Currently we have Check Point Mobile for Windows deployed, using username + password with LDAP for login.
I'm wanting to implement 2FA, but with a staggered approach (starting with a small set of users).
I know that multiple authentication options are possible as per sk111583, however I'm a bit confused about the implementation.
Based on AD memberships I want one set of users to be on LDAP, and another set to be using RADIUS (which will accept LDAP credentials, then go off to our 2FA server and do a push notification/PIN to cell, likely using Duo). I'm not sure if I can force the users into certain authentication types based on LDAP roles, or if the options are presented on the client.
Any information on implementing this will be helpful
I see your point on how the gateway would still see this as single auth.
I've created the additional LDAP group already, however I'm not able to get those users to authenticate against RADIUS instead of AD. As they are signing in, wouldn't the Check Point need to do its first authentication to determine what memberships the account has?
I'm finally getting the resources to set up a virtual lab, so I can trial a few setups without breaking prod.
If I enable multiple login options, as per sk111583, can I enable RADIUS and LDAP for the endpoint client so that the users can choose which authentication method is used?
If you enable multiple login options, it means two authentication methods can be used in serial (one after the other), not in parallel (either X or Y).
However, I think you can do what you need with an External User Profile, as described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
These objects cannot be created in R80.x SmartConsole, but can be created via the legacy SmartDashboard as described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
This should allow RADIUS users to specify they are using RADIUS to authenticate.
Thanks for clearing the order up, I had thought it would be in parallel.
I was following the SKs you linked, however I'm not able to see the group tab where I could add the user to a RADIUS group.
My understanding from the articles is that once I have this configured, I can log in with the name 'example@domain', and it will go against its defined authentication. Where would I put this new object, in the source of a policy rule?
Thank you
It doesn't look like I can use the external user profile in the unified access policy, I can't find it as a valid source.
@Royi_Priov are we missing something here?
Hi David,
Rolling back a bit.
We do not have an option to configure authentication realms for users based on their LDAP membership.
What @PhoneBoy meant regarding the serial part of the authentication is for the authentication factors within the authentication realms.
However, the realms themselves are independent, the user can choose which realm he would like to use in order to authenticate.
Does that satisfy your requirement?
Thanks,
Netanel Cohen
Software Developer, Check Point
Hi Netanel,
Sorry for the late reply, I was away for a long Canada Day weekend.
I think I understand. It looks like I can choose which authentication option here:
Would I just add additional login options here? How would I define which is the default?
That ended up working for me, however there was one small problem.
I found that when I added two authentication options, all my clients on their next connections received a prompt to select an authentication option. If you close the prompt, you will not connect. If you select the 'choose authentication method' link in the prompt, Default is already selected, and they can close the window and connect. I don't get why they have to open and close the authentication methods for the default to be used. It's a minor problem, but when it impacts hundreds of users you get complaints.
Hi David,
I had the same problem. How can we choose which is the default authentication method? Is there any option in SmartConsole or the client?
Hello Netanel,
Could you help me with this?
For RA VPN, can I use multiple authentication with two mandatory options, LDAP username and password and at the same time a certificate generated on the LDAP-local RADIUS server, and what are the steps to implement this?
Hi,
If I understood your request right, you want to have an authentication realm which has one factor as user\pass and the other as certificate, and you would like only LDAP users to be able to connect using this realm.
Yes, this is possible; we have a limitation that the certificate always needs to be the first factor.
You need to configure the CA which issued the certificate as a trusted CA in your environment (as always when working with an external CA) and limit the user directory to the relevant LDAP object:
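The replies above describe three rules: factors inside one login option (realm) are evaluated in serial, separate realms are offered in parallel and the user picks one, and a certificate factor has to come first. The following Python model is an added example written for this thread, not Check Point code; the realm names, the `VPN-2FA-Pilot` group and the attempt fields are constructed, and the gateway's real evaluation order is assumed to match what Netanel and PhoneBoy wrote.

```python
"""Model of 'multiple login options' semantics (added example, not Check
Point code). Assumptions: a realm is an ordered list of factors evaluated in
serial; several realms are offered in parallel and the user chooses one; a
certificate factor must be first in its realm; a realm may be limited to an
LDAP group, but a user cannot be forced into a realm by group membership."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Factor:
    kind: str  # "ldap", "radius" or "certificate"


@dataclass
class Realm:
    name: str
    factors: List[Factor]
    allowed_group: Optional[str] = None  # limit realm to one LDAP group


class RealmConfigError(ValueError):
    """Raised for a realm the gateway would not accept."""


def validate_realm(realm: Realm) -> bool:
    """Enforce the stated limitation: certificate must be the first factor."""
    if not realm.factors:
        raise RealmConfigError(f"{realm.name}: realm has no factors")
    for position, factor in enumerate(realm.factors):
        if factor.kind == "certificate" and position != 0:
            raise RealmConfigError(
                f"{realm.name}: certificate must be the first factor")
    return True


@dataclass
class LoginAttempt:
    user: str
    realm: str                      # the realm the user selected on the client
    groups: Tuple[str, ...] = ()    # LDAP group memberships (constructed)
    ldap_password_ok: bool = False  # result of the LDAP bind
    radius_push_ok: bool = False    # result of the RADIUS/Duo push
    certificate_ok: bool = False    # client certificate chains to trusted CA


def check_factor(factor: Factor, attempt: LoginAttempt) -> bool:
    """Look up the outcome of one factor for this attempt."""
    outcomes = {
        "ldap": attempt.ldap_password_ok,
        "radius": attempt.radius_push_ok,
        "certificate": attempt.certificate_ok,
    }
    return outcomes[factor.kind]


def authenticate(realms: List[Realm], attempt: LoginAttempt):
    """Return (success, trace). Factors run in serial; the first failure
    stops the chain, so a RADIUS push is never sent for a bad password."""
    realm = next((r for r in realms if r.name == attempt.realm), None)
    if realm is None:
        return False, ["unknown realm"]
    validate_realm(realm)
    if realm.allowed_group and realm.allowed_group not in attempt.groups:
        return False, [f"user not in {realm.allowed_group}"]
    trace = []
    for factor in realm.factors:
        ok = check_factor(factor, attempt)
        trace.append(f"{factor.kind}:{'ok' if ok else 'fail'}")
        if not ok:
            return False, trace
    return True, trace


# Constructed sample configuration mirroring the thread: a plain LDAP realm,
# an LDAP+RADIUS(Duo) pilot realm limited to one group, and a cert-first realm.
REALMS = [
    Realm("Default", [Factor("ldap")]),
    Realm("LDAP+Duo", [Factor("ldap"), Factor("radius")],
          allowed_group="VPN-2FA-Pilot"),
    Realm("Cert+LDAP", [Factor("certificate"), Factor("ldap")]),
]

if __name__ == "__main__":
    pilot = LoginAttempt("alice", "LDAP+Duo", groups=("VPN-2FA-Pilot",),
                         ldap_password_ok=True, radius_push_ok=True)
    print(authenticate(REALMS, pilot))
    # A pilot user may still pick "Default": membership does not force a realm.
    print(authenticate(REALMS, LoginAttempt(
        "alice", "Default", groups=("VPN-2FA-Pilot",), ldap_password_ok=True)))
```

The second call in the `__main__` block is the point Netanel makes: restricting a realm to a group keeps non-members out of it, but nothing stops a pilot user from selecting the single-factor default realm, so the staggered rollout only becomes enforced once the LDAP-only realm is removed.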
Thank you Cohen
That is what I asked.
Also, because we have R80.40 I found a new option for machine authentication, so I think it's a better solution.