Vladimir
Pearl

MFA with Google Authenticator

This may come in handy for small scale implementations where RSA SecurID is too expensive of an option to consider.

15 Replies
XBensemhoun
Silver

Re: MFA with Google Authenticator

This is a good thing; thanks.

0 Kudos
Vladimir
Pearl

Re: MFA with Google Authenticator

You are welcome:)

Re: MFA with Google Authenticator

Excellent contribution. Thank you very much Vladimir!

Re: MFA with Google Authenticator

It's very interesting. Is there any way to integrate it with Active Directory / LDAP?

Re: MFA with Google Authenticator

This is a very good and helpful documentation.

I will try it in a quiet minute in the LAB.

THX,

Heiko

0 Kudos
Vladimir
Pearl

Re: MFA with Google Authenticator

You are quite welcome.

I was kind of hopeful that CP would provide native integration with 3rd party MFAs by now besides that of SecurID and/or not relying on SMS.

Alas, we'll have to keep it on the wish list:)

0 Kudos

Re: MFA with Google Authenticator

Agreed on the 3rd party MFA option being out of the box for Check Point. Integrity of authentication systems is critical. Check Point is positioned in the best place on networks for MFA system security.

0 Kudos
Employee+

Re: MFA with Google Authenticator

Vladimir,

this is a very cool document. Looks like you tested the solution with Endpoint Client; will this work with SNX?

I have the same question as Claudio: can it be integrated with LDAP/AD instead of creating a local account on the RADIUS server?

Vladimir
Pearl

Re: MFA with Google Authenticator

Alex,

Off the top of my head, no reason it shouldn't, likely requiring you to append the generated pin code to the password.

As to integration with LDAP/AD, I am afraid it'll not work. The whole solution hinges on manipulating accounts local to RADIUS. If you are looking at something better integrated, I believe you are venturing into RSA SECURID category.

I've just checked and they seem to have discounted their offerings to much more reasonable rates:

RSA SecurID Access Editions 

Re: MFA with Google Authenticator

Excellent article. 

schalhoub

Re: MFA with Google Authenticator

Thanks for an excellent guide. 

Since FreeRADIUS 3.0 you need to add /3.0/ to the path of radius and PAM related commands.

Example from guide: "sudo nano /etc/freeradius/radiusd.conf"

should now be "sudo nano /etc/freeradius/3.0/radiusd.conf"

Same with PAM.

----------------

Related question.
I want to use Google Authenticator to add 2FA for remote access users when they connect with Check Point Mobile for Windows VPN client. Currently they log on with AD credentials only.

Could someone point me in the right direction to get there?

Re: MFA with Google Authenticator

I just noticed my question was already asked in previous comments. That's unfortunate if it doesn't work. The customer had a Cisco ASA using AnyConnect together with Microsoft MFA before they changed to Check Point, and I was certain it should not be a biggie to make it work on Check Point since it was so simple on the ASA. But Microsoft MFA doesn't run with Check Point without client certificates, from what I understood, so this is why I turned to the FreeRADIUS solution. It's a small client so I don't think paying for RSA is an option. I have some explaining to do 🙂

0 Kudos
Vladimir
Pearl

Re: MFA with Google Authenticator

@Ilmo_Anttonen, you can most definitely make it work with Azure MFA using NPS and NPS Extension for Azure MFA.

Please see the excellent article here for the non-vendor specific implementation: http://techgenix.com/azure-mfa-existing-vpn/

I probably was referring to the Google MFA in particular and even that has probably changed with time, allowing for the integration with MS NPS (which is the MS free RADIUS service).

Regards,

Vladimir

Re: MFA with Google Authenticator

Ok! Many thanks, I will check it.

0 Kudos

Re: MFA with Google Authenticator

That is so wonderful.
0 Kudos