---
title: Configuring Check Point VPN for PingID multi-factor authentication
description: This procedure details the configuration required in your Check Point VPN for integrating PingID multi-factor authentication (MFA).
component: pingid
page_id: pingid:pingid_integrations:pid_configuring_check_point_vpn_multi_factor_authentication
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_configuring_check_point_vpn_multi_factor_authentication.html
revdate: June 10, 2024
section_ids:
  prerequisites: Prerequisites
  about-this-task: About this task
  processing-steps: Processing steps
  configuring-global-properties: Configuring Global Properties
  steps: Steps
  configuring-the-radius-host: Configuring the RADIUS host
  steps-2: Steps
  creating-a-udp-entry: Creating a UDP entry
  steps-3: Steps
  creating-the-vpn-radius-server: Creating the VPN RADIUS server
  steps-4: Steps
  configuring-a-radius-user-profile: Configuring a RADIUS user profile
  steps-5: Steps
  result: Result:
  setting-the-participating-gateways: Setting the participating gateways
  steps-6: Steps
  result-2: Result:
  adding-a-radius-rule: Adding a RADIUS rule
  steps-7: Steps
  result-3: Result:
  result-4: Result:
  defining-a-mobile-access-rule: Defining a Mobile Access rule
  steps-8: Steps
  result-5: Result:
  result-6: Result:
  committing-the-changes: Committing the changes
  steps-9: Steps
  result-7: Result:
  signing-on-to-the-check-point-vpn-for-the-end-user: Signing on to the Check Point VPN for the end user
  steps-10: Steps
  result-8: Result:
  result-9: Result:
---

# Configuring Check Point VPN for PingID multi-factor authentication

This procedure details the configuration required in your Check Point VPN for integrating PingID multi-factor authentication (MFA).

## Prerequisites

* You have installed Check Point VPN, including Check Point SmartConsole and SmartDomain Manager.

* You have configured the necessary settings in PingOne and PingFederate. For more information, see:

  * Configuring PingOne for Multi-Factor VPN Authentication

  * Configuring PingFederate for Multi-Factor VPN Authentication

## About this task

The following video describes the Check Point VPN process.

**Video (Brightcove)**

<https://players.brightcove.net/771836189001/default_default/index.html?videoId=4401111294001&t=34s&autoplay=true>

The following image represents a general flow. Actual configuration will vary according to individual company infrastructure considerations and policies.

![A flow chart depicting the relationship between Checkpoint VPN, PingFederate, and PingID.](_images/sfo1564020862427.jpg)

## Processing steps

1. When a user opens their IPSec or SSL VPN login window and enters a user name and password, their details are sent to the RADIUS Server on PingFederate through the VPN.

2. PingFederate authenticates the user's credentials against the LDAP Server as first-factor authentication.

3. After LDAP authentication approval, the RADIUS server initiates second-factor authentication with PingID. If authentication is denied, the user's VPN window displays an error message.

## Configuring Global Properties

To configure Check Point VPN for PingID multi-factor authentication (MFA), you must configure Global Properties.

### Steps

1. From the Windows **Start** menu, open the **Check Point SmartDashboard**.

2. Enter your username and password and click **Login**.

3. In the Check Point SmartDashboard, in the **Checkpoint** menu bar, click the **Menu** icon (![A screen capture of the Menu icon in the Check Point SmartDashboard.](_images/fzv1564020997545.jpg) ). Go to **Policy → Global Properties**.

4. Click **Smart Dashboard Customization**.

5. Click **Configure**.

6. Open the configuration tree, and go to **FireWall-1 → Authentication → RADIUS**. ![A screen capture of the RADIUS settings in the Checkpoint SmartDashboard.](_images/lii1564020998042.jpg)

7. Configure the following settings:

   * **radius\_user\_timeout**: 600

   * **radius\_retrant\_num**: 2

   * **radius\_send\_frames**: Select the check box.

   * **radius\_connection\_timeout**: 30

   * **radius\_retrant\_timeout**: 60

   * **radius\_ignore**: 0

8. Click **OK**.

## Configuring the RADIUS host

To configure Check Point VPN for MFA, you must configure the RADIUS host.

### Steps

1. In the **Network Objects** toolbar, click the **Network Objects** tab (![the Network Objects tab.](_images/ijb1564020998915.jpg) ).

2. In the **Network Objects** tree, right-click **Nodes**, and then go to **Node → Host…** ![A screen capture of the Nodes cascade menu.](_images/bos1564020999413.jpg)

3. In the **Host Node** dialog box, in the **Host Node** navigation tree, click **General Properties**.

4. In the **Name** field, enter the RADIUS host name.

5. In the **IPv4 Address** field, enter the RADIUS password credential validator (PCV) IP address. ![A screen capture of the Host Node - General Properties window.](_images/trn1564021000026.jpg)

6. Click **OK**.

## Creating a UDP entry

Create two UDP entries, one for the authentication port and one for the accounting port.

### Steps

1. In the **Network Objects** toolbar, click the **Services** tab (![A screen capture of the Services icon.](_images/adk1564021000907.jpg)).

2. In the **Network Objects** tree, right-click on **UDP** and select **New UDP…**

   ![A screen capture of the Network Objects tree.](_images/vpt1606212738737.jpg)

3. In the **UDP Service Properties - NEW-RADIUS** window, enter the following information:

   ![A screen capture of the UDP Service Properties window.](_images/pqo1564021001964.jpg)

   1. In the **Name** field, enter a name for the UDP service.

   2. In the **Port** field, enter the port number.

      The default port is 1812.

      The port number must match the one defined in your RADIUS PCV configuration.

4. Click **OK**.

5. Repeat the process to create a UDP service for the RADIUS accounting port.

   The RADIUS accounting port number should be the next consecutive number to the port number used for the authentication port.

## Creating the VPN RADIUS server

To configure Check Point VPN for PingID MFA, you must create the VPN RADIUS server.

### Steps

1. In the **Network Objects** toolbar, click the **Servers and OPSEC** tab (![A screen capture of the Servers and OPSEC icon.](_images/aqx1564021002800.jpg) ).

2. In the **Network Objects** tree, right-click on **Servers** and go to **New → RADIUS…​**.

   ![A screen capture of the Network Objects tree.](_images/hym1564021003293.jpg)

   The following window is displayed:

   ![A screen capture of the General tab in the RADIUS Server Properties window.](_images/zvc1564021004332.jpg)

3. On the **General** tab, enter the following information.

   1. In the **Name** field, enter a RADIUS server name.

   2. From the **Host** list, select the RADIUS host that you created previously.

      For more information, see [Configuring the RADIUS host](pid_configuring_radius_host.html).

   3. From the **Service** list, select the RADIUS service that you created previously.

      For more information, see [Create a UDP Entry](pid_creating_udp_entry.html).

   4. In the **Shared Secret** field, enter the shared secret.

      The shared secret must match the one configured in the RADIUS server PCV.

   5. From the **Version** list, select **RADIUS Ver. 1.0 Compatible**.

   6. From the **Protocol** list, select **PAP**.

4. Click the **Accounting** tab. ![A screen capture of the Accounting tab in the RADIUS Server Properties window.](_images/kjp1564021005618.jpg)

5. On the **Accounting** tab, enter the following information:

   1. Select the **Enable IP Pool Management** check box.

   2. From the **Service** drop-down menu, select the RADIUS accounting service you created earlier.

      For more information, see [Create a UDP Entry](pid_creating_udp_entry.html).

6. Click **OK**.
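
The **Shared Secret** and **PAP** settings above decide how the password is protected between the gateway and the RADIUS server PCV, and how the gateway authenticates the reply. The following Python code is an added example, not part of the Ping Identity or Check Point documentation: it implements the RFC 2865 password hiding and Response Authenticator check, and all function names, user names, and secrets in it are constructed for illustration.

```python
import hashlib
import hmac
import os

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = (password + bytes(-len(password) % 16)) or bytes(16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server-side inverse; a mismatched secret yields garbage."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value


def build_access_request(ident, user, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)
    hidden = hide_password(password, secret, request_auth)
    attrs = _attr(USER_NAME, user) + _attr(USER_PASSWORD, hidden)
    header = bytes([ACCESS_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + request_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(code+id+len+request_auth+attrs+secret)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    digest = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret)
    return hmac.compare_digest(digest.digest(), response[4:20])


def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    request = build_access_request(7, b"jdoe", b"constructed-password", secret)
    header = bytes([ACCESS_ACCEPT, 7]) + (20).to_bytes(2, "big")  # simulated reply
    reply = header + hashlib.md5(header + request[4:20] + secret).digest()
    return (verify_response(reply, request, secret),
            verify_response(reply, request, b"wrong-secret"))
```

A reply that fails `verify_response` corresponds to a shared secret on the gateway that does not match the one configured in the RADIUS server PCV.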

### Configuring a RADIUS user profile

To configure Check Point VPN for PingID multi-factor authentication (MFA), you must configure a RADIUS user profile.

#### Steps

1. In the **Network Objects** toolbar, click ![A screen capture of the Users and Administrators icon.](_images/myl1564021007005.jpg).

2. In the **Network Objects** tree, expand **External User Profiles**.

3. Double-click the **generic**\* user profile.

   If the generic\* user profile is not listed, right-click on **External User Profiles**, and select **New External User Profile → Match all users…**.

   ![A screen capture of the Match All Users cascading menu.](_images/tky1564021007489.jpg)

4. In the **External User Profile Properties** window, from the navigation tree, click **Authentication**.

   ![A screen capture of the External User Profile Properties window.](_images/ufn1564021008046.jpg)

5. In the **Authentication** window, enter the following information:

   1. From the **Authentication Scheme** list, select **RADIUS**.

   2. From the **Select a RADIUS Server or Group of Servers:** list, select the RADIUS server that you created previously.

      For more information, see [Create the VPN RADIUS server](pid_creating_vpn_radius_server.html).

6. Click **OK**.

7. In the **Network Objects** tree, right-click **User Groups**, and select **New Group…**.

   ![A screen capture of the Group Properties window.](_images/fsq1564021008570.jpg)

8. In the **Group Properties - RADIUS\_USERS** window, enter the following information:

   1. In the **Name** field, enter a name for the RADIUS group.

   2. From the **Available Members** pane, select **generic**\*. Click **Add**.

      ##### Result:

      The generic member is added to the **Selected Members** list.

9. Click **OK**.

### Setting the participating gateways

To configure Check Point VPN for PingID multi-factor authentication (MFA), you must set the participating gateways.

#### Steps

1. In the **Checkpoint** toolbar, click the **IPSec VPN** tab.

2. In the left navigation pane, click **Communities**.

   ##### Result:

   The available communities are listed.

3. Double-click the **RemoteAccess** community.

   ![A screen capture of the Communities list, and the Remote Access Community Properties window.](_images/hlv1564021009987.jpg)

4. In the **Remote Access Community Properties** window, in the navigation tree, click **Participating Gateways**.

5. If your Check Point VPN gateway does not appear in the **Participant Gateway** list, click **Add**, and then select your VPN Gateway.

6. In the **Remote Access Community Properties** tree, click **Participant User Groups**. ![A screen capture of the Participant User Groups window. A list of current Remote Access User Groups is shown with the New button to the right and the Add, Edit, and Remove buttons underneath.](_images/wee1564021010543.jpg)

7. If the user group you created is not listed, click **Add** and select the group from the list.

8. Click **OK**.

### Adding a RADIUS rule

To configure Check Point VPN for PingID multi-factor authentication (MFA), you must add a RADIUS rule.

#### Steps

1. In the **Checkpoint** toolbar, click the **Firewall** tab.

2. In the upper left-hand tree, click **Policy**.

   ##### Result:

   The rules of the existing policy are listed.

3. In the row for **Any**, in the **No.** column, right-click and select **Add Rule → Above**.

   ![A screen capture of the Add Rule menu cascade, accessed by right-clicking in the Number column and Any row.](_images/xws1564021011878.jpg)

   ##### Result:

   A new row is added to this policy.

4. In the new row, in the **Source** column, right-click **Any**, and then go to **Add Objects → Add Legacy User Access**.

5. In the **Legacy User Access** window, select the RADIUS user configured earlier. Click **OK**.

   For more information, see [Configure a RADIUS user profile](pid_configuring_radius_user_profile.html).

   ![A screen capture of the Legacy User Access window.](_images/xpx1564021012397.jpg)

6. In the **Destination** column, right-click **Any** and select **Network Object**.

7. In the **Add Object** window, select the VPN network configured by your network administrator. Click **OK**.

   ![A screen capture of the Add Object window.](_images/iep1564021012936.jpg)

8. In the **VPN** column, right-click **Any Traffic**, and then click **Edit Cell**.

9. In the **VPN Match Conditions** window, select **Only Connections Encrypted in Specific VPN Communities**.

   ![A screen capture of the VPN Match Conditions window.](_images/kyp1564021013472.jpg)

10. Add the RemoteAccess community to the rule.

    1. In the **VPN Match Conditions** window, click **Add**.

    2. Select **RemoteAccess**. Click **OK**.

    3. To return to the main menu, click **OK**.

11. In the **Action** column of your RADIUS rule, right-click and select **Accept**.

12. In the **Track** column of your RADIUS rule, right-click **None**, and then select **Log**.

    ![A screen capture of the Policy list, showing the new RADIUS rule.](_images/ynd1564021014102.jpg)

## Defining a Mobile Access rule

The Mobile Access rule triggers when the authentication process approves a user's credentials. It defines the landing page that the user sees when they sign on.

### Steps

1. In the **Checkpoint** toolbar, click the **Mobile Access** tab.

2. In the upper left-hand tree, click **Policy**.

   #### Result:

   The existing policy is listed.

3. Right-click the **No.** column and select **New Rule**.

   #### Result:

   A new row is added to the list of rules.

4. In the **Users** column, click the **Plus** icon (![The plus icon is a yellow square with a red plus sign inside it](_images/njl1564021015583.jpg)) and select the Radius Users group that you previously created.

   For more information, see [Configure a RADIUS user profile](pid_configuring_radius_user_profile.html).

   ![A screen capture of the Policy list on the Mobile Access tab.](_images/swn1564021016071.jpg)

## Committing the changes

To apply the configuration, commit the changes.

### Steps

1. In the **Checkpoint** menu bar, click **Install Policy**.

   ![A screen capture of the Install Policy window. The window shows a list of installation targets with one gateway selected and an Advanced section. In the Advanced section, there are settings for Installation Mode and Revision Control. The Install on each selected gateway independently option is selected.](_images/obs1564021017434.jpg)

2. Ensure that the **Install on Each Selected Gateway Independently** option is selected, and then click **OK**.

   #### Result:

   The configuration is verified and installed. A message appears when the policy installation is complete.

## Signing on to the Check Point VPN for the end user

When the PingID RADIUS password credential validator (PCV) multi-factor authentication (MFA) configuration is complete, sign on to your Check Point VPN.

### Steps

1. Open a browser and enter the URL of your Check Point external IP SSL VPN address, as configured in [Configure the RADIUS host](pid_configuring_radius_host.html).

   Enter the URL with a format of https\://*\<IP address or Check Point Hostname>*/sslvpn. For example, https\://PID\_New\_Connection/sslvpn or https\://10.8.2.13/sslvpn.

2. Enter your organization's credentials and click **Sign In**.

   #### Result:

   You will receive a push notification to your mobile device.

3. To approve the authentication request, in the PingID mobile app, swipe the slider up.

   This might differ according to the organization's approved MFA devices.

   #### Result:

   PingID acknowledges the return notification from your mobile device, and access is granted.
