
Technology Partner News: Okta MFA for Check Point

Happy to say that Okta has an Okta-certified RADIUS app and posted the integration guide with Check Point on their website. A RADIUS integration is perhaps a small thing, but one thing notable about the integration is this authentication setting: Accept password and security token in the same login request. When MFA is required in the Okta policy and this is enabled, then a user must add a comma to the end of their password, followed by their second factor keyword (such as a One-Time-Password from their Okta Verify app).

This is helpful in some Check Point cases where we don't support RADIUS access-challenge requests following the initial access-request to the RADIUS server. When there is an access-challenge, then our software needs to handle this in an interactive exchange with the user like in this example from our Remote Access VPN client.

Not all of our clients support this.

Client            Supports Challenge-Response
----------------  ---------------------------
Remote Access     Yes
Mobile Access     Yes
Captive Portal    Yes, in R80.20
SmartConsole      No
Gaia OS           No

For those cases where you want MFA and our software doesn't currently support access-challenge, this is a convenient way to do MFA by adding the second factor to the initial access-request to the RADIUS server.
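To make the two modes concrete, here is an added example (my own code, not from the original post and not Okta's or Check Point's implementation) of the RADIUS exchange the post describes: an RFC 2865 Access-Request whose User-Password carries "<password>,<OTP>" in the single-request form, and a mock agent that splits the two factors and answers Access-Accept, Access-Reject, or Access-Challenge when the second factor is missing. The shared secret, user list and OTP are constructed test values, the mock agent is a stand-in for the Okta RADIUS agent, and the PAP password hiding, the 128-octet User-Password cap and the Response Authenticator are the RFC 2865 definitions.

```python
"""Added example: RFC 2865 PAP Access-Request with "password,OTP" in User-Password
(Okta's "Accept password and security token in the same login request" convention)
and a mock agent that splits the factors. All secrets/users/OTPs are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block), chaining from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide. A wrong shared secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(user, password, otp, secret, ident=1, authenticator=None):
    """Single-request MFA: the second factor is appended to the password after a comma."""
    authenticator = authenticator or os.urandom(16)
    combined = password.encode() if otp is None else f"{password},{otp}".encode()
    if len(combined) > 128:  # RFC 2865 caps User-Password at 128 octets
        raise ValueError("password,OTP exceeds 128 octets")
    attrs = attr(ATTR_USER_NAME, user.encode())
    attrs += attr(ATTR_USER_PASSWORD, pap_hide(combined, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = pkt[pos], pkt[pos + 1]
        attrs[kind] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def split_factors(user_password: str):
    """Split on the LAST comma so a password that itself contains commas survives."""
    if "," not in user_password:
        return user_password, None
    pw, _, token = user_password.rpartition(",")
    return pw, token


def build_response(code, ident, req_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def mock_agent(pkt, secret, users, valid_otp, single_request=True):
    """Stand-in for the Okta RADIUS agent (hypothetical); returns the response packet."""
    code, ident, req_auth, attrs = parse(pkt)
    if code != ACCESS_REQUEST:
        return build_response(ACCESS_REJECT, ident, req_auth, secret)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    revealed = pap_reveal(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    revealed = revealed.decode(errors="replace")
    password, token = split_factors(revealed) if single_request else (revealed, None)
    if users.get(user) != password:
        return build_response(ACCESS_REJECT, ident, req_auth, secret)
    if token is None:  # challenge-response mode: ask for the second factor separately
        return build_response(ACCESS_CHALLENGE, ident, req_auth, secret,
                              attr(ATTR_REPLY_MESSAGE, b"Enter Okta Verify code"))
    return build_response(ACCESS_ACCEPT if token == valid_otp else ACCESS_REJECT,
                          ident, req_auth, secret)


SECRET = b"constructed-shared-secret"  # constructed test value
USERS = {"alice@example.com": "c0rrect,h0rse",  # constructed; note the comma
         "bob@example.com": "battery-staple"}
OTP = "123456"  # constructed Okta Verify code


def demo(secret_on_agent: bytes = SECRET) -> dict:
    """Agent response codes for: good password+OTP, wrong OTP, and no OTP at all."""
    cases = {"good": ("alice@example.com", "c0rrect,h0rse", OTP),
             "bad_otp": ("alice@example.com", "c0rrect,h0rse", "000000"),
             "no_otp": ("bob@example.com", "battery-staple", None)}
    return {name: mock_agent(build_access_request(u, p, o, SECRET),
                             secret_on_agent, USERS, OTP)[0]
            for name, (u, p, o) in cases.items()}


if __name__ == "__main__":
    print(demo())                      # {'good': 2, 'bad_otp': 3, 'no_otp': 11}
    print(demo(b"mismatched-secret"))  # {'good': 3, 'bad_otp': 3, 'no_otp': 3}
```

The second call is the point worth remembering when debugging a setup like the one in this thread: PAP hiding is not authenticated, so when the gateway and the agent disagree on the shared secret the agent simply recovers garbage, sees a wrong password, and rejects. The gateway, in turn, cannot verify the Response Authenticator of that reply, and RFC 2865 says such a response must be silently discarded, so neither side logs anything more specific than a failed login or a server that did not respond. Confirming the secret bytes match exactly on both ends is a cheap first check.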

10 Replies
Admin

Re: Technology Partner News: Okta MFA for Check Point

Funny thing is I remember working with some folks at Okta on this some time ago.

Glad to see it's a formally supported/documented thing now :)


Re: Technology Partner News: Okta MFA for Check Point

Somehow I knew you had a hand in this 😉 Thanks Dameon.


Re: Technology Partner News: Okta MFA for Check Point

Has anyone been able to get this to work? I'm struggling with it.  Any help would be greatly appreciated.


Re: Technology Partner News: Okta MFA for Check Point

What problems are you running into? Anything unique about your configuration? thanks, bob


Re: Technology Partner News: Okta MFA for Check Point

Just get unknown user in the CP logs with any credentials that I input. No logs are generated on the Okta side unless I use an invalid user that is not in Okta. Nothing unique as far as configuration.


Re: Technology Partner News: Okta MFA for Check Point

Do you see the access-request in a tcpdump from CHKP to the Okta RADIUS agent? What CHKP client are you trying to login with?


Re: Technology Partner News: Okta MFA for Check Point

Interesting discovery with the tcpdump. If I use a user account that is local to the Check Point user database I see the RADIUS request and of course that fails because it's not in Okta. However, if I use an Okta username, I see an LDAP request and no RADIUS... Using version E80.82 of the VPN endpoint client.


Re: Technology Partner News: Okta MFA for Check Point

That helps, so something in the CHKP configuration needs to be tweaked. To be sure the CHKP-Okta piece works, you can always set RADIUS as the auth method in the user object where the user also exists in Okta. Not scalable, but sometimes it's nice to see something works 😉

To simplify things you may want to ignore RADIUS user group part of the Okta docs and check your External User Profile settings.

.............

6. Navigate to SECURITY POLICIES and select Access Control. This displays Access Tools VPN Communities. Click on VPN Communities. Double click to open the RemoteAccess community and add the gateway object.

7. Click Participant User Groups and accept the default All Users.
8. Click OK to save the settings.
9. The option to create an External User Profile (generic*) is only available using the legacy SmartConsole Client. To launch legacy SmartDashboard go under "Manage & Settings" and select the "Configure in SmartDashboard" for the Mobile Access option

10. In the lower left corner click on the Users object. Right click on External User profile and select New External User profile -> Match all users.

11. Click Authentication and select RADIUS as the authentication scheme. Select the RADIUS server configured above, for example MyRADIUS.


Re: Technology Partner News: Okta MFA for Check Point

9-11 has got me further... I'm seeing it hit Okta now, but for some reason it still fails. Check Point states "radius servers not responding" and Okta states "authentication of user via radius: login failed". Not much detail. Maybe I'll open a case with them and see what they have to say as well.


Re: Technology Partner News: Okta MFA for Check Point

Finally got it working. For the heck of it I decided to try changing the RADIUS secret and then it worked... Not sure if they have limitations on characters or what, but I made it simpler. Thanks for your assistance.