Re: MFA with Google Authenticator

Vladimir · ‎2018-02-08

This may come in handy for small scale implementations where RSA SecurID is too expensive of an option to consider.

rhapirou · ‎2018-02-09

This is a good thing ; thanks.

Cybersecurity Evangelist, CISSP, CCSA-CCAS-CCCS-CCTA

Vladimir · ‎2018-02-09

You are welcome:)

MikeB · ‎2018-02-15

Excellent contribution. Thank you very much Vladimir!

Claudio_Bolcato · ‎2018-05-16

It's very interesting. Is there any way to integrate it with Active directory / LDAP?

HeikoAnkenbrand · ‎2018-05-25

This is a very good and helpful documentation.

I will try it in a quiet minute in the LAB.

THX,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Vladimir · ‎2018-05-25

You are quite welcome.

I was kind-of hopeful that CP would provide native integration with 3rd party MFAs by now besides that of SecurID and/or not relying on sms.

Alas, we'll have to keep it on the wish list:)

Daniel_Moore · ‎2018-06-14

Agreed on the 3rd party MFA option being out of the box for Checkpoint. Integrity of authentication systems is critical. Checkpoint is positioned in the best place on networks for MFA system security.

Alex_Rozhko · ‎2018-06-22

Vladimir,

this is very cool document. Looks like you tested solution with Endpoint Client, will this work with SNX?

I have same question as Claudio: can it be integrated with LDAP/AD instead of creating local account on Radius server?

Vladimir · ‎2018-06-22

Alex,

Off the top of my head, no reason it shouldn't, likely requiring you to append the generated pin code to the password.

As to integration with LDAP/AD, I am afraid it'll not work. The whole solution hinges on manipulating accounts local to RADIUS. If you are looking at something better integrated, I believe you are venturing into RSA SECURID category.

I've just checked and they seem to discounted their offerings to a much more reasonable rates:

RSA SecurID Access Editions

SChalhoub · ‎2019-05-08

Excellent article.

schalhoub

Ilmo_Anttonen · ‎2019-06-12

Thanks for an excellent guide.

Since FreeRADIUS 3.0 you need to add /3.0/ to the path of radius and PAM related commands.

Example from guide: "sudo nano /etc/freeradius/radiusd.conf"

should now be sudo nano /etc/freeradius/3.0/radiusd.conf

Same with PAM.

----------------

Related question.
I want to use Google Authenticator to add 2FA for remote access users when they connect with Check Point Mobile for Windows VPN client. Currently they log on with AD credentials only.

Could someone point me in the right direction to get there?

Ilmo_Anttonen · ‎2019-06-12

I just noticed my question was already asked in previous comments. That's unfortunate if it doesn't work. The customer had a Cisco ASA using AnyConnect together with Microsoft MFA before they changed to CheckPoint and I was certain it should not be a biggie to make it work on CheckPoint since it was so simple on the ASA.. But Microsoft MFA doesn't run with CheckPoint without client certificates from what I understood so this is why I turned to the FreeRADIUS solution.. It's a small client so I don't think paying for RSA is an option. I have some explaining to do 🙂

Vladimir · ‎2019-06-12

@Ilmo_Anttonen , you can most definitely make it work with Azure MFA using NPS and NPS Extension for Azure MFA.

Please see the excellent article here for the non-vendor specific implementation: http://techgenix.com/azure-mfa-existing-vpn/

I probably was referring to the Google MFA in particular and even that has probably changed with time allowing for the integration with MS NPS (which is the MS free Radius service).

Regards,

Vladimir

Ilmo_Anttonen · ‎2019-06-13

Ok! Many thanks I will check it.

Jacky_Chen · ‎2019-07-15

That is so wonderful.

Alex- · ‎2020-01-31

This is a great guide and here is an important update for those who wish to use it.

If you use the latest LTS release of Ubuntu server (18.0.4) , you will have FreeRadius 3.0, and there is an issue in the PAM implementation, namely it's missing a symbolic link. After a bit of troubleshooting and Googling, I stumbled upon this:

https://enterpriseadmins.org/blog/virtualization/build-your-own-two-factor-authentication-server/

The solution described to manually add the symbolic link via the mentioned command and restart the FreeRadius service solved the issue and I have now RADIUS working on my new Ubuntu Server.

sudo ln -sf /etc/freeradius/3.0/mods-available/pam /etc/freeradius/3.0/mods-enabled/pam

This doesn't survive reboot, so depending of your implementation you will need to re-enter that command after each restart or find a way to automate it.

MartinTzvetanov · ‎2020-02-25

Hello @Vladimir ,

What do you mean by "small scale implementations" ? How many users?

I have a customer with ~900 vpn users and I want to understand this solution will handle this.

Thanks in advance.

Vladimir · ‎2020-02-25

Typically, organizations of that size invest in a better integrated platforms for MFA.

That being said, there is no reason why it would not work for 900 users (please do read the comments of users pointing out changes in the paths I have described that reflect new version of Free RADIUS).

-Vladimir

Sandeep_sharma · ‎2020-05-05

i have implemented MFA with Google Authenticator 1200 domain users & it's working perfectly.

SNX and endpoint security vpn both working perfectly!

Radius server setting in checkpoint

MFA setting

Setup is FREERADIUS installed with Google authenticator following below link

https://www.petenetlive.com/KB/Article/0001256

Radius server auth logs

Itsecurity_Itse · ‎2020-06-21

Hi Sandeep,

We also trying to integrate the G-Auth with Checkpoint but not successful after many attempts. Can you please help me with checkpoint configuration related to G-Auth and FreeRadius server configuration. In my case we are using RHEL OS for Free Radius.

Thanks.

Saurabh

Praveena · ‎2023-10-04

Is that possible to implement the same solution using ubuntu 22.04/23.04 version. I tried the same steps but getting error.

Fabian_Del_Camp · ‎2023-10-19

Hello Praveena:

I believe I have the same problem. Do you solve the problem?

Regards,

Fabian

PointOfChecking · ‎2024-09-16

Great Work Vladimir,

Just checking whether this document is still relevant in 2024 on R81.20?

Has Checkpoint finally made native support for Google Authenticator?

If not, does the document still work for the latest version of Ubuntu and it's RADIUS server?

Also, I can't seem to understand how this syncs with LDAP to AD.

Can I use this without creating local IDs?, as I purely want to use it for MFA for VPN users using Checkpoint Mobile.

Thanks!

PhoneBoy · ‎2024-09-16

No "Native" support for Google Authenticator and this document should still apply.

PointOfChecking · ‎2024-09-17

Thanks PhoneBoy,

How about linking with AD LDAP and using purely for 2FA for Remote Access VPN?

Vladimir · ‎2024-09-17

According to the post above by @Sandeep_sharma, it should work in with AD LDAP as well. Please see his note about using updated FreeRADIUS installation instructions and note his configuration for Check Point RADIUS in screenshots.

This said, enough people asking about it for me to update my document for newer versions of Ubuntu and FreeRADIUS. You should see it in about a months. I will try to do that and, perhaps, include integration with Windows NPM server.

Vladimir

PointOfChecking · ‎2024-09-18

Kudos to you! Champion by name Champion by nature!

Thank you for that. I'll hold off on this project until your document is updated 😅

PointOfChecking · ‎2024-09-23

Hey,

Following the PDF guide, but not able to do the radtest.

I'm getting the error:

(0) No reply from server for ID 128 socket 3

I notice I am receiving a strange IP for NAS-IP :

NAS-IP-Address = 127.0.1.1

BTW, I was unable to find the /etc/network/interfaces file, so wasn't able to do the first part (not sure if related):

"Configuring Network Settings for Ubuntu Server"

I'm running below version:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
Codename: noble

Thanks.

Vladimir · ‎2024-09-23

As was mentioned earlier in this thread, later versions of Ubuntu and FreeRadius require different installation and configuration steps. I will post the updated document or the link to one using 24.04.1 LTS and 3.2.6. FreeRadius.

Are you a member of CheckMates?

MFA with Google Authenticator