Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Bill_Ng
Collaborator
Jump to solution

SmartDashboard MFA authentication

Is it possible to setup MFA access to SmartDashboard?  We would like to validate user with LDAP and then have RSA or DUO auth.  I was thinking of using TACACS to handle the the MFA.  Any suggestions are welcomed.

Thanks,

Bill

0 Kudos
1 Solution

Accepted Solutions
Bill_Ng
Collaborator

I was successful in setting up the MFA for SmartConsole with DUO.  I utilized the DUO authentication proxy.  I had to setup the RADIUS on the SmartConsole to point to the proxy.  The proxy checks our AD credentials first.  If the AD credentials pass, then the proxy will then utilize DUO for the second factor.  I tested DUO with the push of ACCEPT or DENY to my mobile.  Once accepted the console let me right on in.

Below is the link I followed to set it up.

https://duo.com/docs/radius

Hope that helps! 

View solution in original post

0 Kudos
8 Replies
Daniel_Taney
Advisor

The easiest way is probably proxying whatever your choice of MFA authentication is through RADIUS. We do this with RSA here and I know DUO has an option for an on-prem virtual appliance to allow RADIUS.

Once that is set up, you just need to add the RADIUS server in SmartConsole. Then, configure your administrators in SmartConsole to use RADIUS as their Authentication Method and select the RADIUS server you configured. Do an "Install Database" and you should be good to go!

R80 CCSA / CCSE
0 Kudos
Bill_Ng
Collaborator
Thanks Daniel. Will the setup you suggested allow for LDAP Auth as first factor then do RSA/DUO as the second factor? I was under the impression that RADIUS only does single factor. Been a while since I dealt with RADIUS. 🙂
0 Kudos
Daniel_Taney
Advisor

Actually, that's a really good point and I glossed over the in your OP. I guess the answer is... no, it won't. It would allow you to use RSA/DUO as the primary authentication method. (Which was how I had misread your original quesiton). To that end, I'm honestly not 100% sure how that scenario might be accomplished. Sorry for the confusion 😞 

R80 CCSA / CCSE
0 Kudos
PhoneBoy
Admin
Admin
You can only consult one authentication method for administrator users.
Potentially, that one authentication method can support multiple passwords (e.g. a fixed portion plus a changing PIN), which is certainly possible with SecurID, but there is only one password prompt (not multiple), so both would be entered concatenated.
Bill_Ng
Collaborator

Thanks Phoneboy,

I would be fine with the one authentication method and one password prompt.  I figure the authentication method (RADIUS, TACACs) could then provide the 2nd authentication piece.  In this case we ask for LDAP credentials for password prompt.  When the password is authenticated, then a DUO push to mobile device.  Not sure if a RADIUS proxy or TACACs could provide something like that.

0 Kudos
Bill_Ng
Collaborator

I was successful in setting up the MFA for SmartConsole with DUO.  I utilized the DUO authentication proxy.  I had to setup the RADIUS on the SmartConsole to point to the proxy.  The proxy checks our AD credentials first.  If the AD credentials pass, then the proxy will then utilize DUO for the second factor.  I tested DUO with the push of ACCEPT or DENY to my mobile.  Once accepted the console let me right on in.

Below is the link I followed to set it up.

https://duo.com/docs/radius

Hope that helps! 

0 Kudos
Nischit
Contributor

Hi Everyone, 

We use our 2FA (DUO) as our authentication proxy which is working as the radius. This DUO is synced with AD for authentication. I have enabled mobile access and in my case, VPN traffic first comes to a gateway ---> Radius (Duo)----> AD and I am able to connect to the VPN.


What if I want to provide access to the users, based on AD users? I won't be able to do it, right? As I have pointed my authentication server as the radius so, the checkpoint is not synced with the AD and it doesn't have the AD users to allow it in the policy.


0 Kudos
Nischit
Contributor

Hi Everyone,

Got the solution from this video posted in the Community  😊

 https://community.checkpoint.com/t5/How-To-Videos/Check-Point-Mobile-Access-with-Duo-2FA-Authenticat...

Thanks a lot!


0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events