Champion

MFA with Google Authenticator

This may come in handy for small scale implementations where RSA SecurID is too expensive of an option to consider.

20 Replies
Advisor

This is a good thing; thanks.

Champion

You are welcome :)

Advisor

Excellent contribution. Thank you very much Vladimir!

Contributor

It's very interesting. Is there any way to integrate it with Active Directory / LDAP?


This is very good and helpful documentation.

I will try it in a quiet minute in the LAB.

THX,

Heiko

Champion

You are quite welcome.

I was kind of hopeful that CP would provide native integration with 3rd-party MFAs by now, besides that of SecurID, and/or not relying on SMS.

Alas, we'll have to keep it on the wish list :)

Contributor

Agreed on the 3rd-party MFA option being out of the box for Check Point. Integrity of authentication systems is critical. Check Point is positioned in the best place on networks for MFA system security.

Employee+

Vladimir,

this is a very cool document. It looks like you tested the solution with the Endpoint Client; will this work with SNX?

I have the same question as Claudio: can it be integrated with LDAP/AD instead of creating local accounts on the RADIUS server?

Champion

Alex,

Off the top of my head, there is no reason it shouldn't, though it will likely require you to append the generated PIN code to the password.

As to integration with LDAP/AD, I am afraid it will not work. The whole solution hinges on manipulating accounts local to RADIUS. If you are looking at something better integrated, I believe you are venturing into the RSA SecurID category.

I've just checked and they seem to have discounted their offerings to much more reasonable rates:

RSA SecurID Access Editions

Participant

Excellent article.

schalhoub
Collaborator

Thanks for an excellent guide.

Since FreeRADIUS 3.0 you need to add /3.0/ to the path of RADIUS- and PAM-related commands.

Example from the guide: "sudo nano /etc/freeradius/radiusd.conf"

should now be "sudo nano /etc/freeradius/3.0/radiusd.conf"

Same with PAM.

----------------

Related question.
I want to use Google Authenticator to add 2FA for remote access users when they connect with Check Point Mobile for Windows VPN client. Currently they log on with AD credentials only.

Could someone point me in the right direction to get there?

Collaborator

I just noticed my question was already asked in previous comments. That's unfortunate if it doesn't work. The customer had a Cisco ASA using AnyConnect together with Microsoft MFA before they changed to Check Point, and I was certain it should not be a biggie to make it work on Check Point since it was so simple on the ASA. But Microsoft MFA doesn't run with Check Point without client certificates, from what I understood, so this is why I turned to the FreeRADIUS solution. It's a small client, so I don't think paying for RSA is an option. I have some explaining to do 🙂

Champion

@Ilmo_Anttonen, you can most definitely make it work with Azure MFA using NPS and the NPS Extension for Azure MFA.

Please see the excellent article here for the non-vendor-specific implementation: http://techgenix.com/azure-mfa-existing-vpn/

I probably was referring to the Google MFA in particular, and even that has probably changed with time, allowing for integration with MS NPS (which is Microsoft's free RADIUS service).

Regards,

Vladimir

Collaborator

Ok! Many thanks, I will check it.

Participant

That is so wonderful.
Advisor

This is a great guide and here is an important update for those who wish to use it.

If you use the latest LTS release of Ubuntu Server (18.0.4), you will have FreeRADIUS 3.0, and there is an issue in the PAM implementation, namely it's missing a symbolic link. After a bit of troubleshooting and Googling, I stumbled upon this:

https://enterpriseadmins.org/blog/virtualization/build-your-own-two-factor-authentication-server/

The solution described there, manually adding the symbolic link via the command below and restarting the FreeRADIUS service, solved the issue, and I now have RADIUS working on my new Ubuntu Server.

sudo ln -sf /etc/freeradius/3.0/mods-available/pam /etc/freeradius/3.0/mods-enabled/pam
This doesn't survive reboot, so depending on your implementation you will need to re-enter that command after each restart or find a way to automate it.

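One way to automate the check that the comment above leaves to the reader (an added example, not code from the thread or the guide): a POSIX shell function that creates the mods-enabled/pam symlink idempotently and verifies it, so it can run from a cron @reboot line or a boot-time unit instead of being re-typed by hand. The /etc/freeradius/3.0 paths are the ones quoted above; the FR_DIR override and the "freeradius" service name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: ensure the FreeRADIUS 3.0 PAM module
# symlink exists and is correct before (re)starting the service.
# FR_DIR defaults to the path quoted in the thread; override it for testing.
FR_DIR="${FR_DIR:-/etc/freeradius/3.0}"

# Prints "ok", "missing" or "wrong" describing mods-enabled/pam.
pam_link_state() {
    _avail="$FR_DIR/mods-available/pam"
    _enabled="$FR_DIR/mods-enabled/pam"
    if [ ! -L "$_enabled" ]; then
        echo "missing"
    elif [ "$(readlink "$_enabled")" = "$_avail" ]; then
        echo "ok"
    else
        echo "wrong"
    fi
}

# Idempotently (re)create the symlink. Returns 0 when it is correct afterwards,
# 1 when mods-available/pam does not exist (module not installed) or ln fails.
ensure_pam_link() {
    _avail="$FR_DIR/mods-available/pam"
    _enabled="$FR_DIR/mods-enabled/pam"
    if [ ! -f "$_avail" ]; then
        echo "error: $_avail not found; is freeradius installed?" >&2
        return 1
    fi
    case "$(pam_link_state)" in
        ok) echo "ok: $_enabled already points to $_avail"; return 0 ;;
        missing|wrong)
            mkdir -p "$FR_DIR/mods-enabled" || return 1
            # -f replaces a dangling or wrong link instead of failing on it
            ln -sf "$_avail" "$_enabled" || return 1
            echo "fixed: $_enabled -> $_avail"
            ;;
    esac
    [ "$(pam_link_state)" = "ok" ]
}

# Run with --run (e.g. from cron @reboot or a systemd unit) to repair the link
# and restart the service. The service name "freeradius" is an assumption.
case "${1:-}" in
    --run) ensure_pam_link && systemctl restart freeradius ;;
esac
```

Sourcing the file without --run only defines the functions, so the same script doubles as a monitoring check (pam_link_state) for the symlink.
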
Contributor

Hello @Vladimir,

What do you mean by "small scale implementations"? How many users?

I have a customer with ~900 VPN users and I want to understand whether this solution will handle this.

Thanks in advance.

Champion

Typically, organizations of that size invest in better-integrated platforms for MFA.

That being said, there is no reason why it would not work for 900 users (please do read the comments of users pointing out changes to the paths I have described that reflect the new version of FreeRADIUS).

-Vladimir

Explorer

I have implemented MFA with Google Authenticator for 1200 domain users & it's working perfectly.

SNX and endpoint security vpn both working perfectly!

RADIUS server setting in Check Point

radius-setting.jpg

MFA setting

mfa-setting.JPG

user-directory.JPG

Setup is FreeRADIUS installed with Google Authenticator following the link below

https://www.petenetlive.com/KB/Article/0001256

vpn.JPG

RADIUS server auth logs

auth.JPG

Hi Sandeep,

We are also trying to integrate G-Auth with Check Point but have not been successful after many attempts. Can you please help me with the Check Point configuration related to G-Auth and the FreeRADIUS server configuration? In my case we are using RHEL OS for FreeRADIUS.

Thanks.

Saurabh
