DeletedUser
Not applicable

Technology Partner News: Okta MFA for Check Point

Happy to say that Okta has an Okta-certified RADIUS app and posted the integration guide with Check Point on their website. A RADIUS integration is perhaps a small thing, but one thing notable about the integration is this authentication setting: Accept password and security token in the same login request. When MFA is required in the Okta policy and this is enabled, then a user must add a comma to the end of their password, followed by their second factor keyword (such as a One-Time-Password from their Okta Verify app).

This is helpful in some Check Point cases where we don't support RADIUS access-challenge requests following the initial access-request to the RADIUS server. When there is an access-challenge, then our software needs to handle this in an interactive exchange with the user like in this example from our Remote Access VPN client.

Not all of our clients support this.

Client            Supports Challenge-Response
Remote Access     Yes
Mobile Access     Yes
Captive Portal    Yes, in R80.20
SmartConsole      No
Gaia OS           No


For those cases where you want MFA and our software doesn't currently support access-challenge, this is a convenient way to do MFA by adding the second factor to the initial access-request to the RADIUS server.
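To check the gateway-to-Okta RADIUS leg independently of any Check Point client, here is an added example (not code from the original post, Okta or Check Point): a minimal Python RADIUS client that builds an Access-Request whose User-Password carries the combined "password,OTP" value described above and classifies the reply the way a client with or without challenge-response support would. The host, port, shared secret and credentials are constructed assumptions.

```python
import hashlib
import os
import socket

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes

def _pap_xor(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous cipher block); block 0 uses the Request Authenticator
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = data[i:i + 16] if decrypt else block
        out += block
    return out

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    return _pap_xor(padded, secret, authenticator, decrypt=False)

def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _pap_xor(encoded, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(username: str, password: str, otp: str, secret: bytes,
                         ident: int = 1, authenticator: bytes = b"") -> bytes:
    # User-Password carries "password,OTP" so no Access-Challenge round-trip is needed
    auth = authenticator or os.urandom(16)
    name = username.encode()
    enc = encode_user_password(f"{password},{otp}".encode(), secret, auth)
    attrs = bytes([1, 2 + len(name)]) + name + bytes([2, 2 + len(enc)]) + enc  # User-Name, User-Password
    return bytes([ACCESS_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big") + auth + attrs

def classify_reply(reply: bytes, client_supports_challenge: bool) -> str:
    # Clients without challenge-response (SmartConsole, Gaia OS) cannot prompt for the second factor,
    # so an Access-Challenge is a dead end for them; the combined credential avoids it
    if reply[0] == ACCESS_ACCEPT:
        return "accept"
    if reply[0] == ACCESS_CHALLENGE:
        return "prompt" if client_supports_challenge else "fail-no-challenge-support"
    return "reject"

def send_access_request(host: str, port: int, packet: bytes, timeout: float = 3.0):
    # UDP round-trip to the RADIUS agent; None on timeout (the "servers not responding" case)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None
```

Run it from the gateway as `classify_reply(send_access_request("192.0.2.10", 1812, build_access_request("alice", "S3cret!", "123456", b"shared-secret")), True)` with your own Okta RADIUS agent address and secret in place of these constructed values; a None reply points at the network or shared-secret side rather than the Okta policy.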

12 Replies
PhoneBoy
Admin

Funny thing is I remember working with some folks at Okta on this some time ago.

Glad to see it's a formally supported/documented thing now :)

0 Kudos
DeletedUser
Not applicable

Somehow I knew you had a hand in this 😉 Thanks Dameon.

0 Kudos
Christopher_Ric
Participant

Has anyone been able to get this to work? I'm struggling with it.  Any help would be greatly appreciated.

0 Kudos
DeletedUser
Not applicable

What problems are you running into? Anything unique about your configuration? thanks, bob

0 Kudos
Christopher_Ric
Participant

Just get unknown user in the CP logs with any credentials that I input. No logs are generated on the Okta side unless I use an invalid user that is not in Okta. Nothing unique as far as configuration.

0 Kudos
DeletedUser
Not applicable

Do you see the access-request in a tcpdump from CHKP to the Okta RADIUS agent? What CHKP client are you trying to login with?

0 Kudos
Christopher_Ric
Participant

Interesting discovery with the tcpdump. If I use a user account that is local to the Check Point user database I see the RADIUS request and of course that fails because it's not in Okta. However, if I use an Okta username, I see an LDAP request and no RADIUS... Using Version VPN E80.82 endpoint client.

0 Kudos
DeletedUser
Not applicable

That helps, so something in the CHKP configuration needs to be tweaked. To be sure the CHKP-Okta piece works, you can always set RADIUS as the auth method in the user object where the user also exists in Okta. Not scalable, but sometimes nice to see something works 😉

To simplify things you may want to ignore RADIUS user group part of the Okta docs and check your External User Profile settings.

.............

6. Navigate to SECURITY POLICIES and select Access Control. This displays Access Tools VPN Communities. Click on VPN Communities. Double click to open the RemoteAccess community and add the gateway object.

7. Click Participant User Groups and accept the default All Users.
8. Click OK to save the settings.
9. The option to create an External User Profile (generic*) is only available using the legacy SmartConsole Client. To launch legacy SmartDashboard go under "Manage & Settings" and select the "Configure in SmartDashboard" for the Mobile Access option.

10. In the lower left corner click on the Users object. Right click on External User profile and select New External User profile -> Match all users.

11. Click Authentication and select RADIUS as the authentication scheme. Select the RADIUS server configured above, for example MyRADIUS.

0 Kudos
Christopher_Ric
Participant

Steps 9-11 have got me further... I'm seeing it hit Okta now, but for some reason it still fails. Check Point states radius servers not responding and Okta states authentication of user via radius: login failed. Not much detail. Maybe I'll open a case with them and see what they have to say as well.

0 Kudos
seanmc12
Contributor

Do you remember what set of instructions you used for this? I am using the instructions from Okta and it is just not working. Not getting a prompt for MFA on my VPN client.

0 Kudos
Christopher_Ric
Participant

Finally got it working. For the heck of it I decided to try changing the RADIUS secret and then it worked... Not sure if they have limitations on characters or what, but I made it simpler. Thanks for your assistance.

KatiaCruz
Employee

What about SandBlast Agent as the client? Do we support Okta/MFA for our Endpoint Security solution?

In summary, I'm trying to understand if our FDE blade would support preboot MFA without asking the user for their credentials again for OS authentication. It doesn't need to be Okta if we have any other MFA support for this purpose.

Any ideas will be much appreciated! 🙂

0 Kudos