This technical integration guide describes how to integrate Check Point Security Manager Gateway and Identity as a Service. The aim of this integration is to provide strong, second-factor authentication for your Check Point Security Manager Gateway using Identity as a Service.
Before you begin, review the following:
Authentication method | Notes | Supported protocols
Password | Password authentication is a first-factor authentication with Identity as a Service's password feature. | PAP, MS-CHAP v2
RADIUS | RADIUS authentication is a first-factor authentication with a RADIUS server. | PAP, MS-CHAP v2
Grid | Two-step authentication only. | PAP, MS-CHAP v2
Token | Identity as a Service supports response-only tokens. One-step or two-step authentication (including token push authentication). Note: Challenge/response tokens are unsupported with MSCHAPv2. | EAP-GTC or EAP MSCHAPv2
Temporary Access Code | Grid or token authentication must be configured. | PAP, MS-CHAP v2
OTP (One Time Password) by SMS or Token | Two-step authentication only. | EAP-GTC
Knowledge-based authentication | The RADIUS proxy only supports a single question and answer. For CHAP and MS-CHAP, the answer must be an exact match. Two-step authentication only. | PAP, MS-CHAP v2
Entrust Soft Token push authentication | Mobile Soft Token push authentication (supports response-only tokens for second-factor authentication). Classic token authentication can be used for fallback. | PAP, MS-CHAP v2
Complete the following steps before integrating your authentication system with Identity as a Service:
1. Install and configure your first-factor authentication resource using the documentation provided by the vendor. The first-factor authentication resource can be a RADIUS server or an external authentication resource (a Local DB, LDAP-compliant directory or Windows domain controller through Kerberos).
2. Install and configure the RADIUS appliance using the documentation provided by the vendor. The device must be able to route traffic before integrating with Identity as a Service.
3. Install and configure Identity as a Service and an Identity as a Service Gateway (containing a RADIUS proxy agent). Take note of the shared secrets, IP addresses, and ports you use. You need this information to configure the RADIUS appliance and first-factor authentication resource.
4. If you want to configure your RADIUS appliance and first-factor authentication resource to recognize Identity as a Service user groups, you must define the Identity as a Service user groups first.
Complete the following steps to integrate Check Point Security Gateway with IDaaS.
This section describes how to configure and integrate the Check Point Security Gateway with Identity as a Service. Check Point Security Gateway is used for Mobile Access (SSL VPN through a Web browser) and the IPSec VPN (Endpoint Security Client).
Check Point Security Gateway systems ship with a default IP address of 192.168.1.1 configured on the management interface. You can access the web-based configuration utility through the management port and configure the unit directly. If the default IP address is unsuitable for your network, define an IP address on an administrative workstation in the same IP network as the Check Point system. Once the First Time Configuration Wizard finishes and the system reboots, the default IP addresses are replaced with the information that you entered in the wizard.
Use the following procedure to set the IP address for the computer or workstation to connect to the Check Point Security Gateway controller.
To set the static IP address to access the Check Point Security Gateway management port IP address
1. To change the computer’s IP address in Windows, type network and sharing in the Search box in the Start Menu and select Network and Sharing Center.
● If you are using Windows 8.x it will be on the Start Screen.
● If you are using Windows 7 or 10 it will be on the Start Menu.
2. In the Network and Sharing Center, click Change adapter settings.
3. Right-click your Local Area Connection and select Properties to display the Local Area Connection Properties page.
4. In the Local Area Connection Properties page, select Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
The Internet Protocol Version 4 (TCP/IPv4) Properties page appears.
5. In the Internet Protocol Version 4 (TCP/IPv4) Properties page, do the following:
a. Select the Use the following IP address radio button.
b. Enter the correct IP address.
c. Enter the Subnet mask.
d. Enter the Default gateway that corresponds with the Check Point Security Gateway management port network and subnet.
6. Click OK to close the Local Area Connections Properties page.
7. Open a command prompt and type ipconfig to see whether the network adapter settings have been successfully changed.
Note: Before you configure Check Point Security Gateway and manage the system, you need to connect the unit to a management workstation or network.
After you connect the management workstation to the management interface, open the configuration utility and begin configuring the system. When you start the utility from a Web browser, use the selected default IP address as the application URL.
To start the configuration utility in a web browser
1. From a workstation attached to the network on which you have configured the Management Interface, type a URL of the form https://<management_IP_address>, where management_IP_address is the address you configured for device management.
For example: https://192.168.1.1 (which is the default). The Check Point Security Gateway Configuration Utility opens.
2. At the login prompt, enter the default user name admin and password admin.
The First Time Configuration Wizard page appears.
3. Click Next. The Deployment Options page appears.
4. Select the option Continue with Gaia R77.30 configuration and then click Next. The Management Connection page appears.
5. Optional: To change the Management IP Address, enter the Management IP address, Subnet mask, and Default Gateway.
6. Click Next. The Device Information page appears.
7. Enter the Host Name, Domain Name, and Primary DNS Server and then click Next. The Date and Time Settings page appears.
8. Set the Date, Time, and Time Zone and then click Next. The Installation Type page appears.
9. Select Security Gateway or Security Management and then click Next. The Products page appears.
10. Review the options and then click Next. You are prompted to enter a username and password.
11. Enter the User Name and Password for the Security Management Administrator and then click Next. The Security Management GUI Clients page appears.
12. Select Any IP Address, if you want to access the Management IP address from any host and then click Next. The First Time Configuration Wizard Summary page appears.
13. Click Finish. The configuration process confirmation page appears.
14. Click Yes. The Configuration Process progress page appears. It takes a few minutes to complete the First Time Configuration Wizard, and then Check Point reboots automatically.
1. After Check Point reboots, access the Check Point Management IP again at https://192.168.1.1 (or the IP address you assigned to it) and enter the new credentials of the administrative user if you changed them in the First Time Configuration Wizard.
The Check Point Management GUI appears.
2. Click Network Interfaces, select eth1 and then click Edit. The Edit eth1 page appears.
3. In the Edit eth1 page, do the following to set up the internal corporate network communication (for example, RADIUS authentication and application access):
a. In the Comments field, enter Internal. The IP address and Subnet Mask of this interface are for internal/corporate network communication, that is, RADIUS authentication and application/resource access.
b. Check the Enable box to enable the eth1 interface.
c. Select Obtain IPv4 address automatically to obtain the IP address from a corporate DHCP server.
- or -
Select Use the following IPv4 address to enter a static IP address and subnet mask.
4. Click OK to return to the Network Interfaces page.
5. Click Refresh to see the obtained IP.
6. In the Network Interfaces page, select eth2 and then click Edit. The Edit eth2 page appears.
7. In the Edit eth2 page, do the following to set up remote users VPN access through the Internet:
a. Check Enable to enable the eth2 interface and select Obtain IPv4 address automatically to obtain the IP address from the ISP.
- or -
b. Select Use the following IPv4 address to enter a static IP address and subnet mask (public IP).
8. Click OK to return to the Interfaces page.
9. Click Refresh to see the obtained IP.
To configure the RADIUS application integrated with your Identity as a Service account, you need to download the Smart Console.
To download the SmartConsole
1. Login to Check Point Management GUI.
2. In the menu, expand Maintenance and select Download SmartConsole. The Download SmartConsole page appears.
3. Click Download.
4. Save the Setup file and install it on the client computer.
When using an Identity as a Service RADIUS application to authenticate Check Point users, you must configure the VPN to recognize the Check Point as a client. You must also specify a shared secret for the RADIUS application used to authenticate the client request.
The Identity as a Service RADIUS application must be configured with the Check Point Security Gateway. This section describes how to add an Identity as a Service RADIUS application within your Check Point Security Gateway settings.
1. Start Check Point SmartDashboard R80.10 on a workstation or client computer on which it is already installed.
2. In the Login window, enter the information shown in the following table and then click Login.
Username | admin |
Password | admin or the password when you configured the Check Point Gateway as part of the First Time Configuration Wizard. |
Server name or IP Address | Check Point Security Gateway Management IP 192.168.1.1 or the IP address that you set. |
1. On the Check Point SmartConsole main page, right-click Network Objects.
2. Click Host.
The New Host page appears.
3. Type an IdentityGuard Server name of your choice and the IPv4 address of the server.
4. Click OK.
The Identity as a Service RADIUS host has been created. You can find it at Network Objects > Hosts.
Step 2.3: Create a RADIUS server object
To define the RADIUS host, you need to create RADIUS Server objects to define the host, service, version, and protocol to be used. Once you create the RADIUS server object, it can be used to specify a RADIUS object for authentication schemes used for user authentication.
1. On the Check Point Smart Dashboard window, right-click Servers > More > RADIUS.
The New RADIUS page appears.
2. Type a RADIUS object name of your choice.
3. In the New RADIUS page, do the following:
a. In the Name field, enter the name of the RADIUS server object, for example, Identity as a Service.
b. From the Host drop-down list, select the RADIUS server host you configured in the section Adding the Identity as a Service RADIUS server host.
c. From the Service drop-down list, select the NEW-RADIUS associated with port 1812.
d. In the Shared Secret field, enter the shared secret value of your Identity as a Service gateway.
e. From the Version drop-down list, select RADIUS ver 1.0 (or the version of your choice).
f. From the Protocol drop-down list, select PAP/MS-CHAP v2.
4. Click OK.
The RADIUS object is created and appears in the RADIUS list.
You must create users in Check Point Security Gateway to authenticate to Identity as a Service. This is required to log in to the Mobile Access portal or VPN client and access their applications.
Create a user
1. On the Check Point SmartConsole main window, right-click Users.
2. Click User.
3. The New User window appears. Select Default from the Choose template drop-down list.
4. Click OK.
The New User page appears.
5. Click General.
6. Enter the following user information:
● user name for example: user1
● the mobile number
● email address.
7. Click Authentication, and then do the following:
a. Select RADIUS from the Authentication method drop-down menu.
b. From the RADIUS Server drop-down list, select the RADIUS object you created in the section Step 3: Create a RADIUS server object.
8. Click OK.
A user group is a group of users with either related responsibilities or who perform related tasks. You can specify a user group in policy rules in the same way you do for individual users.
Note: Creating a group is necessary if you want to allow some of your users to do certain things but not others. A firewall does not allow you to define rules for individual users, but you can define rules for groups.
Create a user group
1. On the Check Point Smart Dashboard main window, right-click Users.
2. Click User Group.
The New User Group page appears.
3. In the New User Group page, do the following:
a. In the Name field, enter a name for the user group, for example, Identity as a Service_Users.
b. Click the + sign, in the list of Available Members.
c. Select the members that you want to add to the group
d. Click + next to the user. The user is added to the user group.
e. Click X to close the user list window.
4. Click OK.
You have now created a user group and added users to the group.
Setting the topology helps you define which interface leads to which network. This setting is done manually with the network or group object so that it represents the network or subnet behind each port. This procedure describes how to set the topology for both internal and external networks.
Set the topology for the internal network
1. Go to the Check Point Gateway Properties page, double-click CheckPoint Gateway. The Check Point Gateway Properties page appears.
2. In the left-pane, click Network Management.
3. In the right-pane, click Get Interfaces.
Note: If you see Topology and Anti Spoofing warning dialog boxes, click Yes.
The Get Topology Results page appears.
4. Click Accept.
The interfaces appear with default topology settings.
5. Optional: Modify the interface settings if they do not match the settings configured on each machine.
6. Optional: Define the topologies for each machine if they have not been defined.
7. Select eth1.
8. Click Edit. The Interface Properties page appears.
9. Click Modify.
10. In the Interface Topology Settings page, do the following:
a. Select This Network (Internal) to lead to the local network.
b. Select Perform Anti-Spoofing based on interface topology.
c. Select Detect from the Anti-Spoofing action is set to drop-down list.
11. Click OK.
12. Click OK again to close the eth1 topology page.
Set the topology for the external network
1. In the Network Management right-pane, in the list of topologies, select the external network you added previously, for example, eth2.
2. Click Edit.
3. Click Modify.
The Interface eth2 Topology Settings page appears.
4. In the Interface Topology Settings page, do the following:
a. Select Internet (External) to lead to the Internet.
b. Select Perform Anti-Spoofing based on interface topology.
c. Select Detect from the Anti-Spoofing action is set to drop-down list.
5. Click OK.
6. Click OK again to close the interface properties.
Note: If the Management interface eth0 is set to external, set the interface to eth1 before making changes.
Check Point Mobile Remote Access allows users to connect to corporate applications over the Internet with a PC. The solution provides enterprise-grade remote access through IPsec and SSL VPN, allowing you simple, safe, and secure connectivity to your corporate email and corporate applications.
Complete the following steps to configure Check Point Security Gateway:
Configure Mobile Access
1. On the Check Point Smart Dashboard main window, double click on the Check Point Gateway.
The Check Point Gateway properties page appears.
2. Select General Properties.
3. In the IPv4 Address field, enter the IPv4 address of the external interface for remote access.
4. In the left-pane, select Mobile Access from Network Security (1).
5. On the Mobile Access page, click Next. The Web Portal page appears.
6. In the Web Portal page, select the Mobile Access portal URL from the Main URL drop-down list, and then click Next. The Applications page appears.
7. In the Applications page, deselect Mobile Mail.
8. Click Next. The Active Directory Integration page appears.
9. Select the I don’t want to use active directory now check box.
10. Click Next. The Application Test page appears.
11. In the Users page, click Add. Select the Identity as a Service user group you previously created.
12. Click Next.
13. Click Finish.
14. Click OK on the Check Point Gateway -- Checkpoint-VPN page.
You need to configure the mobile portal so that the remote user is able to access it through an external IP address.
Configure the portal settings
1. Go to Check Point Gateway Properties page, in the left-pane, click Mobile Access > Portal Settings. The Portal Settings page appears.
2. In the Main URL field, enter https://<external_ip>/sslvpn.
3. Click OK.
For a user to connect to the corporate applications over the Internet using the web, a mobile device, or a desktop computer, the user needs to authenticate first in order to have access.
Configure RADIUS authentication for mobile access
1. Go to Check Point Gateway Properties page and in the left-pane, click Mobile Access > Authentication. The Authentication for Mobile Access page appears.
2. In the right pane, click Settings.
3. Under Authentication Method, select RADIUS, and then specify the RADIUS server you created earlier.
4. Click OK.
5. Click OK again at the CheckPoint Gateway Properties page.
6. Click Install Policy to apply the configuration changes.
The Unpublished changes dialog box appears.
7. Click Publish & Install. The Install Policy page appears.
8. Click Install.
The Mobile Access policy applies to the Mobile Access portal. Users can access applications remotely as defined by policy rules.
Create the mobile access policy
1. In the Check Point SmartDashboard main page, click Mobile Access.
2. In the left pane, click Policy. The Policy page appears.
3. In the Policy page, click the icon.
4. Under the Users section, click the + icon.
5. Add the RADIUS Users Group that you created in the section Creating a user group.
6. In the Applications column, click + icon, and then select the application that is selected by default, for example, Corp_Web_104.21.20.
7. In the Install On column, click + icon, and then select the Check Point Security Gateway, checkpoint-VPN.
Configure the Remote Access VPN
1. Go to the Check Point Gateway Properties page and in the left-pane, select General Properties.
2. Under Network Security, select IPsec VPN.
3. In the left-pane expand VPN Clients and select Authentication. The Authentication for VPN Clients page appears.
4. In the right-pane, click Settings. The Single Authentication Client Settings page appears.
5. Select the RADIUS radio button.
6. Select the RADIUS Server object that you created in Step 3: Create the RADIUS server object.
7. Click OK.
8. Click OK again on the Check Point Gateway properties page.
Step 3.6: Configure firewall rules for remote and mobile access VPN
Check Point Security Gateway should have at least one firewall blade installed that serves as an entry point to the corporate network. The firewall rule is a policy definition of what is allowed and what is blocked by the firewall. Rules use objects. For example, networks objects can be used in the source and destination of rules.
Configure firewall policies
1. Click Security Policies.
2. Under Access Control, select Policy.
3. In the Action column, right-click and select Accept from the Edit Properties drop-down list.
Note: A sample firewall rule to allow any traffic for this integration is available by default. Refer to the Check Point Security Gateway documentation to define the various types of policies to allow specific applications, services, port numbers, and user authenticators.
4. Click Install Policy to apply the configuration changes. The Unpublished changes dialog box appears.
5. Click Publish and Install. The Install Policy page appears.
6. Click Install.
The policy installation process does the following:
● Performs a heuristic verification on rules to ensure that they are consistent and that no rule is redundant.
● Confirms that each of the Security Gateways on which the rule is enforced (known as Install On object) enforces at least one of the rules.
● Converts the Security Policy into an Inspection Script and compiles this script into an Inspection Code.
● Distributes Inspection Codes to the selected installation targets.
Install a policy
1. In the Check Point SmartDashboard main page, click Install Policy on the top icon bar.
The Install Policy page appears.
2. In the Install Policy page, in the Network Security column, select the option for your device (for example, Checkpoint-VPN), and then click OK.
3. When the installation has completed successfully, click Close.
Note: Entrust recommends that when multiple RADIUS applications are configured that each RADIUS application is given a unique shared secret.
Integrate a RADIUS client
1. Click > Security > Applications. The Applications page appears.
2. Click Add. The Select an Application Template page appears.
3. Under RADIUS and VPN Integrations, click Check Point. The Add Check Point page appears.
4. Optional: Edit the Application Name.
5. Optional. Enter a Description for your application.
6. Optional. Add a custom application logo as follows:
a. Click next to Application Logo. The Upload Logo dialog box appears.
b. Click to select an image file to upload.
c. Browse to select your file and click Open. The Upload Logo dialog box displays your selected image.
d. If required, resize your image.
e. Click OK.
7. Click Next. The Setup page appears.
8. Click Add next to Hosts to add the host name of the VPN server. The RADIUS agent receives the request on this host. The RADIUS Agent on the Gateway determines which RADIUS application the request is for based on the host name and port.
9. Enter the host name in the Host dialog box and then click OK. Repeat this step to add more host names.
10. In the Port field, enter the port on which the RADIUS agent accepts messages.
Tip: Do not enter 8443 as the port number for this application. Port 8443 is used by the Entrust Identity Enterprise agent in your Gateway.
Attention: The RADIUS agent uses the host name that sent a request and the port number on which it received the request to determine which RADIUS application made the request. Because of that:
– Two RADIUS applications with the same port value cannot share any host names.
– Two RADIUS applications that have one or more matching host names must have different port values.
11. In the Shared Secret field, enter the shared secret that is used by your VPN server. This is the RADIUS secret shared between your VPN server and the RADIUS server. The shared secret value must match a shared secret in your RADIUS client.
12. From the Select RADIUS Agent drop-down list, select the name of the Gateway containing the RADIUS agent to which this application will be assigned.
13. Optional: From the Select RADIUS Attribute for IP Address drop-down list, select the RADIUS attribute that corresponds to your IP location.
14. In the Challenge Response Queue Max Time field, set the number of seconds that the RADIUS agent waits for a response to first-factor authentication. The default value is 180 seconds.
15. In the Challenge Response Queue Max Size field, set the maximum number of second-factor challenge requests allowed in the queue of your RADIUS application. The default value is 1000 requests. The maximum value is 10,000.
16. In the Request Cache Timeout field, set the number of seconds to cache requests. The default value is 10 seconds.
17. From the Character Set drop-down list, select the character set used to decode and encode string values (including the user ID and password values) in RADIUS messages. The options are UTF-8 and ISO-8859-1.
18. Optional: Select Log RADIUS messages to enable RADIUS message logging. When enabled, messages for the RADIUS agent are logged to the same log file as the gateway logs.
19. Optional: Enable the Authentication Settings.
Select Enable Push Authentication Fallback if you want authentication to fall back to another authenticator in the event of a failure. If required, set the Push Authentication Fallback Timeout to the number of minutes before the push authentication times out.
Select When authenticating the user will be asked to select their second-factor authenticator. When selected, after the user responds to the first-factor challenge, they are prompted to select their second-factor authenticator. The list of available second-factor authenticators is set by the resource rule.
The following is a list of supported strings matched to the authentication types:
Grid: grid
Knowledge-based Authentication: kba
One-time password: email, sms, voice
Smart Credential Push: scpush
Temporary Access Code: tac
Token: token
Token push: push
Select Indicate if requests must include the message-authenticator attribute for incoming messages to require that incoming messages include the Message-Authenticator attribute.
Select Indicate if requests must include the message-authenticator attribute for outgoing messages to include the Message-Authenticator attribute in outgoing messages.
Select Remove domain from user ID for incoming requests to remove the domain value from the user ID during authentication when the user ID provided by the RADIUS client is in the format domain\username and the user ID in IDaaS is in the format username.
Select Indicate if Active Directory password authentication requests are handled by the same Gateway Instance that initiated the request to require that Active Directory password authentication and change requests that are initiated as part of the RADIUS authentication are handled by any Gateway Instance in the same Gateway cluster that initiated it. If disabled, the request is handled by any Gateway Instance.
Select Enable one-step multi-factor authentication. When enabled, the user enters their user ID and then their password and token response in the password field. If you select this option, second factor authenticators available in the resource rule are limited to token and temporary access code.
Enter the One-step multi-factor authentication security token length. This is the length of the token or temporary access code response if you enable one-step multi-factor authentication.
20. Optional: Add Response Attributes. Response attributes are returned to the RADIUS application after successful authentication. Use this setting to configure RADIUS attributes to return information such as the user's group information to the VPN server.
When adding response attributes, you can optionally add group filters. For example:
Users in IDaaS may belong to one of the following groups: CANADA, US, UK, FRANCE.
The VPN server wants the FilterID attribute returned from the IDaaS RADIUS agent to be the value NA or EUROPE, depending on whether the user is in NA (Canada, US) or Europe (UK, France).
To do this, use a RADIUS attribute filter for the FilterID attribute with a Groups value with the following filters:
- match CANADA, replace NA
- match US, replace NA
- match UK, replace EUROPE
- match FRANCE, replace EUROPE
Set the Response Attributes as follows:
Click Add. The Add a Response Attribute dialog box appears.
Select the RADIUS Attribute ID from the drop-down list. The option you select depends on your VPN vendor.
Select the Value Type from the drop-down list.
To return a static value specified in the RADIUS attribute definition, select Static, enter a Value in the field, and then click Add.
To return the user’s group membership, select Group and then optionally do the following:
Click Add to add filters.
Enter the Match and the Replace attribute filters.
Click Add to add more attribute filters.
If you add multiple filters, you can drag and drop them in order of preference.
Select Stop after matching filter if you want only the first matching filter to return a value. Using the example above, if you want NA to have preference over EUROPE, make sure CANADA and US appear first in the list of filters.
To return Multiple Values Per Attribute, enter the Value Separator and then click Add.
Note: If a user belongs to more than one group, you can either add a separate attribute to your RADIUS response for each group or you can combine all of the groups into a single attribute. For example, if the user belongs to G1, G2, G3, then you would
- return a RADIUS response with three attributes
OR
- return a RADIUS response with one attribute and a value like "G1,G2,G3" where the , is defined in the Value Separator setting, or a value like "G1 G2 G3" where the Value Separator is defined as a space.
Attention: The default group separator is a space. If you have group names that are separated by a space, use another separator, such as a comma.
Repeat these steps to add more response attributes.
21. Optional: Configure the EAP Settings to set up the application to use the EAP RADIUS authentication protocol.
a. Select EAP Enabled to allow the RADIUS application to accept EAP messages.
– When enabled, authentication messages with EAP content are treated as EAP requests. The application can accept only EAP authentication requests.
– When disabled, incoming authentication requests are processed by the RADIUS application as a standard RADIUS authentication request (even if the request includes EAP content). In this case, the application can accept only standard RADIUS authentication requests.
b. Select the EAP Protocol from the drop-down list. The options are PEAPv0 with MS-CHAPv2 and PEAPv1 with GTC.
This setting defines the type of EAP authentication protocol that is performed on EAP requests received by the RADIUS application. Consult the configuration requirements of your VPN server to determine which EAP protocol to select.
c. Select Return MPPE Keys to include the MPPE (Microsoft Point-to-Point Encryption) recv and send keys in the Access-Accept message returned during a successful EAP authentication. The setting is enabled by default.
d. Select Use PEAPv1 label when calculating MPPE Keys to use the PEAPv1 label when calculating the MPPE recv and MPPE send keys.
e. Leave the Minimum TLS Version, Maximum TLS Version and Allow Weak Ciphers at the default settings unless you have an older VPN and need to configure these settings to allow older versions of TLS or weaker ciphers to interoperate with older VPN servers that do not support the latest versions.
22. Configure the Deprecated Settings if your RADIUS application is connected to a Gateway version older than 3.0. These values are only required for backwards compatibility.
a. Select Token OTP Only, Password with second-factor, or No first-factor as the Authentication Type. This setting defines the level of authentication required to access a RADIUS application that relies on a gateway RADIUS agent configured before release 3.1.
Note: MSCHAPv2 authentication is not supported when No first-factor authentication is configured for the RADIUS application.
23. Click Submit.
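The following Python module is an added illustration for this guide, not Entrust's code or the actual RADIUS agent implementation. It models three of the behaviours described in the application settings above: the host name/port rule from step 10 (two applications with the same port cannot share a host name), the Group response attribute filters of step 20 (ordered match/replace filters, Stop after matching filter, and the Multiple Values Per Attribute separator, including the group-name-with-spaces caveat), and the one-step multi-factor credential of step 19 (password and fixed-length token response concatenated in the password field). All class names, function names and sample values are assumed or constructed; how duplicate replacement values are treated is an assumption, as the guide does not say.

```python
"""Model of how an IDaaS Gateway RADIUS agent could apply the application
settings from steps 10, 19 and 20. Added example, not Entrust's code."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class RadiusApp:
    name: str
    hosts: Set[str]           # host names of the RADIUS clients (VPN servers)
    port: int                 # port the agent accepts messages on (not 8443)
    shared_secret: str        # unique per application, as recommended above


def check_app_conflicts(apps: List[RadiusApp]) -> List[Tuple[str, str]]:
    """Return pairs of applications the agent could not tell apart:
    same port value and at least one shared host name."""
    conflicts = []
    for i, a in enumerate(apps):
        for b in apps[i + 1:]:
            if a.port == b.port and a.hosts & b.hosts:
                conflicts.append((a.name, b.name))
    return conflicts


def route_request(apps: List[RadiusApp], host: str, port: int) -> Optional[RadiusApp]:
    """Pick the application a request belongs to from (sending host, port).
    Returns None for an unknown client or an ambiguous configuration."""
    matches = [a for a in apps if a.port == port and host in a.hosts]
    return matches[0] if len(matches) == 1 else None


@dataclass
class GroupAttribute:
    attribute_id: str                               # e.g. "Filter-Id"
    filters: List[Tuple[str, str]] = field(default_factory=list)  # (Match, Replace), in order of preference
    stop_after_match: bool = True
    multiple_values_per_attribute: bool = False
    separator: str = " "                            # default group separator is a space


def build_group_attribute(attr: GroupAttribute, user_groups: List[str]) -> List[str]:
    """Return the value(s) emitted for a Group-type response attribute, one
    list element per attribute instance in the Access-Accept.
    - No filters: the user's group names are returned as-is.
    - Filters are tried in list order; a filter whose Match equals one of the
      user's groups contributes its Replace value.
    - stop_after_match: only the first matching filter contributes.
    - multiple_values_per_attribute: all values are joined into ONE attribute
      with separator; otherwise each value becomes its own attribute."""
    if attr.filters:
        values: List[str] = []
        for match, replace in attr.filters:
            if match in user_groups:
                if replace not in values:   # assumption: duplicates collapsed
                    values.append(replace)
                if attr.stop_after_match:
                    break
    else:
        values = list(user_groups)
    if not values:
        return []
    if attr.multiple_values_per_attribute:
        return [attr.separator.join(values)]
    return values


def split_one_step_credential(password_field: str, token_length: int) -> Optional[Tuple[str, str]]:
    """One-step MFA: the password field carries password + token response.
    The token response is the fixed-length tail; the password is the rest.
    Returns None when the field is too short to hold both parts."""
    if token_length <= 0 or len(password_field) <= token_length:
        return None
    return password_field[:-token_length], password_field[-token_length:]


if __name__ == "__main__":
    # Constructed sample configuration (not real hosts).
    apps = [
        RadiusApp("checkpoint-VPN", {"vpn1.example.test"}, 1812, "secret-one"),
        RadiusApp("other-VPN", {"vpn1.example.test"}, 1812, "secret-two"),
    ]
    print("conflicts:", check_app_conflicts(apps))
    region = GroupAttribute("Filter-Id", [("CANADA", "NA"), ("US", "NA"),
                                          ("UK", "EUROPE"), ("FRANCE", "EUROPE")])
    print("Filter-Id for a US+UK user:", build_group_attribute(region, ["US", "UK"]))
    print("split:", split_one_step_credential("P@ssw0rd123456", 6))
```

The routing check is the reason the guide forbids overlapping host names on one port: with two candidates the agent cannot know which shared secret to verify the request against, so `route_request` refuses to guess. In the group filter, ordering plus Stop after matching filter is what gives NA preference over EUROPE in the guide's example; switching to one attribute with a space separator is where group names that themselves contain spaces become ambiguous, hence the recommendation to use a comma.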
● Resource rules for RADIUS applications only include the Date / Time, Geolocation and Source IP Address condition restriction.
● The Authentication Decision steps that you can select for a RADIUS application resource rule depend on whether the RADIUS application uses EAP RADIUS authentication.
● If the settings of a RADIUS application on Identity as a Service are modified so that the application uses EAP RADIUS authentication, or the type of EAP protocol used is changed, the resource rule associated with the RADIUS application is automatically updated.
● RADIUS applications with no EAP support the following second-factor authenticators: knowledge-based authentication, temporary access code, one-time password, grid, hardware/software token, token push, and smart credential push.
● RADIUS applications with RADIUS MSCHAPv2 support only temporary access code and hardware/software token second-factor authenticators.
● When creating a resource rule for a RADIUS application, you can select EXTERNAL+no second-factor.
● RADIUS applications with RADIUS GTC support the following second-factor authenticators: software/hardware token, one-time password, grid, temporary access code, knowledge-based authentication.
Create a resource rule to protect access to a RADIUS application
1. Log in to your Identity as a Service administrator account.
2. Click > Security > Resource Rules. The Resource Rules List page appears.
3. Click + next to the application you want to protect with a resource rule. The Add Resource Rules page appears.
4. Enter a Rule Name and Rule Description for the resource rule.
5. In the Groups list, select the group or groups of users restricted by the resource rule.
These are the groups to which the resource rule applies. If you do not select any groups, by default the resource rule applies to all groups.
Attention: You must maintain the default of all groups if you want to allow external authentication and bypass second-factor authentication for users who do not already exist in Identity as a Service. External Authentication without second-factor is only available to low risk users of RADIUS applications that support External Authentication.
6. Click Next. The Authentication Conditions Settings page appears.
7. If you do not Enable Advanced Risk Factors, do the following:
a. Select the Authentication Flow from the drop-down list. The Authentication Flow flowchart updates based on the selection.
b. Click Submit to save the Resource Rule.
8. If you want to Enable Advanced Risk Factors, complete the remaining steps in this procedure.
9. Select Enable Advanced Risk Factors to add additional risk factors to the resource rule.
10. Select Enable Strict Access for Application to set the resource rule to deny access regardless of the outcome from other resource rules. If this option is disabled for any resource rule that denies access, the user is allowed access if at least one resource rule allows access.
11. For each Advanced Risk Factor, click the Deny option to deny access to the application if the risk factor fails regardless of the results of the other risk factors.
12. Click Date/Time to set the conditions as follows:
a. Select one of the following:
– Allow Date/Time to set when a user can access the application.
– Deny Date/Time to set when the user cannot access the application.
The Date/Time Context Condition Settings appear.
b. Select the Condition Type:
– Specific Date Range Condition—Allows or denies access to the application during a select period of days.
– Time-of-day and/or Day of Week Recurring Conditions—Allows or denies access to the application on a specific time of day, day of the week, or both. Recurring times selected only apply to days not denied.
– Clear Selection—Clears existing Date and Time conditions.
c. Set the Condition Type settings, as follows:
i) Select Use local time zone to use the local time zone, or deselect Use local time zone, begin typing the time zone in the Begin Typing Timezone name field and select the time zone from the drop-down list.
ii) If you selected Specific Date Range Condition, click Start Date to select a start date from the pop-up calendar. Optionally, select the End Date.
iii) If you selected Time-of-Day and/or Day-of-Week, click Start Time and select the start time from the pop-up clock. Optionally set the End Time. You must also select the days of the week for the condition.
d. Click Save to return to the Authentication Conditions Settings page.
13. Click Geolocation to set the Location Condition Settings, as follows:
a. Select Allow or Deny to create an allowed or denied country list.
b. From the Selected Countries drop-down list, select the countries to allow or deny access to the application. Repeat until you have added all the desired countries to the list.
c. Select Allow Anonymous IP Address to increase the risk of users authenticating from an anonymous IP address.
d. Click Save to return to the Authentication Conditions Settings page.
14. Click Source IP Address. The IP Address Risk Setting dialog box appears. Do one of the following:
a. Select Custom and add the required IP Allowed Addresses and IP Denied Addresses.
b. Select IP List Address and select the IP List to allow or deny.
c. Select None to not restrict any IP addresses.
d. Click OK to return to the Authentication Conditions Settings.
15. Define the Location History / Known Locations and Travel Velocity conditions.
The Risk-Based Authentication (RBA) settings of your Identity as a Service account define the location history and travel velocity conditions. See Manage risk-based authentication settings for more information.
16. Set the risk score for application conditions to set the risk percentage a user receives if they fail to meet the condition, as follows:
● Click the dot next to the condition setting and slide the risk scale to the risk percentage
-or-
● Click the 0% and enter the risk points and then click OK.
The default setting is 0%. The Risk percentage determines the authentication requirements as set by the Authentication Decision. When a user attempts to authenticate to an application, the final risk percentage is the sum of all failed conditions.
17. Set the Authentication Decision risk level for Medium Risk and High Risk as follows:
a. Click the risk threshold percentage to the right of Medium Risk or High Risk. The Risk Threshold dialog box appears.
b. Enter the risk percentage.
c. Click OK.
18. Select the Authentication Flows for Low Risk, Medium Risk, and High Risk from the drop-down lists. The Authentication Flows flowchart updates based on your selections.
19. Click Submit to create the resource rule.
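The Authentication Decision logic of steps 10 to 18 (the Deny option on a risk factor, strict access across rules, summing the percentages of failed conditions and comparing the total with the Medium and High thresholds) can be written down as a small model. This is an added example, not Identity as a Service code; it assumes that a total equal to a threshold already counts as that risk level and that, when several rules allow access, the flow of the first allowing rule is used, neither of which the guide specifies. The rule, factors and flow names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class RiskFactor:
    """One Advanced Risk Factor (Date/Time, Geolocation, Source IP Address) for a request."""
    name: str
    failed: bool            # the request did not meet the condition
    risk_pct: int = 0       # risk points set in step 16 (default 0%)
    deny: bool = False      # Deny option from step 11

@dataclass
class ResourceRule:
    name: str
    factors: list
    medium_threshold: int   # step 17
    high_threshold: int
    flows: dict = field(default_factory=dict)   # step 18: "low"/"medium"/"high" -> flow name
    strict: bool = False    # Enable Strict Access for Application, step 10

def evaluate_rule(rule):
    """Return ('deny', None) or ('allow', flow_name) for one rule."""
    # Step 11: a failed factor marked Deny refuses access regardless of the other factors.
    if any(f.failed and f.deny for f in rule.factors):
        return ("deny", None)
    # Step 16: the final risk percentage is the sum of all failed conditions (assumed >=).
    total = sum(f.risk_pct for f in rule.factors if f.failed)
    level = "high" if total >= rule.high_threshold else \
            "medium" if total >= rule.medium_threshold else "low"
    return ("allow", rule.flows[level])

def evaluate_rules(rules):
    """Combine the rules protecting one application (step 10)."""
    results = [(r, evaluate_rule(r)) for r in rules]
    # A strict rule that denies wins regardless of the outcome of the other rules.
    if any(r.strict and d == "deny" for r, (d, _) in results):
        return ("deny", None)
    # Otherwise the user is allowed if at least one rule allows access (first one assumed).
    for _, (d, flow) in results:
        if d == "allow":
            return ("allow", flow)
    return ("deny", None)

# Constructed sample: out-of-hours request from an unlisted IP, country not on the deny list.
FLOWS = {"low": "EXTERNAL+no second-factor", "medium": "Password + OTP", "high": "Password + token push"}
SAMPLE_RULE = ResourceRule(
    name="Check Point VPN users",
    factors=[RiskFactor("Date/Time", failed=True, risk_pct=30),
             RiskFactor("Source IP Address", failed=True, risk_pct=40),
             RiskFactor("Geolocation", failed=False, risk_pct=50, deny=True)],
    medium_threshold=50, high_threshold=80, flows=FLOWS)
```

For the sample rule the two failed conditions sum to 70%, which lands in the Medium band and selects the "Password + OTP" flow; had Geolocation failed, its Deny flag would refuse access before any score was computed.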
Test the integration to ensure that it has been configured properly.
Test the authentication using a Web Browser
1. Open a web browser in the client computer and enter the following URL:
https://<Check Point firewall external IP address>/sslvpn, for example https://10.4.21.73/sslvpn
If you are connecting for the first time, the SSL VPN gateway requires you to install the Check Point SSL Extender ActiveX component. This is a virtual interface that encapsulates all the communication inside an SSL tunnel.
2. In the login window, in the User name and Password fields, enter the user name and password that you defined in Check Point and Identity as a Service in the section Creating a user.
3. Click Sign In. You are prompted to enter a token response.
4. Enter the Entrust CR Token response to the challenge.
5. Click Submit.
The user has authenticated successfully and the Check Point Mobile window appears.
6. Open the Corp Web application and verify that you have web access to the Internet.
Test using Check Point Endpoint security client
1. Open the Check Point Endpoint Security application.
2. In the login window, do the following:
a. In the Site field, enter the IP address of the Check Point Security Gateway (External Interface IP).
b. In the Username field, enter the name that you defined in Check Point and Identity as a Service.
c. In the Password field, enter the password for the RADIUS application.
3. Click Connect.
On successful first-factor authentication, Identity as a Service challenges you to enter the response.
4. Enter a response to the grid authentication challenge.
5. Click Connect.
After successful authentication, you should see a Check Point connection succeeded message.
Test using the Entrust Identity app for push authentication
1. Log in with the correct first-factor username/password on your RADIUS client.
2. Open the Entrust Identity app on a mobile device.
3. Unlock (log in) using the identity you want to use to respond to the request.
4. Tap Actions.
5. Review the transaction summary details.
6. Tap Confirm.