Vladimir
Champion

MFA with Google Authenticator

This may come in handy for small-scale implementations where RSA SecurID is too expensive an option to consider.

(1)
32 Replies
XBensemhoun
Employee

This is a good thing; thanks.

Information Security enthusiast, CISSP, CCSP
0 Kudos
Vladimir
Champion

You are welcome:)

MikeB
Advisor

Excellent contribution. Thank you very much Vladimir!

Claudio_Bolcato
Contributor

It's very interesting. Is there any way to integrate it with Active directory / LDAP?

HeikoAnkenbrand
Champion

This is a very good and helpful documentation.

I will try it in a quiet minute in the LAB.

THX,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Vladimir
Champion

You are quite welcome.

I was kind of hopeful that CP would provide native integration with 3rd party MFAs by now, besides that of SecurID, and/or not rely on SMS.

Alas, we'll have to keep it on the wish list:)

0 Kudos
Daniel_Moore
Contributor

Agreed on the 3rd party MFA option being out of the box for Checkpoint. Integrity of authentication systems is critical. Checkpoint is positioned in the best place on networks for MFA system security.

0 Kudos
Alex_Rozhko
Employee

Vladimir,

this is a very cool document. It looks like you tested the solution with the Endpoint Client; will this work with SNX?

I have the same question as Claudio: can it be integrated with LDAP/AD instead of creating a local account on the RADIUS server?

Vladimir
Champion

Alex,

Off the top of my head, there is no reason it shouldn't, though it will likely require you to append the generated PIN code to the password.

As to integration with LDAP/AD, I am afraid it will not work. The whole solution hinges on manipulating accounts local to RADIUS. If you are looking at something better integrated, I believe you are venturing into the RSA SecurID category.

I've just checked and they seem to have discounted their offerings to much more reasonable rates:

RSA SecurID Access Editions 
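To make the "append the generated PIN code to the password" idea concrete, here is an added illustration in Python (not code from Vladimir's guide, from FreeRADIUS, or from the Google Authenticator PAM module). Google Authenticator codes are RFC 6238 TOTP values, so the snippet implements that algorithm, splits the combined password field the way a RADIUS back end would have to, and verifies both factors with a small clock-skew window. The base32 secret is RFC 6238's published test-vector key and the static password is a constructed sample; neither comes from this thread.

```python
import base64
import hashlib
import hmac
import struct

# Google Authenticator codes are RFC 6238 TOTP: HMAC-SHA1 over a 30-second time
# counter, dynamically truncated to 6 digits. The shared secret is stored base32-encoded.

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP for a single counter value."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                      # re-add the padding authenticator apps strip
    key = base64.b32decode(s)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret_b32, int(at_time) // step, digits)

def split_password_and_otp(combined: str, digits: int = 6):
    """Split 'password' + OTP as typed into the VPN client's single password field."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]

def verify_password_plus_otp(combined: str, expected_password: str, secret_b32: str,
                             now: int, window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Check both factors; accept +/- `window` time steps of clock skew on the OTP."""
    parts = split_password_and_otp(combined, digits)
    if parts is None:
        return False
    password, otp = parts
    password_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    counter = int(now) // step
    otp_ok = False
    for delta in range(-window, window + 1):      # evaluate every candidate; no early exit
        if hmac.compare_digest(hotp(secret_b32, counter + delta, digits), otp):
            otp_ok = True
    return password_ok and otp_ok

# Constructed sample values: RFC 6238's test secret ("12345678901234567890" in base32)
# and a made-up static password. Not taken from this thread.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_PASSWORD = "Passw0rd!"

if __name__ == "__main__":
    code = totp(RFC6238_SECRET, 59)              # 287082 per RFC 6238
    print("TOTP at T=59:", code)
    print("accepted:", verify_password_plus_otp(SAMPLE_PASSWORD + code, SAMPLE_PASSWORD, RFC6238_SECRET, 59))
```

The verifier deliberately checks both factors before returning so that a failed password and a failed OTP take the same time. What it does not do is remember codes it has already accepted; a production back end (the Google Authenticator PAM module does this) must refuse a reused code within its validity window, otherwise an OTP captured once is good for up to 90 seconds.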

SChalhoub
Participant

Excellent article. 

schalhoub
Ilmo_Anttonen
Collaborator

Thanks for an excellent guide. 

Since FreeRADIUS 3.0 you need to add /3.0/ to the path of radius and PAM related commands.

Example from guide: "sudo nano /etc/freeradius/radiusd.conf"

should now be "sudo nano /etc/freeradius/3.0/radiusd.conf".

Same with PAM.

----------------

Related question.
I want to use Google Authenticator to add 2FA for remote access users when they connect with Check Point Mobile for Windows VPN client. Currently they log on with AD credentials only.

Could someone point me in the right direction to get there?

Ilmo_Anttonen
Collaborator

I just noticed my question was already asked in previous comments. That's unfortunate if it doesn't work. The customer had a Cisco ASA using AnyConnect together with Microsoft MFA before they changed to CheckPoint, and I was certain it should not be a biggie to make it work on CheckPoint since it was so simple on the ASA. But Microsoft MFA doesn't run with CheckPoint without client certificates, from what I understood, so this is why I turned to the FreeRADIUS solution. It's a small client so I don't think paying for RSA is an option. I have some explaining to do 🙂

0 Kudos
Vladimir
Champion

@Ilmo_Anttonen , you can most definitely make it work with Azure MFA using NPS and the NPS Extension for Azure MFA.

Please see the excellent article here for the non-vendor specific implementation: http://techgenix.com/azure-mfa-existing-vpn/ 

I probably was referring to the Google MFA in particular and even that has probably changed with time allowing for the integration with MS NPS (which is the MS free Radius service).

Regards,

Vladimir

Ilmo_Anttonen
Collaborator

Ok! Many thanks I will check it. 

0 Kudos
Jacky_Chen
Participant

That is so wonderful.
0 Kudos
Alex-
Leader

This is a great guide and here is an important update for those who wish to use it.

If you use the latest LTS release of Ubuntu Server (18.0.4), you will have FreeRADIUS 3.0, and there is an issue in the PAM implementation, namely it is missing a symbolic link. After a bit of troubleshooting and Googling, I stumbled upon this:

 

https://enterpriseadmins.org/blog/virtualization/build-your-own-two-factor-authentication-server/

 

The solution described, to manually add the symbolic link via the command below and restart the FreeRADIUS service, solved the issue, and I now have RADIUS working on my new Ubuntu Server.

sudo ln -sf /etc/freeradius/3.0/mods-available/pam /etc/freeradius/3.0/mods-enabled/pam

 

This doesn't survive a reboot, so depending on your implementation you will need to re-enter that command after each restart or find a way to automate it.
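For anyone automating that step: the `ln -sf` above overwrites whatever is sitting in mods-enabled, which is fine interactively but not something you want to run blindly on every boot. Below is an added helper in Python (not from the guide or from the linked blog post) that performs the same enable step idempotently, reports what it found, and refuses to clobber an unexpected file or link. The `/etc/freeradius/3.0/mods-available` and `mods-enabled` layout is taken from the command in the post; running it before the service starts, for example from a systemd `ExecStartPre` drop-in on the freeradius unit, is an assumption about your setup rather than anything the thread describes.

```python
import os

# Hypothetical helper (not from the guide): make sure FreeRADIUS 3.x has the PAM
# module enabled, i.e. mods-enabled/pam is a symlink to mods-available/pam.

def ensure_pam_module_enabled(freeradius_dir: str = "/etc/freeradius/3.0") -> str:
    """Return 'created', 'present', 'missing-source' or 'conflict'. Never clobbers."""
    available = os.path.join(freeradius_dir, "mods-available", "pam")
    enabled = os.path.join(freeradius_dir, "mods-enabled", "pam")
    if not os.path.isfile(available):
        return "missing-source"          # the package did not ship the module config
    if os.path.islink(enabled):
        if os.path.realpath(enabled) == os.path.realpath(available):
            return "present"             # already enabled: second run is a no-op
        return "conflict"                # link points somewhere else; leave it for a human
    if os.path.exists(enabled):
        return "conflict"                # a regular file is in the way
    os.makedirs(os.path.dirname(enabled), exist_ok=True)
    os.symlink(available, enabled)       # equivalent of: ln -s .../mods-available/pam .../mods-enabled/pam
    return "created"

def demo_in_scratch_dir() -> list:
    """Exercise the helper on a throwaway tree (constructed, not a real /etc)."""
    import tempfile
    root = tempfile.mkdtemp()
    enabled = os.path.join(root, "mods-enabled", "pam")
    states = [ensure_pam_module_enabled(root)]                 # no mods-available/pam yet
    os.makedirs(os.path.join(root, "mods-available"))
    open(os.path.join(root, "mods-available", "pam"), "w").close()
    states.append(ensure_pam_module_enabled(root))             # link gets created
    states.append(ensure_pam_module_enabled(root))             # already there, nothing changes
    os.remove(enabled)
    open(enabled, "w").close()                                 # a stray regular file in the way
    states.append(ensure_pam_module_enabled(root))             # refused rather than overwritten
    return states

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/freeradius/3.0"
    state = ensure_pam_module_enabled(target)
    print("pam module:", state)
    sys.exit(0 if state in ("created", "present") else 1)
```

The non-zero exit on `missing-source` or `conflict` is what makes it safe as a pre-start hook: the service refuses to come up with PAM silently disabled, which is the failure mode you would otherwise only notice when every VPN login starts being rejected.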

MartinTzvetanov
Advisor

Hello @Vladimir ,

 

What do you mean by "small scale implementations"? How many users?

 

I have a customer with ~900 VPN users and I want to understand whether this solution will handle this.

 

Thanks in advance.

0 Kudos
Vladimir
Champion

Typically, organizations of that size invest in better integrated platforms for MFA.

That being said, there is no reason why it would not work for 900 users (please do read the comments of users pointing out changes to the paths I described, which reflect the newer version of FreeRADIUS).

-Vladimir

0 Kudos
Sandeep_sharma
Explorer

 

I have implemented MFA with Google Authenticator for 1200 domain users and it's working perfectly.

SNX and Endpoint Security VPN are both working perfectly!

RADIUS server setting in Check Point:

radius-setting.jpg

MFA setting:

mfa-setting.JPG

user-directory.JPG

Setup is FreeRADIUS installed with Google Authenticator following the link below:

https://www.petenetlive.com/KB/Article/0001256

vpn.JPG

RADIUS server auth logs:

auth.JPG

 

 

(1)
Itsecurity_Itse
Explorer

Hi Sandeep,

We are also trying to integrate G-Auth with Checkpoint but have not been successful after many attempts. Can you please help me with the Checkpoint configuration related to G-Auth and the FreeRADIUS server configuration? In my case we are using RHEL for FreeRADIUS.

Thanks.

Saurabh

0 Kudos
Praveena
Explorer

Is it possible to implement the same solution using Ubuntu 22.04/23.04? I tried the same steps but am getting an error.

0 Kudos
Fabian_Del_Camp
Explorer

Hello Praveena:

I believe I have the same problem. Did you solve the problem?

Regards,

Fabian

0 Kudos
PointOfChecking
Collaborator

Great Work Vladimir,

 

Just checking whether this document is still relevant in 2024 on R81.20?

Has Checkpoint finally made native support for Google Authenticator?

If not, does the document still work for the latest version of Ubuntu and its RADIUS server?

 

Also, I can't seem to understand how this syncs with LDAP to AD.

Can I use this without creating local IDs, as I purely want to use it for MFA for VPN users using Checkpoint Mobile?

 

Thanks!

 

0 Kudos
PhoneBoy
Admin

No "Native" support for Google Authenticator and this document should still apply.

0 Kudos
PointOfChecking
Collaborator

Thanks PhoneBoy,

 

How about linking with AD LDAP and using it purely for 2FA for Remote Access VPN?

0 Kudos
Vladimir
Champion

According to the post above by @Sandeep_sharma, it should work with AD LDAP as well. Please see his note about using updated FreeRADIUS installation instructions, and note his configuration for Check Point RADIUS in the screenshots.

This said, enough people are asking about it for me to update my document for newer versions of Ubuntu and FreeRADIUS. You should see it in about a month. I will try to do that and, perhaps, include integration with the Windows NPM server.

Vladimir

(1)
PointOfChecking
Collaborator

Kudos to you!  Champion by name Champion by nature!

Thank you for that.  I'll hold off on this project until your document is updated 😅

0 Kudos
PointOfChecking
Collaborator

Hey,

 

Following the PDF guide, but not able to do the radtest.

I'm getting the error:

(0) No reply from server for ID 128 socket 3

I notice I am receiving a strange IP for NAS-IP :

NAS-IP-Address = 127.0.1.1

 

BTW, I was unable to find the /etc/network/interfaces file, so I wasn't able to do the first part (not sure if related):

"Configuring Network Settings for Ubuntu Server"

I'm running the version below:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
Codename: noble

 

Thanks.

 

0 Kudos
Vladimir
Champion

As was mentioned earlier in this thread, later versions of Ubuntu and FreeRADIUS require different installation and configuration steps. I will post the updated document, or a link to one, using 24.04.1 LTS and FreeRADIUS 3.2.6.
