User Authentication and Session Management in Mobile Access

User Authentication to the Mobile Access Portal

To enter the Mobile AccessClosed Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. Portal and get access to its applications, users defined in SmartDashboardClosed Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. must authenticate to the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.. Authentication ensures that a user is who he or she claims to be. Users authenticate using one or more of these authentication schemes:

  • Username and password - Users enter a user name and password.

  • Client Certificates - Digital Certificates are issued by the Internal Certificate Authority or by a third party OPSEC certified Certificate Authority.

  • RADIUS Server - Remote Authentication Dial-In User Service (RADIUS) is an external authentication scheme. The Security Gateway forwards authentication requests by remote users to the RADIUS server. The RADIUS server, which stores user account information, authenticates the users. The RADIUS protocol uses UDP for communications with the Security Gateway. RADIUS Servers and RADIUS Server Group objects are defined in SmartDashboard.

    For more about configuring a Security Gateway to use a RADIUS server, see the R82 Security Management Administration Guide.

  • SecurID - SecurID is a proprietary authentication method of RSA Security. An external SecurID server manages access by changing passwords every few seconds. Each user carries a SecurID token, a piece of hardware or software that is synchronized with the central server and displays the current password. The Security Gateway forwards authentication requests by remote users to the RSA Authentication Manager.

    For more about configuring a Security Gateway to use SecurID, see the R82 Security Management Administration Guide.

  • DynamicID One Time Password - DynamicID One Time Password can be required as a secondary or later authentication method (not the first). When this is configured, users who successfully complete the first-phase or phases of authentication are challenged to enter an additional credential: a DynamicID One Time Password (OTP). The OTP is sent by email or text message to a mobile phone, or other mobile communication device. See Multi-Factor Authentication with DynamicID.

  • Defined on user record (Legacy Authentication) - The authentication method for each user is defined on the user record. For internal users, it is in the Authentication page of the User object properties. For LDAP users, it is on the user record in LDAP.

A user who tries to authenticate with an authentication scheme that is not configured for the Mobile Access Security Gateway will not be allowed to access resources through the Security Gateway.

Note - Legacy Mobile Access Policy (configured in SmartDashboard) does not support users configured on an LDAPS server.

Compatibility with Older Clients

Older clients connect with the same login options available on Security Gateways R77.30 and lower. If you upgrade all or most clients to versions that support multiple login options, you can block older clients from connecting. After you do this, only clients that support multiple login options can connect to the Security Gateway.

By default, Allow older clients to connect to this gateway is selected in Mobile Access > Authentication. If you clear the option, older clients are blocked.

You can choose if newer clients that support multiple login options can connect with the authentication settings defined for older clients.

Configuring the Authentication Method for Newer Clients

To block newer clients from using the authentication method defined for older clients:

  1. In the Gateway Properties, select Mobile Access > Authentication or VPN Clients > Authentication.

  2. In the Compatibility with Older Clients section, click Settings.

    The Single Authentication Clients Settings window opens.

  3. Clear Allow newer clients that support Multiple Login Options to use this authentication method.

  4. Click OK.

  5. Install policy.

To let newer clients connect to the Security Gateway with the authentication settings defined for older clients:

Select Allow newer clients that support Multiple Login options to use this authentication method.

Configuring Authentication Settings for Older Clients

To let older clients connect to the Security Gateways R80.10 and higher:

  1. In the Gateway Properties, select Mobile Access > Authentication or VPN Clients > Authentication.

  2. Select Allow older clients to connect to this gateway.

    If this is not selected, older clients cannot connect to the Security Gateway.

To change the authentication method for older clients:

  1. In the Gateway Properties, select Mobile Access > Authentication or VPN Clients > Authentication.

  2. In the Compatibility with Older Clients section, click Settings.

    The Single Authentication Clients Settings window opens.

  3. Change the Display Name to change the way the authentication method is shown in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

  4. Select an Authentication method.

  5. Click Customize to change the description of fields that are shown to users in the login window. See the "Customize Display Settings" section.

  6. To require DynamicID with the selected authentication method, select Enable DynamicID. After you select this, you must configure the DynamicID settings for the Security Gateway from Authentication > DynamicID Settings > Edit.

    See Multi-Factor Authentication with DynamicID.

  7. Define the settings for Capsule Workspace:

    • Select Require client certificate to require Capsule Workspace to always use client certificates.

    • Select Allow DynamicID to require DynamicID in addition to the selected authentication method. After you select this, you must configure the DynamicID settings for the Security Gateway from Authentication > DynamicID Settings > Edit.

      See Multi-Factor Authentication with DynamicID.

  8. Click OK.

  9. Click OK.

  10. Install policy on the Security Gateway.