PJ_WONG
Contributor

Adding certificate as MFA authentication for Remote Access VPN

Hi CheckMates,

I need some help with setting up Remote Access VPN using certificate-based MFA together with AD username/password.

Currently, my environment has Check Point integrated with Active Directory, and Remote Access VPN is working fine with just username/password authentication from AD.

Now, I want to add certificate authentication as a second factor. Here’s what I’ve tried so far:

  1. Used the enrollment key for the client to enroll for a certificate.

  2. Used cpca_client create_cert to generate a .p12 certificate and imported it manually.

Both methods work only for SmartConsole internal users, but not for AD users.

So my questions are:

  • Do I need to set up AD Certificate Services (CA) to make this work with AD users? If yes, how would that integrate?

  • Is there any additional configuration needed on the Check Point side to enable certificate + AD username/password for VPN users?

Thank you in advance for any guidance!


4 Replies
_Val_
Admin

If you mean adding a machine certificate, it is well documented in the admin guide, for example: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...


If something else, please elaborate.

PhoneBoy
Admin

We would treat AD Certificates the same way we handle any other third party PKI.
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... 

And yes, you need to configure multiple authentication factors (I believe certificates must always be first).
This is also in the same documentation.

PJ_WONG
Contributor

Thanks for the guide. So for the AD user to connect with certificate + username/password, I will need to generate a CSR to send to AD to sign first.

The guide does not mention how the certificate should be distributed, so am I correct to assume that the certificate will be issued and distributed by the AD Certificate Services? Then the user will use this certificate along with their AD credentials to connect to the VPN?

PhoneBoy
Admin

That's the whole point of using a third party PKI: we're not involved in certificate distribution.
However, the infrastructure (including end users) will need to be able to validate their certificates.
This means for Remote Access purposes, it may be necessary to permit access to the CRL/OCSP of the relevant CA infrastructure.

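As an added illustration of the last answer (example code, not from the thread or from Check Point's documentation), the Go program below does what "validate their certificates" comes down to for a third-party PKI: it chains a user certificate to the trusted CA and reads the CRL and OCSP URLs the certificate advertises, which are exactly the destinations the gateway and the remote clients need to be allowed to reach. The "AD CS" root, the user name and the URLs are constructed placeholders built in-process, not real hosts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BuildDemoChain constructs a stand-in for an AD CS root plus one user certificate.
// The CA name and the CDP/AIA URLs below are constructed placeholders, not real hosts.
func BuildDemoChain() (ca, user *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now().Add(-time.Minute)
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed AD CS Root"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey) // self-signed root
	ca, _ = x509.ParseCertificate(caDER)
	userTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "jdoe"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		CRLDistributionPoints: []string{"http://pki.example.test/crl/root.crl"}, // placeholder CDP
		OCSPServer:            []string{"http://ocsp.example.test/"},            // placeholder AIA
	}
	userDER, _ := x509.CreateCertificate(rand.Reader, userTpl, ca, userPub, caKey) // issued by the CA
	user, _ = x509.ParseCertificate(userDER)
	return ca, user
}

// VerifyClientCert checks that user chains to the trusted ca and is valid for client
// authentication, then returns the CRL and OCSP URLs where its revocation status is published.
func VerifyClientCert(ca, user *x509.Certificate) (crl, ocsp []string, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = user.Verify(opts); err != nil {
		return nil, nil, err // untrusted issuer, expired, or wrong usage: reject before checking revocation
	}
	return user.CRLDistributionPoints, user.OCSPServer, nil
}

func main() { fmt.Println(VerifyClientCert(BuildDemoChain())) }
```

Chain validation alone does not consult the listed URLs; a gateway that enforces revocation must additionally fetch the CRL or query the OCSP responder, which is why those destinations have to be reachable.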
