Set up Nexus OTP as 2FA for Check Point administration
This article describes how to enable Nexus OTP in Smart ID Digital Access component as two-factor authentication method for Check Point administration, to replace static passwords.
Nexus OTP can be either Nexus TruID Synchronized or Smart ID Mobile App OTP, or any other OATH-based mobile OTP application, such as Google Authenticator or Microsoft Authenticator.
With the setup described in this article, Digital Access functions a RADIUS server and Check Point Security Gateway as a RADIUS client. Nexus TruID is used as an example below and is available for iOS, Android, and Windows.
Make settings in Digital Access
In step 3, enter the IP Address of the RADIUS Client (Check Point firewall) and the Shared Secret Key.
In Digital Access Admin, go to Manage System.
Click RADIUS Configuration > Add RADIUS Client...
Enter General Settings and Attributes. Click the ?-sign for help.
Click Save.
Nexus TruID Synchronized is used as an example. Other Nexus OTP authentication methods are enabled in a similar way.
- In step 3, select Nexus Synchronized as method.
- When the default RADIUS replies are shown, click Next. You can also add your custom RADIUS replies or modify the default replies if required.
To add a new authentication method:
- In Digital Access Admin, go to Manage System.
- Click Authentication Methods.
Click Add authentication method..., select the desired method and click Next.
- Enter Display Name, a unique name used in the system to identify the authentication method.
- Select if the method shall be enabled and if it shall be visible in authentication menu.
- Register Authentication Methods Server when applicable.
- Make other configurations as needed for the selected authentication method. For more information , click the ?-sign. Click Next.
- If needed, make settings in RADIUS Replies and Extended Properties.
- Click Next and Finish.
- Click Publish.
Make settings in Check Point security gateway
- Open the Check Point SmartDashboard R77.
- In the Login window, complete the following fields, and then click Login.
Username Enter your user name.
Password Enter your password.
Server name or IP Address Select the name or IP address of the server where Check Point Security Gateway is hosted.
Read only Uncheck this option.
In the Check Point SmartDashboard main window, in the left pane, under Network Objects, click Nodes > Node > Host.
In the Host Node window, in the right pane, complete the following fields, and then click OK.
Name Enter a name for the host node.
IPv4 Address Enter the IP address of the RADIUS server.
- In the Check Point SmartDashboard main window, in the left pane, under Servers and OPSEC, expand Servers, right-click RADIUS, and then click New RADIUS.
- In the RADIUS Server Properties window, complete the following fields, and then click OK.
Name Enter a name for the RADIUS server.
Comment Enter any applicable comments.
Color Select a color of your choice.
Host Select the RADIUS server host node configured previously.
Service Select NEW_RADIUS, which is associated with the port number 1812. (Cross check the configured radius port at HAG end).
Shared Secret Enter the shared secret value. (The shared secret must be same as entered in HAG.)
Version Select RADIUS ver. 2.0 Compatible.
Protocol Select PAP.
Create a user with the defined authentication scheme to be able to log in SmartDashboard.
- On the Check Point SmartDashboard main window, in the left pane, under Users and Administrators, right-click Users, and then click New User > Default.
- In the User Properties window, in the right pane, in the User Name field, enter a name of the user.
In the left pane, click Authentication.
In the right pane, complete the following details, and then click OK.
Authentication Scheme Select RADIUS.
Select a RADIUS Server or Group of Servers Select the RADIUS server object you created previously.
