This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Debon27
Explorer
‎2021-05-21 02:46 AM
Jump to solution

Import CA certificate and use it for Multifactor Authentication.

Hi, I am wondering if possible to import our AD internal CA certificate in our Check Point devices, to use it for multifactor authentication for Remote Access VPN users. I have done this on Cisco ASA and FortiGates but not sure if possible in Check Point. I know that I could add a NPS server and send RADIUS requests from the Gateways to the NPS, but I do not want this scenario. I just need that the Gateways trust our internal CA, and check the users' username/password + certificate and allow connection if the users' certificates belong to the chain of trust. I do NOT want that the Gateways relegate the certificate authentication to an external machine. Thank you very much.

0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2021-05-21 04:58 AM
In response to Debon27
Jump to solution

I suggest you read the mentioned SK, and follow the guidance. In addition, download Remote Access Clients for Windows 32/64-bit E80.72 and higher Administration Guide and look it though, especially starting from page 64

View solution in original post

0 Kudos
4 Replies
_Val_
Admin
Admin
‎2021-05-21 03:09 AM
Jump to solution

User certificate or device certificate? If latter, look into sk121173.

0 Kudos
Debon27
Explorer
‎2021-05-21 04:52 AM
In response to _Val_
Jump to solution

After adding the CA certificate and checking that machine authentication feature is enabled, I supose that I also have to create a new profile for VPN Clients, setting username/password + certificate as usual, right? Just for confirmation, the requered steps are the following ones:

1- Check that machine authentication is enabled.

2- Import our Internal CA certificate in the SMS

3- Create a new Multifactor Profile for certificate as first factor, and user/pass as second factor (user and pass will be authenticated by LDAP server).

4- Install policy.

5- Create a new profile in the Check Point End Point Security client, selecting the new Profile.

 

After that, the client should sent certificate+user/pass to the Gateway, and te Gateway will perform the certificate authentication, while the LDAP server will continue in charge of user/pass authentication, right? Thank you very much for the help!

0 Kudos
_Val_
Admin
Admin
‎2021-05-21 04:58 AM
In response to Debon27
Jump to solution

I suggest you read the mentioned SK, and follow the guidance. In addition, download Remote Access Clients for Windows 32/64-bit E80.72 and higher Administration Guide and look it though, especially starting from page 64

0 Kudos
Debon27
Explorer
‎2021-05-21 05:07 AM
In response to _Val_
Jump to solution

Ah ok sorry, I was confused with the usual multifactor authentication profile method, but I am seeing that this is a new feature and most of things are enabled by default. Thank you very much.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events