This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mjovovic
Contributor
‎2021-06-15 05:30 AM
Jump to solution

Multi Factor authentication for RAVPN users with Google Authenticator on SMB devices

Hi,

I have setup 1590 appliance to work with RADIUS server for 2ND factor for RAVPN users.

Radius server is Ubuntu 20.04 with FreeRadius service on it.

Radius server part works as a charm, it communicates with Google Authenticator and makes authentication decisions according to user/pass/OTP policy setup.

3.png

Problem is that on our CP 1590 appliance side. After successful Radius authentication (RADIUS packets are exchanged between CP 1590 device and Radius server), RAVPN client gets disconnected every time (RAVPN connection is never completed).

SMB appliances use RADIUS v1, and because of that password length together with OTP from goolge authenticator should not be over 16 characters long (it is limitation on SMB appliances they can not use Radius v2).

 

In security logs we get:

Action: Failed Log In

Reason: Authenticated by RADIUS

Second authentication method: DynamicID 

2.png

1.png

Surely, this is where the problem is.

 

Our endpoint security VPN client shows: User XXX authenticated by Radius authentication

4.png

 

Check Point 1590 setup:

1. local users with ravpn permission created (according to Radius server - to match username and password with Radius server local users database)

2. Put users in user group with RAVPN permissions

3. Checked option  - Require users to confirm their identity using two-factor authentication 

Did not checked SMS option as we do not use SMS DynamicID (left it default):

5.png6.png

4. Changed auth method on RAVPN client to Radius server

5.  We created authentication server (Radius):

7.png

 

Kindly ask You for a hint how to make this work?

All suggestions are welcome.

Thanks!

 

Milos

 

1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2021-06-17 12:45 PM
In response to mjovovic
Jump to solution

It is listed in Limitations: sk159772: Check Point R80.20 for 1500, 1600, and 1800 Appliances Features and Known Limitations

Blade / Feature Locally
managed		 Centrally
managed		 Comments
VPN and Remote Access
Remote access client multi factor authentication Yes No SMS as second factor authentication.  

#

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

0 Kudos
15 Replies
mjovovic
Contributor
‎2021-06-15 08:06 AM
Jump to solution

As addition to my first message,  if I check on 1590 GW the option - Require users to confirm their identity using two-factor authentication, 

on VPN client I got these two auth options:

10.png

With both auth. options from picture, RAVPN user gets successfully authenticated, but VPN tunnel establishment is not being started by 1590 appliance at all (no tunnel test traffic (port 18234) , it's like that VPND is not being triggered by these auth options),  and at the end client gets disconnected with messages like this:

Local/AD user (Default):

11.png

Radius user:

4.png

On the contrary, if I do not check on 1590 GW the option - Require users to confirm their identity using two-factor authentication, on VPN client there are many auth options (username/pass, SecureID, certs,...). But no radius at all.

 

 

0 Kudos
mjovovic
Contributor
‎2021-06-15 08:34 AM
In response to mjovovic
Jump to solution

VPN client side logs during testing with test radius user:

client side logs.png

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-06-15 10:34 PM
In response to mjovovic
Jump to solution

2FA currently only works with SMS, see To configure Two-Factor Authentication, Quantum Spark 1500, 1600 and 1800 Appliance Series R80.20.25 Locally Managed Administration Guide p.212 - so there is currently no way to achieve what you want !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
mjovovic
Contributor
‎2021-06-16 12:04 AM
In response to G_W_Albrecht
Jump to solution

Hi Albrecht,

 

I have just solved an issue by:

1. Deleting all users on CP 1590 appliance (which were already configured on Radius Server),

2. Creating Radius type group (checked all users, groups) and checked RAVPN permissions for Radius group,

3. Unchecking the option on CP - Require users to confirm their identity using two-factor authentication, 

4. In VPN client I choose auth. scheme (username/password).

And it works as a charm! Users are authenticated by external Radius server (FreeRadius on Ubuntu), which is further 

responsible for handling Google Authenticator OTP. Basically in VPN client, in password field we put together a password which is defined on Radius server along with OTP token from google authenticator app on Mobile phone in following manner:<passwordOTP>

 

 

G_W_Albrecht
Legend Legend
Legend
‎2021-06-16 01:08 AM
In response to mjovovic
Jump to solution

Yes - 2FA is outsourced here to RADIUS. See sk137732: 2FA (Factor Authentication) support for remote access VPN in locally managed SMB appliance... for details about this R77.20.xx restriction.

With R80.20.xx., 2FA is possible for locally managed SMBs using SMS.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
mjovovic
Contributor
‎2021-06-16 05:50 AM
In response to G_W_Albrecht
Jump to solution

It would be great if we could be in situation to configure MFA directly on the Security Gateway (locally managed SMB appliance).

Thanks for comments.

G_W_Albrecht
Legend Legend
Legend
‎2021-06-16 08:05 AM
In response to mjovovic
Jump to solution

Yes, certainly !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-06-17 12:45 PM
In response to mjovovic
Jump to solution

It is listed in Limitations: sk159772: Check Point R80.20 for 1500, 1600, and 1800 Appliances Features and Known Limitations

Blade / Feature Locally
managed		 Centrally
managed		 Comments
VPN and Remote Access
Remote access client multi factor authentication Yes No SMS as second factor authentication.  

#

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
mjovovic
Contributor
‎2021-06-18 04:32 AM
In response to G_W_Albrecht
Jump to solution

Thanks Albrecht.

 

At the end, I really look forward that CP will as soon as support radius v2 on SMB appliances (to avoid authentication with up to 16 character passwords (Radius v1 - RFC 2138)).

 

 

 

0 Kudos
yangjiajun
Explorer
‎2022-05-30 03:51 AM
In response to G_W_Albrecht
Jump to solution

Why is this option that 'require users to confirm their identity using two-factor authentication' not available in my R80.20.05 experimental environment.

MikeyT
Employee
Employee
‎2022-06-06 04:47 PM
In response to yangjiajun
Jump to solution

The option 'require users to confirm their identity using two-factor authentication' is available on the R80.20.10 ver. and above.

security09
Participant
‎2022-11-14 02:56 AM
In response to mjovovic
Jump to solution

Hi @mjovovic  - do you have the document for setting up this freeRadius and google authenticator. i did configure it but when i am trying to do a local test- it says packet rejected. not sure where have i done mistake. i am not very good in linux. it would be great if you can share the doc.

security09
Participant
‎2022-11-14 06:29 AM
In response to G_W_Albrecht
Jump to solution

hi @G_W_Albrecht  This SK doesnt have freeradius method explained. the one which is mentioned is SMS based authentication. i need FreeRadius with GoogleAuth.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top