CHECKPOINT MULTI-FACTOR AUTHENTICATION USING UPSSO

This document provides instructions for integrating the CHECKPOINT VPN with the UPSSO RADIUS server so that VPN logins require multi-factor authentication.

CHECKPOINT - UPSSO RADIUS NETWORK DIAGRAM

  1. The user authenticates to the firewall with the CHECKPOINT VPN client software.
  2. CHECKPOINT sends a RADIUS Access-Request to the UPSSO RADIUS server.
  3. The UPSSO RADIUS server forwards the authentication request to the IDP server.
  4. The IDP server checks the credentials against the enterprise LDAP or the UPSSO directory.
  5. The IDP sends the multi-factor token through the configured method, such as Google Authenticator, SMS, or email, and the user enters it.
  6. The RADIUS server receives the accept or reject decision from the IDP server.
  7. The UPSSO RADIUS server returns the result (Access-Accept or Access-Reject) to the target device.
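The RADIUS side of the flow above, as an added worked example that is not part of this document or of Check Point's or UPSSO's software: a minimal RFC 2865 client and a toy stand-in for the UPSSO RADIUS server plus IDP. The stand-in assumes the second factor is collected through an Access-Challenge: the first Access-Request carries the portal password, the server answers with a State attribute and a prompt, and the second request carries the OTP. The shared secret, user name, password and OTP are constructed values. What it shows that the list cannot: User-Password is hidden with MD5(secret + authenticator), every reply is checked against the Response Authenticator, and a client holding the wrong secret gets no usable answer at all.

```python
# Toy RADIUS exchange for the UPSSO MFA flow. Added example: not Check Point or UPSSO code.
# Every user name, password, OTP and secret used here is constructed for the demo.
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 2, 18, 24

def encode_attrs(attrs):
    # RFC 2865 TLV: Type(1) Length(1, counting these two header bytes) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def encrypt_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to 16-byte blocks; XOR each with MD5(secret + previous ciphertext block)
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(plain[i:i + 16], key))
        out += prev
    return out

def decrypt_password(blob, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")  # garbage if the two secrets differ

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def build_access_request(ident, username, password, secret, state=None):
    request_auth = secrets.token_bytes(16)  # fresh random Request Authenticator per request
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, encrypt_password(password, secret, request_auth))]
    if state is not None:
        attrs.append((ATTR_STATE, state))  # echo the server's State on the OTP leg
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth

def build_response(code, request, secret, attrs):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(resp, request_auth, secret):
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

class ToyUpssoRadius:  # stand-in for UPSSO RADIUS + IDP: password check, then an OTP leg bound by State
    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}  # users: name -> (password, otp)

    def handle(self, pkt):
        _, _, request_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        user = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
        given = decrypt_password(a.get(ATTR_USER_PASSWORD, b""), self.secret, request_auth)
        if ATTR_STATE in a:  # leg 2: User-Password carries the OTP; State is single-use
            ok = self.pending.pop(a[ATTR_STATE], None) == user and given == self.users[user][1]
            return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, pkt, self.secret, [])
        if user in self.users and given == self.users[user][0]:
            state = secrets.token_bytes(8)
            self.pending[state] = user
            return build_response(ACCESS_CHALLENGE, pkt, self.secret,
                                  [(ATTR_REPLY_MESSAGE, b"Enter OTP"), (ATTR_STATE, state)])
        return build_response(ACCESS_REJECT, pkt, self.secret, [])

def login(server, secret, username, password, otp):
    """Drive both legs as the firewall would; returns ACCEPT, REJECT or UNVERIFIED."""
    code, attrs = ACCESS_CHALLENGE, {}
    for ident, credential in ((1, password), (2, otp)):  # leg 1: password, leg 2: OTP
        req, request_auth = build_access_request(ident, username, credential, secret, attrs.get(ATTR_STATE))
        resp = server.handle(req)
        if not verify_response(resp, request_auth, secret):
            return "UNVERIFIED"  # reply not authenticated with our secret: mismatch or spoofed server
        code, _, _, attrs = parse_packet(resp)
        attrs = dict(attrs)
        if code != ACCESS_CHALLENGE:
            break
    return "ACCEPT" if code == ACCESS_ACCEPT else "REJECT"
```

A real RADIUS client silently discards replies whose Response Authenticator does not verify, so a secret that differs between the UPSSO portal entry and the firewall's RADIUS settings shows up as a timeout rather than a reject; that is the first thing to check when the VPN login hangs. The MD5-based hiding of User-Password is weak by modern standards, so keep the firewall-to-UPSSO RADIUS path on a trusted network or inside a tunnel.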

ADD CHECKPOINT RADIUS CLIENT IN UPSSO PORTAL

  1. Log in to the UPSSO Portal.
  2. Once logged in, go to the Radius Clients section.
  3. Click the Add Radius Client button.
  4. Enter the device friendly name, its IP address, and the shared secret the device will use to authenticate to the RADIUS server. The same secret is entered later in the device's RADIUS configuration. Use a long, random value and keep it confidential: the RADIUS shared secret is what hides the user's password on the wire and authenticates the server's replies. The IP address must be the source address the firewall uses for RADIUS traffic, since the RADIUS server identifies clients by source IP.

CONFIGURING CHECKPOINT ACCESS SERVER

  1. Log in to the CHECKPOINT firewall at https://<IP or Domain>:4434 with an administrator username and password.
  2. Once logged in, go to the VPN tab and make sure VPN is enabled, as shown in the screenshot below.
  3. Click Users and Objects, then Authentication Servers.
  4. Click the Configure link to add the RADIUS server and enter the details as set in the UPSSO portal.
  5. Configure the RADIUS settings as shown in the screenshot below. In the Hostname or IP address field, enter the name or IP address of the UPSSO RADIUS server; by default the port is UDP 1812. The shared secret must match the one entered in the UPSSO portal. Because the user must receive and type an OTP after the password prompt, set the RADIUS timeout long enough for that second step.
  6. Click Apply to save the changes.
  7. Repeat the steps if you have a secondary server for high availability.
  8. Configure Remote Access permissions as shown in the screenshot below.

LOGIN TO VPN USING UPSSO MFA

  1. Download and install the CHECKPOINT Endpoint Security client.
  2. Open the VPN client and click Yes on the prompt that follows.
  3. Click Next in the Site Creation wizard.
  4. Enter the IP address or domain name of the CHECKPOINT firewall.
  5. For Authentication Method, select Username and Password.
  6. Click Next, then Finish. Click Yes to initiate the connection.
  7. In the Username/Password prompt, enter the same credentials you use to log in to the UPSSO portal.
  8. Enter the OTP received through email, SMS, or Google Authenticator.
  9. Once the credentials are validated, you are connected to the VPN.