PingID Administration Guide

Configuring Check Point VPN for PingID multi-factor authentication

This procedure details the configuration required in your Check Point VPN for integrating PingID multi-factor authentication (MFA).

Prerequisites

  • You have installed Check Point VPN, including Check Point SmartConsole and SmartDomain Manager.

  • You have configured the necessary settings in PingOne and PingFederate. For more information, see:

    • Configuring PingOne for Multi-Factor VPN Authentication

    • Configuring PingFederate for Multi-Factor VPN Authentication

About this task

The following video describes the Check Point VPN process.

The following image represents a general flow. Actual configuration will vary according to individual company infrastructure considerations and policies.

A flow chart depicting the relationship between Check Point VPN, PingFederate, and PingID.

Processing steps

  1. When a user opens their IPSec or SSL VPN login window and enters a user name and password, their details are sent to the RADIUS Server on PingFederate through the VPN.

  2. PingFederate authenticates the user’s credentials against the LDAP Server as first-factor authentication.

  3. After LDAP authentication approval, the RADIUS server initiates second-factor authentication with PingID. If authentication is denied, the user’s VPN window displays an error message.

Configuring Global Properties

To configure Check Point VPN for PingID multi-factor authentication (MFA), you must configure Global Properties.

Steps

  1. From the Windows Start menu, open the Check Point SmartDashboard.

  2. Enter your username and password and click Login.

  3. In the Check Point SmartDashboard, in the menu bar, click the Menu icon, and then go to Policy → Global Properties.

  4. Click Smart Dashboard Customization.

  5. Click Configure.

  6. Open the configuration tree, and go to FireWall-1 → Authentication → RADIUS.

    A screen capture of the RADIUS settings in the Check Point SmartDashboard.

  7. Configure the following settings:

    • radius_user_timeout: 600

    • radius_retrant_num: 2

    • radius_send_frames: Select the check box.

    • radius_connection_timeout: 30

    • radius_retrant_timeout: 60

    • radius_ignore: 0

  8. Click OK.

Configuring the RADIUS host

To configure Check Point VPN for MFA, you must configure the RADIUS host.

Steps

  1. In the Network Objects toolbar, click the Network Objects tab.

  2. In the Network Objects tree, right-click Nodes, and then go to Node → Host…

    A screen capture of the Nodes cascade menu.

  3. In the Host Node dialog box, in the Host Node navigation tree, click General Properties.

  4. In the Name field, enter the RADIUS host name.

  5. In the IPv4 Address field, enter the RADIUS password credential validator (PCV) IP address.

    A screen capture of the Host Node - General Properties window.

  6. Click OK.

Creating a UDP entry

Create two UDP entries, one for the authentication port and one for the accounting port.

Steps

  1. In the Network Objects toolbar, click the Services tab.

  2. In the Network Objects tree, right-click on UDP and select New UDP…

    A screen capture of the Network Objects tree.

  3. In the UDP Service Properties - NEW-RADIUS window, enter the following information:

    A screen capture of the UDP Service Properties window.

    1. In the Name field, enter a name for the UDP service.

    2. In the Port field, enter the port number.

      The default port is 1812.

      The port number must match the one defined in your RADIUS PCV configuration.

  4. Click OK.

  5. Repeat the process to create a UDP service for the RADIUS accounting port.

    The RADIUS accounting port number should be the next consecutive port number after the authentication port (for example, 1813 when the authentication port is 1812).

Creating the VPN RADIUS server

To configure Check Point VPN for PingID MFA, you must create the VPN RADIUS server.

Steps

  1. In the Network Objects toolbar, click the Servers and OPSEC tab.

  2. In the Network Objects tree, right-click on Servers and go to New → RADIUS…

    A screen capture of the Network Objects tree.

    The following window is displayed:

    A screen capture of the General tab in the RADIUS Server Properties window.

  3. On the General tab, enter the following information.

    1. In the Name field, enter a RADIUS server name.

    2. From the Host list, select the RADIUS host that you created previously.

      For more information, see Configuring the RADIUS host.

    3. From the Service list, select the RADIUS service that you created previously.

      For more information, see Creating a UDP entry.

    4. In the Shared Secret field, enter the shared secret.

      The shared secret must match the one configured in the RADIUS server PCV.

    5. From the Version list, select RADIUS Ver. 1.0 Compatible.

    6. From the Protocol list, select PAP.

  4. Click the Accounting tab.

    A screen capture of the Accounting tab in the RADIUS Server Properties window.

  5. On the Accounting tab, enter the following information:

    1. Select the Enable IP Pool Management check box.

    2. From the Service drop-down menu, select the RADIUS accounting service you created earlier.

      For more information, see Creating a UDP entry.

  6. Click OK.
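The processing steps above and the Shared Secret / PAP settings in this section describe a standard RADIUS exchange (RFC 2865) between the VPN gateway and the PingFederate RADIUS server. The following script is an added example, not code from Ping Identity or Check Point, that models that exchange end to end: the gateway builds an Access-Request on the configured port, hides the PAP password with the shared secret, and the server side checks the first factor against a directory, consults a second-factor callback standing in for PingID, and returns an authenticated Access-Accept or Access-Reject. The shared secret, the user, the password, the NAS address and the directory contents are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for the demonstration; in a real deployment the shared
# secret is whatever you entered in the RADIUS Server Properties window and
# in the PingFederate RADIUS PCV (the two must match).
SHARED_SECRET = b"example-shared-secret-CHANGE-ME"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
# Stand-in for the LDAP directory PingFederate checks as the first factor.
DIRECTORY = {"alice": b"correct horse battery"}


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: PAP User-Password hiding.

    The password is padded to a multiple of 16 bytes and XORed block by block
    with MD5(secret + previous block); the first block uses the 16-byte Request
    Authenticator. This is obfuscation keyed by the shared secret, not
    encryption, which is why the secret must be strong and the gateway-to-RADIUS
    path should stay on a trusted network segment.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # removes the padding (and any real trailing NULs)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length covers the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs[attr_type] = blob[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier, username, password, secret, request_auth=None):
    """What the VPN gateway (the NAS) sends to the authentication port (step 1)."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 1])))  # constructed NAS address
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Access-Accept/Reject; Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret) -> bool:
    """Gateway-side check that the reply came from a server holding the shared
    secret and answers the outstanding request (same Identifier)."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def radius_server_handle(request, secret, second_factor):
    """Models the PingFederate RADIUS server: first factor against the directory
    (step 2), then the PingID second factor (step 3). Returns the reply packet,
    or None when the request is malformed and is dropped without an answer."""
    code, _, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None
    attrs = parse_attributes(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    if not hmac.compare_digest(DIRECTORY.get(user, b""), password):
        return build_response(ACCESS_REJECT, request, secret)
    if not second_factor(user):  # the user declined or never approved the push
        return build_response(ACCESS_REJECT, request, secret)
    return build_response(ACCESS_ACCEPT, request, secret)


if __name__ == "__main__":
    req = build_access_request(7, "alice", "correct horse battery", SHARED_SECRET)
    reply = radius_server_handle(req, SHARED_SECRET, second_factor=lambda user: True)
    ok = reply[0] == ACCESS_ACCEPT and verify_response(reply, req, SHARED_SECRET)
    print("access granted" if ok else "access denied")
```

Two points worth noticing when you read the code: a reply built with a different shared secret fails `verify_response`, which is the symptom you see when the secret in the RADIUS Server Properties window does not match the PCV (the gateway reports an authentication failure even though PingFederate accepted the user), and the second-factor callback is where the `radius_user_timeout` value from Global Properties matters, because the gateway must keep the request outstanding long enough for the user to approve the push.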

Configuring a RADIUS user profile

To configure Check Point VPN for PingID multi-factor authentication (MFA), you must configure a RADIUS user profile.

Steps

  1. In the Network Objects toolbar, click the Users and Administrators tab.

  2. In the Network Objects tree, expand External User Profiles.

  3. Double-click the generic* user profile.

    If the generic* user profile is not listed, right-click on External User Profiles, and select New External User Profile → Match all users….

    A screen capture of the Match All Users cascading menu.

  4. In the External User Profile Properties window, from the navigation tree, click Authentication.

    A screen capture of the External User Profile Properties window.

  5. In the Authentication window, enter the following information:

    1. From the Authentication Scheme list, select RADIUS.

    2. From the Select a RADIUS Server or Group of Servers: list, select the RADIUS server that you created previously.

      For more information, see Creating the VPN RADIUS server.

  6. Click OK.

  7. In the Network Objects tree, right-click User Groups, and select New Group….

    A screen capture of the Group Properties window.

  8. In the Group Properties - RADIUS_USERS window, enter the following information:

    1. In the Name field, enter a name for the RADIUS group.

    2. From the Available Members pane, select generic*. Click Add.

      Result:

      The generic member is added to the Selected Members list.

  9. Click OK.

Setting the participating gateways

To configure Check Point VPN for PingID multi-factor authentication (MFA), you must set the participating gateways.

Steps

  1. In the Check Point toolbar, click the IPSec VPN tab.

  2. In the left navigation pane, click Communities.

    Result:

    The available communities are listed.

  3. Double-click the RemoteAccess community.

    A screen capture of the Communities list, and the Remote Access Community Properties window.

  4. In the Remote Access Community Properties window, in the navigation tree, click Participating Gateways.

  5. If your Check Point VPN gateway does not appear in the Participant Gateway list, click Add, and then select your VPN Gateway.

  6. In the Remote Access Community Properties tree, click Participant User Groups.

    A screen capture of the Participant User Groups window. A list of current Remote Access User Groups is shown with the New button to the right and the Add, Edit, and Remove buttons underneath.

  7. If the user group you created is not listed, click Add and select the group from the list.

  8. Click OK.

Adding a RADIUS rule

To configure Check Point VPN for PingID multi-factor authentication (MFA), you must add a RADIUS rule.

Steps

  1. In the Check Point toolbar, click the Firewall tab.

  2. In the upper left-hand tree, click Policy.

    Result:

    The rules of the existing policy are listed.

  3. In the row for Any, in the No. column, right-click and select Add Rule → Above.

    A screen capture of the Add Rule menu cascade, accessed by right-clicking in the Number column and Any row.

    Result:

    A new row is added to this policy.

  4. In the new row, in the Source column, right-click Any, and then go to Add Objects → Add Legacy User Access.

  5. In the Legacy User Access window, select the RADIUS user configured earlier. Click OK.

    For more information, see Configuring a RADIUS user profile.

    A screen capture of the Legacy User Access window.

  6. In the Destination column, right-click Any and select Network Object.

  7. In the Add Object window, select the VPN network configured by your network administrator. Click OK.

    A screen capture of the Add Object window.

  8. In the VPN column, right-click Any Traffic, and then click Edit Cell.

  9. In the VPN Match Conditions window, select Only Connections Encrypted in Specific VPN Communities.

    A screen capture of the VPN Match Conditions window.

  10. Add the RemoteAccess community to the rule.

    1. In the VPN Match Conditions window, click Add.

    2. Select RemoteAccess. Click OK.

    3. To return to the main menu, click OK.

  11. In the Action column of your RADIUS rule, right-click and select Accept.

  12. In the Track column of your RADIUS rule, right-click None, and then select Log.

    A screen capture of the Policy list, showing the new RADIUS rule.

Defining a Mobile Access rule

The Mobile Access rule triggers when the authentication process approves a user’s credentials. It defines the landing page that the user sees when they sign on.

Steps

  1. In the Check Point toolbar, click the Mobile Access tab.

  2. In the upper left-hand tree, click Policy.

    Result:

    The existing policy is listed.

  3. Right-click the No. column and select New Rule.

    Result:

    A new row is added to the list of rules.

  4. In the Users column, click the Plus icon and select the Radius Users group that you previously created.

    For more information, see Configuring a RADIUS user profile.

    A screen capture of the Policy list on the Mobile Access tab.

Committing the changes

To apply the configuration, commit the changes.

Steps

  1. In the Check Point menu bar, click Install Policy.

    A screen capture of the Install Policy window. The window shows a list of installation targets with one gateway selected and an Advanced section. In the Advanced section, there are settings for Installation Mode and Revision Control. The Install on each selected gateway independently option is selected.

  2. Ensure that the Install on Each Selected Gateway Independently option is selected, and then click OK.

    Result:

    The configuration is verified and installed. A message appears when the policy installation is complete.

Signing on to the Check Point VPN for the end user

When the PingID RADIUS password credential validator (PCV) multi-factor authentication (MFA) configuration is complete, sign on to your Check Point VPN.

Steps

  1. Open a browser and enter the URL of your Check Point external IP SSL VPN address, as configured in Configuring the RADIUS host.

    Enter the URL with a format of https://<IP address or Check Point Hostname>/sslvpn.

  2. Enter your organization’s credentials and click Sign In.

    Result:

    You will receive a push notification to your mobile device.

  3. To approve the authentication request, in the PingID mobile app, swipe the slider up.

    This might differ according to the organization’s approved MFA devices.

    Result:

    PingID acknowledges the return notification from your mobile device, and access is granted.