Checkpoint Mobile VPN two factor Authentication

Posted on 2016-08-03
Medium Priority
Last Modified: 2017-01-06
Hi i would like to know the simplest way to get two factor Authentication up and running within Checkpoint Mobile for our VPN logins
Question by:VH
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
LVL 64

Accepted Solution

btan earned 2000 total points (awarded by participants)
ID: 41741745
It will be setting up a proxy for authentication to AD or Radius as an example. Duo security listed the step by step and based on the 2fa fastest will be via Duo Push
Duo’s mobile app to send push notifications to your phone as your second factor. Here’s how it works:

Enter your username and password into your login page.

Choose ‘Duo Push’ as your second factor on the next screen prompt.

Then, tap ‘Approve’ on the push notification sent to your phone.

Duo Push is an out-of-band authentication method that prevents remote attackers from stealing your password and your second factor.
see the "Test Your Setup"
LVL 64

Assisted Solution

btan earned 2000 total points (awarded by participants)
ID: 41741750
There is also Checkpoibt own 2FA via its mobile remote VPN access software blade (which you may have) of DynamicID Direct SMS Authentication. Can check with their sales support
The Mobile Access Software Blade can be configured to send a One-Time Password (OTP) to an end-user communication device (such as a mobile phone) via an SMS message. SMS two-factor authentication provides an extra level of security while eliminating the difficulties associated with managing hardware tokens

Author Comment

ID: 41742307
Hi Btan,

i think DynamicID Direct SMS would be the best path for us, can twilio be used for DynamicID ?
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

LVL 64

Assisted Solution

btan earned 2000 total points (awarded by participants)
ID: 41742522
DynamicID will be good and to have SMS authentication, you will need to configure the SMS provider details - see example, http://91sec.blogspot.sg/2014/10/enable-checkpoint-ssl-vpn-remote-access_17.html
For configuring the SMTP provider for sending via Email as below
For Twilio, you will need to have the valid account and have the GET URL (with credential) for this SMS provider, better to check with provider.

Separately just to share that recently NIST updated that SMS as 2FA is going to be deprecated
If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.

I suggest for more secure systems to use hardware tokens or app authenticators, but don’t automatically rule out text messages. For a start, you do not need to rule out SMS as a method just because of it is reported as above though for systems that need the maximum protection, maybe it’s not appropriate. Make an informed decision for systems in term of ease of use, cost, and eventually it is user acceptance that matters for a viable solution.
LVL 64

Expert Comment

ID: 41766621
DynamicID is concurred as the 2FA approach

Author Comment

ID: 41950471
Hi All,

just got around to doing this feature..  i have enabled Challenge users to proved One time password
but when i try to log in, it is showing the following error.
LVL 64

Expert Comment

ID: 41950496
Users who successfully complete the first-phase authentication are challenged to enter an additional credential: a DynamicID One Time Password (OTP). The OTP is sent to their mobile communications device (such as a mobile phone) through SMS or directly to their email account. Hence I suspect the system cannot find this information if it will to send the OTP. See this
Configuring the Phone Directory
The default phone number and email search method is that the gateway searches for phone numbers or email addresses in user records on the LDAP account unit, and then in the phone directory on the local gateway. If the phone number configured is actually an email address, an email will be sent instead of an SMS message. The phone number and email search method can be changed in the Phone Number or Email Retrieval section of the Two-Factor Authentication with DynamicID - Advanced window.

Configuring Phone Numbers or Email Addresses in LDAP
If users authenticate via LDAP, configure the list of phone numbers on LDAP by defining a phone number or email address for each user. By default, Mobile Access uses the Mobile field in the Telephones tab. If the phone number configured is actually an email address, an email will be sent instead of an SMS message.
Configuring Phone Numbers or Email Addresses on Each Security Gateway
Configure the list of phone numbers or email addresses on each Mobile Access gateway. For a Mobile Access cluster, configure the directory on each cluster member.

To configure a list of phone numbers on a gateway:
Log in to the Mobile Access gateway using a secure console connection.
Change to Expert mode: Type expert and then the expert mode password.
Backup $CVPNDIR/conf/SmsPhones.lst
Edit $CVPNDIR/conf/SmsPhones.lst, and add to it a list of user names and phone numbers, and/or email addresses.

You may also want to take note of this
There is no feature available as yet with checkpoint to allow LDAP and RSA authentication working together.

Consider creating another question if you have further doubts

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question