topic Re: Technology Partner News: Okta MFA for Check Point in SASE and Remote Access

Technology Partner News: Okta MFA for Check Point

DeletedUser — Thu, 13 Sep 2018 19:56:18 GMT

Happy to say that Okta has an Okta-certified RADIUS app and posted the integration guide with Check Point on their website. A RADIUS integration is perhaps a small thing, but one thing notable about the integration is this authentication setting: Accept password and security token in the same login request. When MFA is required in the Okta policy and this is enabled, then a user must add a comma to the end of their password, followed by their second factor keyword (such as a One-Time-Password from their Okta Verify app).

This is helpful in some Check Point cases where we don't support RADIUS access-challenge requests following the initial access-request to the RADIUS server. When there is an access-challenge, then our software needs to handle this in an interactive exchange with the user like in this example from our Remote Access VPN client.

Not all of our clients support this.

Client	Supports Challenge-Response
Remote Access	Yes
Mobile Access	Yes
Captive Portal	Yes, in R80.20
SmartConsole	No
Gaia OS	No

For those cases where you want MFA and our software doesn't currently support access-challenge, then this is a convenient way to do MFA via adding the second factor in the initial access-request to the RADIUS server.

Re: Technology Partner News: Okta MFA for Check Point

PhoneBoy — Thu, 13 Sep 2018 21:59:50 GMT

Funny thing is I remember working with some folks at Okta on this some time ago.

Glad to see it's a formally supported/documented thing now

Re: Technology Partner News: Okta MFA for Check Point

DeletedUser — Thu, 13 Sep 2018 23:18:21 GMT

Somehow I knew you had a hand in this 😉 Thanks Dameon.

Re: Technology Partner News: Okta MFA for Check Point

Christopher_Ric — Tue, 29 Jan 2019 18:45:37 GMT

Has anyone been able to get this to work? I'm struggling with it. Any help would be greatly appreciated.

Re: Technology Partner News: Okta MFA for Check Point

DeletedUser — Tue, 29 Jan 2019 21:02:21 GMT

What problems are you running into? Anything unique about your configuration? thanks, bob

Re: Technology Partner News: Okta MFA for Check Point

Christopher_Ric — Tue, 29 Jan 2019 21:06:48 GMT

Just get unknown user in the CP logs with any credentials that I input. No

logs are generated on the Okta side unless I use an invalid user that is

not in Okta. Nothing unique as far as configuration.

Re: Technology Partner News: Okta MFA for Check Point

DeletedUser — Tue, 29 Jan 2019 21:27:35 GMT

Do you see the access-request in a tcpdump from CHKP to the Okta RADIUS agent? What CHKP client are you trying to login with?

Re: Technology Partner News: Okta MFA for Check Point

Christopher_Ric — Tue, 29 Jan 2019 21:47:00 GMT

Interesting discovery with the tcpdump. If I use a user account that is

local to the check point user database I see the radius request and of

course that fails because its not in Okta. However if I use an Okta

username, I see an ldap request and no radius...Using Version VPN E80.82

endpoint client.

Re: Technology Partner News: Okta MFA for Check Point

DeletedUser — Tue, 29 Jan 2019 22:26:39 GMT

That helps, so something in the CHKP configuration that needs to be tweaked. To be sure the CHKP-Okta piece works, you can always set RADIUS as the auth method in the user object where the user also exists in Okta. Not scalable, but some times nice to see something works 😉

To simplify things you may want to ignore RADIUS user group part of the Okta docs and check your External User Profile settings.

.............

6. Navigate to SECURITY POLICIES and select Access Control. This displays Access Tools VPN Communities. Click on VPN Communities. Double click to open the RemoteAccess community and add the gateway object.

7. Click Participant User Groups and accept the default All Users.
8. Click OK to save the settings.
9. The option to create an External User Profile (generic*) is only available using the legacy SmartConsole Client. To launch legacy SmartDashboard go under "Manage & Settings" and select the "Configure in SmartDashboard" for the Mobile Access option

10. In the lower left corner click on the Users object. Right click on External User profile and select New External User profile -> Match all users.

11. Click Authentication and select RADIIUS as the authentication scheme. Select the RADIUS server configured above, for example MyRADIUS.

Re: Technology Partner News: Okta MFA for Check Point

Christopher_Ric — Wed, 30 Jan 2019 12:21:51 GMT

9-11 has got me further...I'm seeing it hit Okta now, but for some reason

still fails. Checkpoint states radius servers not responding and okta

states authentication of user via radius: login failed. Not much detail.

Maybe I'll open a case with them and see what they have to say as well.

Re: Technology Partner News: Okta MFA for Check Point

Christopher_Ric — Wed, 30 Jan 2019 12:58:33 GMT

Finally got it working. For the heck of it I decided to try changing the

radius secret and then it worked...Not sure if they have limitations on

characters or what, but I made it simpler. Thanks for your assistance.

Re: Technology Partner News: Okta MFA for Check Point

KatiaCruz — Tue, 06 Oct 2020 18:43:02 GMT

What about SandBlast Agent as the client? Do we support Okta/MFA for our Endpoint Security solution?

In summary, I'm trying to understand if our FDE blade would support preboot MFA without requesting the user for their credentials again for OS authentication. It doesn’t need to be Okta if we have any other MFA support for this purpose.

Any ideas will be much appreciated! 🙂

Re: Technology Partner News: Okta MFA for Check Point

seanmc12 — Sun, 12 Nov 2023 21:19:11 GMT

Do you remember what set of instructions you used for this. I am using the instructions from OKTA and it is just not working. Not getting a prompt for MFA on my vpn client