This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bill_Ng
Collaborator
‎2019-07-02 06:55 AM
Jump to solution

SmartDashboard MFA authentication

Is it possible to setup MFA access to SmartDashboard?  We would like to validate user with LDAP and then have RSA or DUO auth.  I was thinking of using TACACS to handle the the MFA.  Any suggestions are welcomed.

Thanks,

Bill

0 Kudos
1 Solution

Accepted Solutions
Bill_Ng
Collaborator
‎2019-07-26 05:21 AM
In response to Bill_Ng
Jump to solution

I was successful in setting up the MFA for SmartConsole with DUO.  I utilized the DUO authentication proxy.  I had to setup the RADIUS on the SmartConsole to point to the proxy.  The proxy checks our AD credentials first.  If the AD credentials pass, then the proxy will then utilize DUO for the second factor.  I tested DUO with the push of ACCEPT or DENY to my mobile.  Once accepted the console let me right on in.

Below is the link I followed to set it up.

https://duo.com/docs/radius

Hope that helps! 

View solution in original post

0 Kudos
8 Replies
Daniel_Taney
Advisor
‎2019-07-02 07:29 AM
Jump to solution

The easiest way is probably proxying whatever your choice of MFA authentication is through RADIUS. We do this with RSA here and I know DUO has an option for an on-prem virtual appliance to allow RADIUS.

Once that is set up, you just need to add the RADIUS server in SmartConsole. Then, configure your administrators in SmartConsole to use RADIUS as their Authentication Method and select the RADIUS server you configured. Do an "Install Database" and you should be good to go!

R80 CCSA / CCSE
0 Kudos
Bill_Ng
Collaborator
‎2019-07-02 07:55 AM
In response to Daniel_Taney
Jump to solution

Thanks Daniel. Will the setup you suggested allow for LDAP Auth as first factor then do RSA/DUO as the second factor? I was under the impression that RADIUS only does single factor. Been a while since I dealt with RADIUS. 🙂
0 Kudos
Daniel_Taney
Advisor
‎2019-07-02 09:48 AM
In response to Bill_Ng
Jump to solution

Actually, that's a really good point and I glossed over the in your OP. I guess the answer is... no, it won't. It would allow you to use RSA/DUO as the primary authentication method. (Which was how I had misread your original quesiton). To that end, I'm honestly not 100% sure how that scenario might be accomplished. Sorry for the confusion 😞 

R80 CCSA / CCSE
0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-02 09:54 AM
Jump to solution

You can only consult one authentication method for administrator users.
Potentially, that one authentication method can support multiple passwords (e.g. a fixed portion plus a changing PIN), which is certainly possible with SecurID, but there is only one password prompt (not multiple), so both would be entered concatenated.
Bill_Ng
Collaborator
‎2019-07-05 05:09 AM
In response to PhoneBoy
Jump to solution

Thanks Phoneboy,

I would be fine with the one authentication method and one password prompt.  I figure the authentication method (RADIUS, TACACs) could then provide the 2nd authentication piece.  In this case we ask for LDAP credentials for password prompt.  When the password is authenticated, then a DUO push to mobile device.  Not sure if a RADIUS proxy or TACACs could provide something like that.

0 Kudos
Bill_Ng
Collaborator
‎2019-07-26 05:21 AM
In response to Bill_Ng
Jump to solution

I was successful in setting up the MFA for SmartConsole with DUO.  I utilized the DUO authentication proxy.  I had to setup the RADIUS on the SmartConsole to point to the proxy.  The proxy checks our AD credentials first.  If the AD credentials pass, then the proxy will then utilize DUO for the second factor.  I tested DUO with the push of ACCEPT or DENY to my mobile.  Once accepted the console let me right on in.

Below is the link I followed to set it up.

https://duo.com/docs/radius

Hope that helps! 

0 Kudos
Nischit
Contributor
‎2020-04-06 04:00 AM
In response to Bill_Ng
Jump to solution

Hi Everyone, 

We use our 2FA (DUO) as our authentication proxy which is working as the radius. This DUO is synced with AD for authentication. I have enabled mobile access and in my case, VPN traffic first comes to a gateway ---> Radius (Duo)----> AD and I am able to connect to the VPN.


What if I want to provide access to the users, based on AD users? I won't be able to do it, right? As I have pointed my authentication server as the radius so, the checkpoint is not synced with the AD and it doesn't have the AD users to allow it in the policy.


0 Kudos
Nischit
Contributor
‎2020-04-06 04:13 AM
In response to Nischit
Jump to solution

Hi Everyone,

Got the solution from this video posted in the Community  😊

 https://community.checkpoint.com/t5/How-To-Videos/Check-Point-Mobile-Access-with-Duo-2FA-Authenticat...

Thanks a lot!


0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events