PJ_WONG
Contributor

Adding certificate as MFA authentication for Remote Access VPN

Hi CheckMates,

I need some help with setting up Remote Access VPN using certificate-based MFA together with AD username/password.

Currently, my environment has Check Point integrated with Active Directory, and Remote Access VPN is working fine with just username/password authentication from AD.

Now, I want to add certificate authentication as a second factor. Here’s what I’ve tried so far:

  1. Used the enrollment key for the client to enroll for a certificate.

  2. Used cpca_client create_cert to generate a .p12 certificate and imported it manually.

Both methods work only for SmartConsole internal users, but not for AD users.

So my questions are:

  • Do I need to set up AD Certificate Services (CA) to make this work with AD users? If yes, how would that integrate?

  • Is there any additional configuration needed on the Check Point side to enable certificate + AD username/password for VPN users?

Thank you in advance for any guidance!

 

0 Kudos
5 Replies
_Val_
Admin

If you mean adding machine certificate, it is well documented in the admin guide, for example: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

If something else, please elaborate

0 Kudos
PhoneBoy
Admin

We would treat AD Certificates the same way we handle any other third party PKI.
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... 

And yes, you need to configure multiple authentication factors (I believe certificates must always be first).
This is also in the same documentation.

0 Kudos
PJ_WONG
Contributor

Thanks for the guide. So for the AD user to connect with certificate + username/password, I will need to generate a CSR to send to AD to sign first.

The guide does not mention how the certificate should be distributed, so am I correct to assume that the certificate will be issued and distributed by the AD Certificate Services? Then the user will use this certificate along with their AD credentials to connect to the VPN?

0 Kudos
PhoneBoy
Admin

That's the whole point of using a third party PKI: we're not involved in certificate distribution.
However, the infrastructure (including end users) will need to be able to validate their certificates.
This means for Remote Access purposes, it may be necessary to permit access to the CRL/OCSP of the relevant CA infrastructure.

0 Kudos
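The reachability point above, as an added example that is not part of the thread and not Check Point's own tooling: before permitting "the CRL/OCSP of the relevant CA infrastructure" in the rulebase, an administrator needs to know which addresses a client certificate actually points at, and then confirm that revocation checking works with the CRL fetched from there. The script below reads those endpoints out of a PEM certificate and verifies the certificate against the CA with CRL checking. It assumes only the openssl command line (1.1.1 or later); the file names are whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from this thread or from Check Point's documentation).
# Given a PEM client certificate issued by a third-party CA (for example
# AD Certificate Services), list the revocation endpoints it references
# and verify it against the CA with revocation checking enabled.
# Assumes the openssl CLI (1.1.1 or later) is installed.

# Print the OCSP responder URL(s) from the certificate's Authority
# Information Access extension, one per line (nothing if absent).
cert_ocsp_uris() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Print the CRL distribution point URIs from the certificate's
# crlDistributionPoints extension, one per line (nothing if absent).
cert_crl_uris() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
        | grep -o 'URI:[^[:space:]]*' | sed 's/^URI://'
}

# Verify a client certificate against the CA certificate with CRL checking.
# Exit status 0 means the chain is valid and the certificate is not listed
# in the supplied CRL; non-zero means the gateway should reject it.
# The CRL file is the one downloaded from the URI printed above.
verify_with_crl() {
    ca="$1"; crl="$2"; cert="$3"
    openssl verify -crl_check -CAfile "$ca" -CRLfile "$crl" "$cert" >/dev/null 2>&1
}

# Print both kinds of endpoint for a certificate, so the destinations can
# be permitted for the gateway and for Remote Access clients before the
# certificate factor is switched on.
list_revocation_endpoints() {
    cert="$1"
    echo "CRL distribution points:"
    cert_crl_uris "$cert"
    echo "OCSP responders:"
    cert_ocsp_uris "$cert"
}

# Usage: sh this_script.sh client.pem
if [ "$#" -ge 1 ]; then
    list_revocation_endpoints "$1"
fi
```

Nothing here talks to the network: `verify_with_crl` checks against a CRL you have already fetched, so running it from the gateway's management network is also a quick test that the CRL distribution point is actually reachable through the path you permitted. OCSP is a live query rather than a file, so the OCSP URL is listed for the rulebase but is not exercised by this script.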
HienTM
Participant

Dear PJ_Wong and CheckMates

Could you please elaborate on your solution for 2FA for internal users (certificate + username/password)? We also want to set up this feature in our environment but are not quite sure about the settings needed.

- Our environment is quite small (about 60 internal users) and we are running 81.20. Currently for Remote Access VPN we use single factor (legacy) with username/password.

- Our Gateway Cluster property for VPN Client/Authentication setting is as below, and all users need only username and password to login for both older and newer version of Endpoint Security VPN clients.

[Screenshot: current settings.jpg]

Our intention is to generate p12 certificates and distribute them to users. But first we want to test 2FA (certificate and username/password) for some test users, and at the same time let the rest of the users continue with only username and password.

My questions are:

1. What we need to change in this VPN Client/Authentication settings to facilitate 2FA? We understand that we may need to add some method(s) under "Multiple Authentication Clients Settings" (3 options available: Cert_Username_Password, Personal_Certificate, Username_Password).

2. If we add the options above, would it affect users who still need to use only username and password to log in? We don't have a test environment, so we need to make sure the system still works for normal users during the test.

3. What settings do we need to make in the user properties for each user in the 2FA test group (like the Encryption setting)?

We already went through the "R81.20 Remote Access VPN Administration Guide", but the info is quite confusing for us (we are not Check Point specialists and our IT team is small). Since you successfully configured a similar 2FA system, it would be great if you could give us some direction.

Thank you CheckMates,

Hien

0 Kudos
