topic Re: Import CA certificate and use it for Multifactor Authentication. in General Topics

Import CA certificate and use it for Multifactor Authentication.

Debon27 — Fri, 21 May 2021 09:46:05 GMT

Hi, I am wondering if possible to import our AD internal CA certificate in our Check Point devices, to use it for multifactor authentication for Remote Access VPN users. I have done this on Cisco ASA and FortiGates but not sure if possible in Check Point. I know that I could add a NPS server and send RADIUS requests from the Gateways to the NPS, but I do not want this scenario. I just need that the Gateways trust our internal CA, and check the users' username/password + certificate and allow connection if the users' certificates belong to the chain of trust. I do NOT want that the Gateways relegate the certificate authentication to an external machine. Thank you very much.

Re: Import CA certificate and use it for Multifactor Authentication.

_Val_ — Fri, 21 May 2021 10:15:36 GMT

User certificate or device certificate? If latter, look into sk121173.

Re: Import CA certificate and use it for Multifactor Authentication.

Debon27 — Fri, 21 May 2021 11:54:00 GMT

After adding the CA certificate and checking that machine authentication feature is enabled, I supose that I also have to create a new profile for VPN Clients, setting username/password + certificate as usual, right? Just for confirmation, the requered steps are the following ones:

1- Check that machine authentication is enabled.

2- Import our Internal CA certificate in the SMS

3- Create a new Multifactor Profile for certificate as first factor, and user/pass as second factor (user and pass will be authenticated by LDAP server).

4- Install policy.

5- Create a new profile in the Check Point End Point Security client, selecting the new Profile.

After that, the client should sent certificate+user/pass to the Gateway, and te Gateway will perform the certificate authentication, while the LDAP server will continue in charge of user/pass authentication, right? Thank you very much for the help!

Re: Import CA certificate and use it for Multifactor Authentication.

_Val_ — Fri, 21 May 2021 11:58:06 GMT

I suggest you read the mentioned SK, and follow the guidance. In addition, download Remote Access Clients for Windows 32/64-bit E80.72 and higher Administration Guide and look it though, especially starting from page 64

Re: Import CA certificate and use it for Multifactor Authentication.

Debon27 — Fri, 21 May 2021 12:07:05 GMT

Ah ok sorry, I was confused with the usual multifactor authentication profile method, but I am seeing that this is a new feature and most of things are enabled by default. Thank you very much.