Happy to say that Okta has an Okta-certified RADIUS app and posted the integration guide with Check Point on their website. A RADIUS integration is perhaps a small thing, but one thing notable about the integration is this authentication setting: Accept password and security token in the same login request. When MFA is required in the Okta policy and this is enabled, then a user must add a comma to the end of their password, followed by their second factor keyword (such as a One-Time-Password from their Okta Verify app).
This is helpful in some Check Point cases where we don't support RADIUS access-challenge requests following the initial access-request to the RADIUS server. When there is an access-challenge, then our software needs to handle this in an interactive exchange with the user like in this example from our Remote Access VPN client.
Not all of our clients support this.
| Client | Supports Challenge-Response |
|---|---|
| Remote Access | Yes |
| Mobile Access | Yes |
| Captive Portal | Yes, in R80.20 |
| SmartConsole | No |
| Gaia OS | No |
For those cases where you want MFA and our software doesn't currently support access-challenge, then this is a convenient way to do MFA via adding the second factor in the initial access-request to the RADIUS server.
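As an added illustration, not code from the original post or from Check Point or Okta, the Python below builds the RADIUS Access-Request that carries "password,token" in the User-Password attribute the way the setting above expects, hides the attribute with the shared secret as RFC 2865 section 5.2 prescribes, and then performs the server-side step of revealing it and splitting the password from the second factor. Splitting on the last comma (so that passwords containing commas still work), the function names and the constructed sample credentials are assumptions for this example; the "server" side here stands in for the Okta RADIUS agent.

```python
import hashlib
import secrets
import struct

# RADIUS packet code and attribute types from RFC 2865
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _pad16(data: bytes) -> bytes:
    """Pad with NUL bytes up to a multiple of 16, as RFC 2865 5.2 requires."""
    return data + b"\x00" * (-len(data) % 16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate User-Password: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = _pad16(password)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password(); trailing NUL padding is removed."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(username: str, password: str, token: str,
                         secret: bytes, identifier: int = 1) -> bytes:
    """Client side (the gateway): one Access-Request carrying password and
    second factor joined by a comma, as the Okta setting described above expects."""
    combined = f"{password},{token}".encode()
    authenticator = secrets.token_bytes(16)  # 16 random octets per request
    attrs = encode_attr(ATTR_USER_NAME, username.encode())
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(combined, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Server side: walk the attributes and recover the User-Password bytes.
    A wrong shared secret simply yields garbage here, not an error."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("malformed Access-Request")
    authenticator = packet[4:20]
    result, pos = {"identifier": identifier}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            result["username"] = value.decode()
        elif attr_type == ATTR_USER_PASSWORD:
            result["password"] = reveal_password(value, secret, authenticator)
        pos += attr_len
    return result


def split_password_and_token(combined: bytes) -> tuple:
    """Assumption for this example: the second factor follows the LAST comma,
    so a password that itself contains commas is preserved intact."""
    idx = combined.rfind(b",")
    if idx < 0:
        return combined.decode(errors="replace"), ""
    return (combined[:idx].decode(errors="replace"),
            combined[idx + 1:].decode(errors="replace"))


if __name__ == "__main__":
    # Constructed sample credentials; the shared secret must be byte-identical
    # on both sides, which is exactly what breaks when it is mistyped.
    shared_secret = b"chkp-okta-secret"
    pkt = build_access_request("alice", "Pa,ss", "123456", shared_secret)
    parsed = parse_access_request(pkt, shared_secret)
    print(parsed["username"], split_password_and_token(parsed["password"]))
```

Because the only thing protecting the User-Password attribute is this MD5-and-XOR scheme keyed by the shared secret, the secret should be long and random and the gateway-to-agent path should not cross untrusted networks; the one-time code rides inside the same attribute, so it gets no more protection than the password does.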
Funny thing is I remember working with some folks at Okta on this some time ago.
Glad to see it's a formally supported/documented thing now
Somehow I knew you had a hand in this 😉 Thanks Dameon.
Has anyone been able to get this to work? I'm struggling with it. Any help would be greatly appreciated.
What problems are you running into? Anything unique about your configuration? thanks, bob
Just get unknown user in the CP logs with any credentials that I input. No logs are generated on the Okta side unless I use an invalid user that is not in Okta. Nothing unique as far as configuration.
Do you see the access-request in a tcpdump from CHKP to the Okta RADIUS agent? What CHKP client are you trying to login with?
Interesting discovery with the tcpdump. If I use a user account that is local to the Check Point user database I see the RADIUS request and of course that fails because it's not in Okta. However, if I use an Okta username, I see an LDAP request and no RADIUS... Using Version VPN E80.82 endpoint client.
That helps, so something in the CHKP configuration needs to be tweaked. To be sure the CHKP-Okta piece works, you can always set RADIUS as the auth method in the user object where the user also exists in Okta. Not scalable, but sometimes nice to see something works 😉
To simplify things you may want to ignore RADIUS user group part of the Okta docs and check your External User Profile settings.
.............
6. Navigate to SECURITY POLICIES and select Access Control. This displays Access Tools VPN Communities. Click on VPN Communities. Double click to open the RemoteAccess community and add the gateway object.
7. Click Participant User Groups and accept the default All Users.
8. Click OK to save the settings.
9. The option to create an External User Profile (generic*) is only available using the legacy SmartConsole Client. To launch legacy SmartDashboard go under "Manage & Settings" and select the "Configure in SmartDashboard" for the Mobile Access option
10. In the lower left corner click on the Users object. Right click on External User profile and select New External User profile -> Match all users.
11. Click Authentication and select RADIUS as the authentication scheme. Select the RADIUS server configured above, for example MyRADIUS.
9-11 has got me further... I'm seeing it hit Okta now, but for some reason it still fails. Check Point states RADIUS servers not responding and Okta states authentication of user via RADIUS: login failed. Not much detail. Maybe I'll open a case with them and see what they have to say as well.
Do you remember what set of instructions you used for this. I am using the instructions from OKTA and it is just not working. Not getting a prompt for MFA on my vpn client
Finally got it working. For the heck of it I decided to try changing the RADIUS secret and then it worked... Not sure if they have limitations on characters or what, but I made it simpler. Thanks for your assistance.
What about SandBlast Agent as the client? Do we support Okta/MFA for our Endpoint Security solution?
In summary, I'm trying to understand if our FDE blade would support preboot MFA without requesting the user for their credentials again for OS authentication. It doesn’t need to be Okta if we have any other MFA support for this purpose.
Any ideas will be much appreciated! 🙂