In this article, we are going to configure Checkpoint Mobile Access with Duo two-factor authentication to further enhance the security of remote access VPN users. We will walk through the configuration steps on a newly installed Checkpoint firewall and test Duo 2FA once configured.
Lab Environment
- Checkpoint R80.10
- Active Directory Server 2019
- Duo Authentication Proxy
- Duo Account (Duo Admin Panel)
- End-user test device with Checkpoint Endpoint Security
- Management machine
This demonstration assumes that the reader has knowledge of Checkpoint and Duo.
Duo Configuration
- Log in to the Duo Admin panel and navigate to Applications > Protect an Application and protect the application ‘Checkpoint VPN’.
- Download and install the Duo authentication proxy within your environment.
- Configure the authentication proxy as per the Duo documentation here.
- Validate and save the Duo authentication proxy configuration and restart the service.
Checkpoint Configuration
(Optional) Configure Identity Awareness
With access to the Checkpoint firewall, configure Identity Awareness to integrate the Checkpoint device with Active Directory. This will provide user, group and machine visibility within Checkpoint once configured.
Note: For locally managed SMB appliances, you may need to remove AD integration for 2FA to work with RAIDUS. More details here. SMB appliance configuration is NOT covered in this demonstration.
- General Properties > Network Security > Identity Awareness
- Select ‘AD Query’.
- Create a new domain and enter the details to reflect your AD server configuration.
Note: Ensure that administrator credentials are used.
- Once complete, click ‘Connect’. If the configuration is successful, the following message shown in the screenshot below will be displayed.
- Click ‘Next’ and then ‘Finish’.
- Navigate to Identity Awareness and check that ‘Remote Access’ is selected and press ‘Ok’.
- Navigate to Mobile Access
- Deselect the options that are not required for your environment. In this demo, we will focus on Desktops and Laptops only. Once complete, click ‘Next’.
- Test connectivity to your AD domain and click ‘Next’.
- The mobile blade is now active! Click ‘Finish’.
- Navigate to Mobile Access > Authentication and click ‘Settings…’.
- Change the Authentication Method to ‘RADIUS’ and add the authentication proxy IP address as a new object for the RADIUS server. Complete the remaining configuration requirements, ensuring that the shared secret matches the authentication proxy configuration and the RADIUS version is set to 2. Ensure that you have enabled ‘Ask user for password’.
- On the relevant gateway, enable the IPsec VPN blade.
Note: We will enable this to allow for clients connecting using IPsec as appose to SSL.
- Navigate to ‘Authentication’ and configure the device to use Duo as a RADIUS server. Ensure that you have enabled ‘Ask user for password’.
- Publish your changes.
Testing
- Using your VPN client connect to the Checkpoint VPN with your Username and Password. If configured correctly you should be prompted for 2FA. Accept the 2FA request and you should be connected.
- Log into the Duo Admin panel and navigate to Reports > Authentication Log to view your most recent successful login.
Duo 2FA authentication for Checkpoint remote-access VPN’s is now configured successfully. Depending on your environment, you may want to configure additional elements such as security policies etc.
