Check Point Gateway Mobile Access Portal - RADIUS Configuration for Authentication Manager - RSA Ready Implementation Guide

This section describes how to integrate Check Point Gateway Mobile Access portal with RSA Authentication Manager using RADIUS.

Configure RSA Authentication Manager

Perform these steps to configure RSA Authentication Manager to use RADIUS.

Procedure

  1. Sign in to the Security Console.
  2. Go to RADIUS > RADIUS Servers.

Note: Record the IP address of the selected RADIUS server; it is used later in the Check Point configuration.

  3. Go to RADIUS > RADIUS Clients > Add New.
  4. On the Add RADIUS Client page, enter the following details:
    1. Client Name: Enter a descriptive name for the RADIUS client.
    2. IPv4 Address: Enter the IP address of the RADIUS client (the Check Point Gateway).
    3. Make / Model: Select CheckPoint from the drop-down menu.
    4. Shared Secret: Create and enter a secure shared secret. This secret is used to secure communication between the RADIUS client and the RADIUS server.
  5. Click Save & Create Associated RSA Agent.
  6. On the Add New Authentication Agent page, click Save.
  7. Confirm by clicking Yes, Save Agent.

Notes

  • The RSA Authentication Manager RADIUS server is configured to use UDP ports 1655 and 1234.
  • The relationship of the agent host record to the RADIUS client in Authentication Manager can be 1 to 1, 1 to many, or 1 to all (global).
  • The shared secret must be an alphanumeric string between 1 and 31 characters in length and is case-sensitive.

Configure Check Point Mobile Access portal

Procedure

  1. Log in to the Check Point SmartConsole desktop application with administrator credentials.
  2. In the left pane, open the Gateways & Servers tab and double-click the deployed Check Point Gateway that you want to configure.
  3. In the General Properties of the gateway, ensure that the Mobile Access service is enabled (ticked).

Note: If the Mobile Access service is not enabled, follow the prompt to enable it. During this process, the Mobile Access portal URL is configured; end users will use this URL to log in to the portal.

  4. In the Gateways & Servers tab, click New > More > Server > RADIUS.
  5. In the RADIUS server window, go to Host and choose the RADIUS server host.

Note: If the RADIUS server host is not yet in the drop-down list, create a new host with the RADIUS server IP address recorded earlier in RSA Authentication Manager. Select the service NEW-RADIUS, which uses port 1812, and enter the shared secret configured in RSA.

  6. In SmartConsole, click the Gateways & Servers pane.
    1. Open the Security Gateway object. From the left pane, click Mobile Access > Authentication.
    2. In the Multiple Authentication Client Settings section, click Add to add a new Realm object. Choose New.
    3. In the Login Option pane, in the Authentication Methods section, click Add.
    4. Select RADIUS.
    5. From the Server drop-down list, choose the RADIUS server configured earlier. Click OK.
  7. In the User Directories section, choose where the users authenticated by RSA are defined:
    1. Internal users: the users authenticated against RSA must exist locally in Check Point SmartConsole.
    2. LDAP users: the users authenticated against RSA must exist on a remote Active Directory server, and Check Point must be configured to connect to that server so it can fetch the users through an LDAP lookup.

Note: You must select the LDAP Lookup Type as mail.

    3. External user profiles: the users exist outside both Check Point and LDAP, but you must create a generic external user profile for them to authenticate correctly.
  8. In the Gateways & Servers main tab, go to Global Properties > Advanced > Configure FireWall-1 Authentication > RADIUS.
  9. Configure the values as shown in the following figure:

  10. In SmartConsole, click Publish.
  11. Select the applicable policy and choose Access Control.
  12. Click Install to apply the policy.

The configuration is complete.
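As an added pre-flight check (example code written for this guide, not RSA's or Check Point's own tooling), the script below validates a candidate shared secret against the rule in the Notes above and sends a single PAP Access-Request to the RSA RADIUS server on UDP port 1812, the port the NEW-RADIUS service uses, then verifies the reply's Response Authenticator with the same secret. The server IP, test user name and passcode passed to `probe` are assumed inputs; a reply that fails verification means the secret on the two sides does not match.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 1, 2

def shared_secret_ok(secret: str) -> bool:
    """Rule from the Notes above: alphanumeric, 1 to 31 characters, case-sensitive."""
    return 1 <= len(secret) <= 31 and secret.isalnum()

def pap_encrypt(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], key))
        out += prev
    return out

def build_access_request(secret, username, password, ident, authenticator=b""):
    """Return (packet, request_authenticator) for one PAP Access-Request."""
    authenticator = authenticator or os.urandom(16)
    encrypted = pap_encrypt(secret.encode(), authenticator, password.encode())
    attrs = b""
    for t, v in ((ATTR_USER_NAME, username.encode()), (ATTR_USER_PASSWORD, encrypted)):
        attrs += struct.pack("!BB", t, len(v) + 2) + v
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + authenticator + attrs, authenticator

def sign_response(secret, req_auth, code, ident, attrs=b""):
    """Reply as the server builds it: MD5(Code+ID+Len+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret.encode()).digest() + attrs

def response_valid(secret, req_auth, resp):
    """False means the reply was signed with a different secret or was spoofed."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    return sign_response(secret, req_auth, resp[0], resp[1], resp[20:]) == resp

def probe(server_ip, secret, username, password, port=1812):
    """Send one request; returns (reply code, authenticator ok) or (None, False)."""
    pkt, req_auth = build_access_request(secret, username, password, ident=1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5.0)
        s.sendto(pkt, (server_ip, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return None, False
    return resp[0], response_valid(secret, req_auth, resp)
```

Reply code 2 is Access-Accept, 3 is Access-Reject, and 11 is Access-Challenge (RSA asks for the next tokencode); a timeout usually means the Check Point IP is not registered as a RADIUS client or a firewall blocks the port.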