateway.
The LDAP account unit is defined in the Users and Authentication > Authentication > LDAP Account Units page of the SmartDashboard Mobile Access tab.
-
Local File Only
Retrieve the user details from the local file on the Security Gateway.
The local phone directory on the Security Gateway is in the $CPDIR/conf/dynamic_id_users_info.lst file.
Note - If this file does not exist yet, create it.
Configuring Resend Verification and Match Word
The DynamicID troubleshooting and match word features are configured in Database Tool (GuiDBEdit Tool) (see sk13009) or dbedit (see sk13301).
The Database Tool (GuiDBEdit Tool) table to edit depends on the Two Factor Authentication with SMS One Time Password (OTP) setting that you configured in SmartDashboard in the Mobile Access Gateway Properties > Authentication.
-
If your DynamicID One Time Password settings are global across all of your Security Gateways (use the global settings configured in the Mobile Access tab is selected), in the Database Tool (GuiDBEdit Tool) select Other > Mobile Access Global Properties.
-
If your DynamicID One Time Password settings are configured for a specific Security Gateway (this Security Gateway has its own two-factor authentication settings is selected), in the Database Tool (GuiDBEdit Tool) select network_objects and then select the specific Security Gateway you want to edit.
This table shows the DynamicID features that can be configured, and where in Database Tool (GuiDBEdit Tool) to configure them.
Feature | Attributes to Edit | Values and their Descriptions
---|---|---
Match Word | | true: match word provided; false: match word not provided (default)
Resend message | | true: enable resend SMS feature (default); false: disable resend SMS feature
Display multiple phone numbers | | true: enable option to choose from multiple phone numbers or email addresses when resending the verification code (default); false: one phone number or email address from the LDAP server or local file is used automatically without choice
Conceal displayed phone numbers | Edit these attributes: and | For the first attribute: true: conceal part of the phone number or email address (default); false: display the full phone number or email address. For the second attribute: 1-20: the number of digits to reveal (default is 4)
After editing the values in the Database Tool (GuiDBEdit Tool):
-
Save all changes: File menu > Save All.
-
Close the Database Tool (GuiDBEdit Tool).
-
Open SmartConsole.
-
Install the Access Control policy on the Security Gateway.
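The DynamicID Message, DynamicID Settings and Conceal displayed phone numbers options above describe a small policy: a template with $NAME and $CODE fields, a numeric code of a configured length, an expiration in minutes, a limited number of entry attempts, and partial masking of the contact that received the code. The following Python model is an added example written for this page; it is not Check Point code and does not read any gateway file. The defaults (6 digits, 5 minutes, 3 tries, 4 revealed digits) come from the page; the way the default country code replaces a leading 0, and the masking of the local part of an email address, are assumptions labelled in the code.

```python
import secrets
import string
import time
from dataclasses import dataclass

# Default message text from the DynamicID Message section.
DEFAULT_MESSAGE = "Mobile Access DynamicID one time password:"


def render_message(template: str, name: str, code: str) -> str:
    """Fill in the $NAME / $CODE template fields.

    The page states that $CODE is added to the end of the message by
    default, so a template that omits it still delivers the code.
    """
    if "$CODE" not in template:
        template = template + " $CODE"
    return template.replace("$NAME", name).replace("$CODE", code)


def normalize_phone(number: str, default_country_code: str) -> str:
    """Apply the default country code to numbers that start with 0.

    Assumption (not stated on the page): the leading 0 is a national
    trunk prefix and is replaced by the country code.
    """
    number = "".join(ch for ch in number if ch.isdigit() or ch == "+")
    if number.startswith("0"):
        return default_country_code + number[1:]
    return number


def _mask_tail(value: str, reveal: int) -> str:
    hidden = max(len(value) - reveal, 0)
    return "*" * hidden + value[hidden:]


def conceal_contact(contact: str, reveal: int = 4, conceal: bool = True) -> str:
    """Mask a phone number or email address, revealing only the last
    `reveal` characters (1-20, default 4). Masking only the local part
    of an email address is an assumption about the display format."""
    if not conceal:
        return contact
    if not 1 <= reveal <= 20:
        raise ValueError("reveal must be between 1 and 20")
    if "@" in contact:
        local, domain = contact.split("@", 1)
        return _mask_tail(local, reveal) + "@" + domain
    return _mask_tail(contact, reveal)


@dataclass
class Challenge:
    user: str
    code: str
    issued_at: float
    expires_at: float
    max_tries: int
    tries: int = 0


class DynamicIdPolicy:
    """Issues and verifies one time passwords under the DynamicID Settings:
    code length, expiration in minutes and number of entry attempts."""

    def __init__(self, length=6, expiry_minutes=5, max_tries=3, clock=time.time):
        self.length = length
        self.expiry_s = expiry_minutes * 60
        self.max_tries = max_tries
        self.clock = clock  # injectable so expiry can be tested without waiting

    def issue(self, user: str) -> Challenge:
        # secrets, not random: the code is an authentication factor.
        code = "".join(secrets.choice(string.digits) for _ in range(self.length))
        now = self.clock()
        return Challenge(user, code, now, now + self.expiry_s, self.max_tries)

    def verify(self, challenge: Challenge, entered: str) -> str:
        """Returns 'ok', 'expired', 'wrong' or 'restart' (tries exhausted,
        the entire authentication process must start again)."""
        if self.clock() > challenge.expires_at:
            return "expired"
        if challenge.tries >= challenge.max_tries:
            return "restart"
        challenge.tries += 1
        if secrets.compare_digest(challenge.code.encode(), entered.encode()):
            return "ok"
        if challenge.tries >= challenge.max_tries:
            return "restart"
        return "wrong"
```

A real deployment keeps the challenge server-side and never echoes the code; the `render_message` output is what goes to the SMS provider or mail relay, and `conceal_contact` is what the portal may show the user.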
Configuring the Number of Times Messages are Resent
By default, users can request to resend the verification code message three times by clicking the I didn't get the verification code link before they are locked out of the Mobile Access Portal. The number of times the message can be resent is configured using the cvpnd_settings command from the Mobile Access CLI in expert mode.
The instructions below relate to actually resending the verification code message. The number of times users can try to input the verification code is configured in SmartDashboard in the Two Factor Authentication Advanced window.
To change the number of times the verification code message can be resent to 5, run this command in the Expert mode on the Security Gateway:
|
You can replace "5" with any other number to configure a different amount of retries.
After making the changes, run the "cvpnrestart" command to activate the settings.
If the Mobile Access Security Gateway is part of a cluster, be sure to make the same changes on each cluster member.
Two-Factor Authentication per Security Gateway
To configure two-factor authentication "Globally on, with custom settings per Security Gateway":
-
Set up basic two-factor authentication.
-
For each Security Gateway, in the Security Gateway Properties, go to Gateway Properties > Mobile Access > Authentication.
-
Configure one of these options:
-
To use the global settings - Select Global settings and the global settings are used from the Authentication to Gateway page of the Mobile Access tab. This is the default.
-
To turn off two-factor authentication for the gateway - Select Custom Settings for this Gateway and click Configure. In the window that opens, do not select the check box. This turns off two-factor authentication for this Security Gateway.
-
To activate two-factor authentication for the gateway with custom settings - Select Custom Settings for this Gateway and click Configure. In the window that opens, select the check box. You must then configure custom SMS Provider Credentials for this Security Gateway. Optionally, configure Advanced options.
-
-
Repeat step 2 and step 3 for all other Security Gateways.
-
Install the Access Control policy.
Two-Factor Authentication per Application
To configure two-factor authentication per application:
-
In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.
SmartDashboard opens and shows the Mobile Access tab.
-
Configure basic two-factor authentication (see Basic DynamicID Configuration for SMS or Email).
-
Configure the phone directory.
-
Configure the application settings in Mobile Access tab > Authentication.
-
Configure the Mobile Access Security Gateways to let the mobile devices use DynamicID.
-
-
Configure the Mobile Access Applications.
-
In the Protection Level window, from the navigation tree click Authentication.
-
Select User must successfully authenticate via SMS.
-
Click OK.
-
-
Assign the protection level to the Mobile Access applications that require it.
-
Click Save and then close SmartDashboard.
-
In SmartConsole, install the Access Control policy.
Changing the SMS Provider Certificates and Protocol
By default, Mobile Access communicates with the SMS provider over the secure HTTPS protocol, and this is the recommended setting. Mobile Access also validates the provider server certificate using a predefined bundle of trusted CAs.
If your SMS provider uses a non-trusted server certificate you can do one of the following:
-
Add the server certificate issuer to the trusted CA bundle in $CVPNDIR/var/ssl/ca-bundle/ and run this command in the Expert mode: $CVPNDIR/bin/rehash_ca_bundle
-
Ignore the server certificate validation by editing the $CVPNDIR/conf/cvpnd.C file and replacing the "SmsWebClientProcArgs" value with ("-k").
If your SMS provider is working with the non-secure HTTP protocol, edit the $CVPNDIR/conf/cvpnd.C file and replace the "SmsWebClientProcArgs" value with ("").
How the Security Gateway Searches for Users
If you configure authentication for a blade from the main Security Gateway Legacy Authentication page, the Security Gateway searches for users in a standard way when they try to authenticate.
The Security Gateway searches in this order:
-
The internal users database.
-
If the specified user is not defined in this database, the Security Gateway queries the User Directory (LDAP) servers defined in the Account Unit one at a time, according to their priority.
If more than one Account Unit exists, the Security Gateway searches all of them at the same time. With multiple servers, the priority can be set only within one Account Unit, not between several Account Units.
-
If the information still cannot be found, the Security Gateway uses the external users template to see if there is a match against the generic profile. This generic profile has the default attributes applied to the specified user.
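The three-stage search order above (internal database, then every Account Unit at the same time with priority applying only to the servers inside one unit, then the external users template) as an added Python model. This is example code written for this page, not Check Point's implementation: the "servers" are constructed in-memory dictionaries standing in for LDAP, and when two Account Units both hold the user the example returns the first in configured order, which is an assumption the page does not settle.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LdapServer:
    name: str
    priority: int                                # lower value = queried first in its Account Unit
    users: dict = field(default_factory=dict)    # constructed stand-in for the directory


@dataclass
class AccountUnit:
    name: str
    servers: list


@dataclass
class Match:
    source: str        # where the user was found
    attributes: dict


def search_account_unit(username: str, unit: AccountUnit) -> Optional[Match]:
    """Query one Account Unit's servers one at a time, by priority."""
    for server in sorted(unit.servers, key=lambda s: s.priority):
        if username in server.users:
            return Match(f"ldap:{unit.name}/{server.name}", server.users[username])
    return None


def find_user(username: str, internal_db: dict, account_units: list,
              external_template: Optional[dict]) -> Optional[Match]:
    # 1. The internal users database.
    if username in internal_db:
        return Match("internal", internal_db[username])
    # 2. All Account Units are searched at the same time; priority only
    #    orders the servers inside each unit, never across units.
    if account_units:
        with ThreadPoolExecutor(max_workers=len(account_units)) as pool:
            results = list(pool.map(lambda u: search_account_unit(username, u), account_units))
        for hit in results:      # assumption: first configured unit wins on a tie
            if hit is not None:
                return hit
    # 3. The external users template supplies the generic profile's default attributes.
    if external_template is not None:
        return Match("external_template", {**external_template, "name": username})
    return None
```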
Session Settings
To open the Session window:
-
In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.
SmartDashboard opens and shows the Mobile Access tab.
-
From the navigation tree, click Additional Settings > Session.
Simultaneous Logins to the Mobile Access Portal
Having a single user logged in to Mobile Access more than once, from two different locations for example, is a potential security issue.
Simultaneous login prevention enables a Security Gateway to automatically disconnect a remote user who is logged in more than once.
When simultaneous login prevention is enabled, and a user's authentication information is used to log in from two different computers, only the later login is considered legitimate, and the earlier session is logged out.
Note - The Simultaneous Login is not supported for the SNX client when the Office Mode Method is configured to allocate IP addresses from the
Configuring Simultaneous Login Prevention
Simultaneous login prevention is configured in SmartDashboard from the Mobile Access tab by selecting Additional Settings > Session.
The options are:
-
User is allowed several simultaneous logins to the Portal
Simultaneous login detection is enabled. This is the default option.
-
User is allowed only a single login to the portal
Inform user before disconnecting his previous session (option is not selected)
The earlier user is disconnected and the later user is allowed. The earlier user is logged out. For Mobile Access Portal users, the following message appears:
"Your Mobile Access session has timed out. would you like to sign in again now?". The later user is not informed that an earlier user is logged in.
-
User is allowed only a single login to the portal (option selected)
Inform user before disconnecting his previous session (option selected)
The later user is informed that an earlier user is logged in, and is given the choice of canceling the login and retaining the existing session, or logging in and terminating the existing session. If the existing session is terminated, the user is logged out with the message:
"Your Mobile Access session has timed out. would you like to sign in again now?".
Tracking of Simultaneous Logins
To track simultaneous login events, select All Events in the Tracking section of the Additional Settings > Session page.
When the Security Gateway disconnects a user, the Security Gateway records a log of the disconnection, containing the connection information of both logins.
All disconnect and connect events create a corresponding entry in the traffic log. The following values of the authentication status field relate to simultaneous logins:
-
Success - User successfully logged in. Existing active sessions were terminated.
-
Inactive - User successfully authenticated, but existing sessions need to be terminated prior to logging on.
-
Disconnected - An existing user session has been terminated because the same user has logged on to another session.
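The behaviour of the Session page options and the three authentication status values above, as an added Python model. This is example code for this page, not the gateway's session logic: it keeps an in-memory session list, and the prompt the later user sees when "Inform user before disconnecting his previous session" is selected is represented by the `terminate_existing` argument (None = not answered yet). The log entries carry the source addresses of both logins, as the page says the disconnection log does.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass
class Session:
    sid: int
    user: str
    source_ip: str
    active: bool = True


@dataclass
class LogEntry:
    status: str          # Success / Inactive / Disconnected
    user: str
    source_ip: str       # login this entry is about
    other_ip: str = ""   # the other login involved, when any


class PortalSessions:
    """Models 'User is allowed only a single login to the portal' and
    'Inform user before disconnecting his previous session'."""

    def __init__(self, single_login: bool = False, inform_user: bool = False):
        self.single_login = single_login
        self.inform_user = inform_user
        self.sessions: list = []
        self.log: list = []
        self._ids = count(1)

    def active_for(self, user: str) -> list:
        return [s for s in self.sessions if s.user == user and s.active]

    def login(self, user: str, source_ip: str,
              terminate_existing: Optional[bool] = None) -> Optional[Session]:
        existing = self.active_for(user)
        if not self.single_login or not existing:
            return self._open(user, source_ip)
        if self.inform_user:
            if terminate_existing is None:
                # Authenticated, but the earlier session must be dealt with first.
                self.log.append(LogEntry("Inactive", user, source_ip, existing[0].source_ip))
                return None
            if terminate_existing is False:
                return None        # login cancelled, existing session retained
        for old in existing:       # the later login wins
            old.active = False
            self.log.append(LogEntry("Disconnected", user, old.source_ip, source_ip))
        return self._open(user, source_ip, existing[0].source_ip)

    def _open(self, user: str, source_ip: str, other_ip: str = "") -> Session:
        s = Session(next(self._ids), user, source_ip)
        self.sessions.append(s)
        self.log.append(LogEntry("Success", user, source_ip, other_ip))
        return s

    def set_single_login(self, enabled: bool) -> None:
        """Switching from single login to several logins deletes all
        current sessions, as the page notes under Other Simultaneous Login Issues."""
        if self.single_login and not enabled:
            for s in self.sessions:
                s.active = False
        self.single_login = enabled
```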
Simultaneous Login Issues
These issues may arise in connection with simultaneous login:
Endpoint Connect - Simultaneous Login Issues
For Endpoint Connect users, Mobile Access does not prevent simultaneous login. This is equivalent to the User can have several simultaneous logins to the portal option. An Endpoint Connect user cannot log out another user with the same user name, and cannot be logged out by another user with the same user name.
SecureClient Mobile - Simultaneous Login Issues
With User can have only a single simultaneous login to the portal selected and Inform user before disconnecting previous sessions not selected, SecureClient Mobile users can be logged off by another user, and can log off other users.
However, the Inform user before disconnecting his previous session option does not work, because no message can be sent to those users. User can be logged off, but cannot log off other users.
Other Simultaneous Login Issues
-
When a session is disconnected by another user and the SSL Network Extender (SNX) application mode client is being used, the SSL Network Extender window remains open, while the session is disconnected. Similarly, when a session is disconnected by another user and Secure Workspace is being used, Secure Workspace remains open, while the session is disconnected.
-
When a session is disconnected by another user and Citrix is being used, the Citrix window remains open, while the session is disconnected.
-
All current sessions are deleted when changing the setting from User can have only a single login to the Portal to User is allowed several simultaneous logins to the Portal.
Session Timeouts
Once authenticated, remote users work in a Mobile Access session until they log out or the session terminates. Security best practices provide for limiting the length of active and inactive Mobile Access sessions to prevent abuse of secure remote resources.
Note - Mobile Access uses the system time to keep track of session timeouts. Changing the system time may disrupt existing session timeouts. Therefore, it is recommended to change the system time during low activity hours.
Mobile Access provides two types of session timeouts, both of which are configured in SmartDashboard from the Mobile Access tab by selecting Additional Settings > Session.
-
Re-authenticate users every is the maximum session time. When this period is reached, the user must log in again.
The default value is 60 minutes. Changing this timeout affects only future sessions, not current sessions.
-
Disconnect idle sessions after is the disconnection time-out if the connection remains idle.
The default value is 15 minutes. When users connect via SSL Network Extender, this timeout does not apply.
For Capsule Clients:
-
Go to SmartDashboard > Mobile Access tab > Capsule Workspace Settings > Mobile Profiles.
-
Create or edit the applicable profile.
-
In the Access Settings section, configure the applicable value in the Session timeout field.
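The two portal timeouts described above, as an added Python model (example code for this page, not the gateway's timer implementation): the re-authentication limit is copied into each session when it starts, so changing it affects only future sessions; the idle timeout is skipped for SSL Network Extender sessions; and the clock is injected because, as the page notes, the gateway measures timeouts against the system time.

```python
import time
from dataclasses import dataclass


@dataclass
class PortalSession:
    user: str
    started_at: float
    last_activity: float
    reauth_after_s: float        # fixed when the session starts
    uses_snx: bool = False       # SSL Network Extender sessions are not idle-disconnected


class SessionTimeouts:
    """Applies 'Re-authenticate users every' and 'Disconnect idle sessions after'."""

    def __init__(self, reauth_minutes=60, idle_minutes=15, clock=time.time):
        self.reauth_s = reauth_minutes * 60
        self.idle_s = idle_minutes * 60
        self.clock = clock       # system time in production; injectable here

    def start(self, user: str, uses_snx: bool = False) -> PortalSession:
        now = self.clock()
        return PortalSession(user, now, now, self.reauth_s, uses_snx)

    def set_reauth_minutes(self, minutes: float) -> None:
        # Only sessions started after this call pick up the new value.
        self.reauth_s = minutes * 60

    def touch(self, session: PortalSession) -> None:
        session.last_activity = self.clock()

    def status(self, session: PortalSession) -> str:
        """Returns 'active', 'reauthenticate' or 'idle_timeout'."""
        now = self.clock()
        if now - session.started_at >= session.reauth_after_s:
            return "reauthenticate"
        if not session.uses_snx and now - session.last_activity >= self.idle_s:
            return "idle_timeout"
        return "active"
```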
Roaming
The Roaming option allows users to change their IP addresses during an active session.
Note - SSL Network Extender users can always change IP address while connected, regardless of the Roaming setting.
Tracking
Configure Mobile Access to log session activity, including login attempts, logouts, timeouts, activity states and license expiration warnings.
Securing Authentication Credentials
Having multiple users on the same machine accessing the Mobile Access Portal can be a security hazard. A user logged in to the Mobile Access Portal can open a new browser window and get the access of the earlier session. Then the user can browse directly to the Mobile Access Portal without entering the login credentials again.
To make sure authentication credentials are not stolen by others, recommend to users that they log off or close all browser windows when done using a browser.
Mobile Access Authentication Use Cases
Use Case: Two Factor Authentication with Certificates on Security Gateways
You can configure two-factor authentication with certificates on a Security Gateway in these ways:
-
Create a new Login Option with Personal Certificate as the first factor and one or more additional methods that you choose as additional factors.
-
Use the default Login Option, Cert_Username_Password, which includes a personal certificate as the first factor, and username and password as the second factor.
To create a new multi-factor login option that includes certificates:
-
Open the Security Gateway object.
-
Click Mobile Access > Authentication.
-
In the Multiple Authentication Clients Settings table, click Add to create a new option.
-
Click New.
-
In the Multiple Login Options window, enter the Login Option's Name and Display Name.
The Display Name represents this Login Option to the user upon login and can be a descriptive name.
-
Under Authentication Methods, click Add to add the first factor.
-
In the Authentication Factor window, select Personal Certificate. Note that Personal Certificate must be the first authentication factor.
-
Configure the Authentication settings.
-
Click OK.
-
-
Under Authentication Methods, click Add to add the second factor.
-
In the Authentication Factor window, select RADIUS, SecurID, DynamicID or Username and Password.
-
Configure the Authentication settings, if necessary.
-
Click OK.
-
-
To apply this Login Option only to the Mobile Access Portal or only to Capsule Workspace on mobile devices, under Usage in Gateway, select one or both client types.
-
Click OK.
-
Install the Access Control policy.
To use the built-in default Login Option Cert_Username_Password:
-
Open the Security Gateway object.
-
Click Mobile Access > Authentication.
-
In the Multiple Authentication Clients Settings table, click Add.
-
Select Cert_Username_Password from the list.
-
To apply this Login Option only to the Mobile Access Portal or only to Capsule Workspace on mobile devices:
-
In the Multiple Authentication Clients Settings table, select Cert_Username_Password and click Edit.
-
Under Usage in Gateway, select one or both client types.
-
-
Click OK.
-
Install the Access Control policy.
Note - The Login Options configured in the Multiple Authentication Clients Settings list are only available to clients that support multiple login options. To see which clients support the new multiple login options, see sk111583.
Use Case: Users Selecting a Login Option on Security Gateways
When more than one Login Option is configured, and users connect with clients that support Multiple Login Options, users select a Login Option to use when they log in.
In the Mobile Access Portal, in the login page, users see a drop-down list with all available login options, shown by their Display Name.
In the Capsule Workspace mobile application, users select the Login Option on the first connection to the Security Gateway. On subsequent connections, the same login option is shown automatically.