Debon27
Explorer

Import CA certificate and use it for Multifactor Authentication.

Hi, I am wondering if it is possible to import our AD internal CA certificate into our Check Point devices, to use it for multifactor authentication for Remote Access VPN users. I have done this on Cisco ASA and FortiGate but I am not sure whether it is possible in Check Point. I know that I could add an NPS server and send RADIUS requests from the Gateways to the NPS, but I do not want this scenario. I just need the Gateways to trust our internal CA, check the users' username/password + certificate, and allow the connection if the users' certificates belong to the chain of trust. I do NOT want the Gateways to delegate the certificate authentication to an external machine. Thank you very much.

0 Kudos
1 Solution

4 Replies
_Val_
Admin

User certificate or device certificate? If latter, look into sk121173.

0 Kudos
Debon27
Explorer

After adding the CA certificate and checking that the machine authentication feature is enabled, I suppose that I also have to create a new profile for VPN Clients, setting username/password + certificate as usual, right? Just for confirmation, the required steps are the following:

1- Check that machine authentication is enabled.

2- Import our Internal CA certificate in the SMS

3- Create a new Multifactor Profile for certificate as first factor, and user/pass as second factor (user and pass will be authenticated by LDAP server).

4- Install policy.

5- Create a new profile in the Check Point Endpoint Security client, selecting the new Profile.


After that, the client should send certificate + user/pass to the Gateway, and the Gateway will perform the certificate authentication, while the LDAP server will remain in charge of user/pass authentication, right? Thank you very much for the help!

0 Kudos
_Val_
Admin

I suggest you read the mentioned SK and follow the guidance. In addition, download the Remote Access Clients for Windows 32/64-bit E80.72 and higher Administration Guide and look it through, especially starting from page 64.

0 Kudos
Debon27
Explorer

Ah ok, sorry, I was confused with the usual multifactor authentication profile method, but I am seeing that this is a new feature and most things are enabled by default. Thank you very much.


0 Kudos
