Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This article describes how to enable Nexus OTP in Nexus Smart ID Digital Access component (Hybrid Access Gateway) as two-factor authentication method for Check Point administration, to replace static passwords.

Nexus OTP can be either Nexus TruID Synchronized or Smart ID Mobile App (Personal Mobile) OTP, or any other OATH-based mobile OTP application, such as Google Authenticator or Microsoft Authenticator.

With the setup described in this article, Digital Access functions a RADIUS server and Check Point Security Gateway as a RADIUS client. Nexus TruID is used as an example below and is available for iOS, Android, and Windows. 


Expandall

Prerequisites

Expand
titlePrerequisites

Make settings in Digital Access

Expand
titleLog in to Digital Access Admin
  1. Log in to Digital Access Admin with an administrator account.


Expand
titleAdd Check Point firewall as a RADIUS client


Note

In step 3, enter the IP Address of the RADIUS Client (Check Point firewall) and the Shared Secret Key.

Excerpt Include
Set up RADIUS client in Digital Access
Set up RADIUS client in Digital Access
nopaneltrue


Expand
titleEnable authentication method

Nexus TruID Synchronized is used as an example. Other Nexus OTP authentication methods are enabled in a similar way.

Note
  • In step 3, select Nexus Synchronized as method.
  • When the default RADIUS replies are shown, click Next. You can also add your custom RADIUS replies or modify the default replies if required.

Excerpt Include
Set up authentication method in Digital Access
Set up authentication method in Digital Access
nopaneltrue

Make settings in Check Point security gateway

Expand
titleEnable Digital Access as RADIUS Server
  1. Open the Check Point SmartDashboard R77.
  2. In the Login window, complete the following fields, and then click Login.
    1. Username Enter your user name.

    2. Password Enter your password.

    3. Server name or IP Address Select the name or IP address of the server where Check Point Security Gateway is hosted.

    4. Read only Uncheck this option.

  3. In the Check Point SmartDashboard main window, in the left pane, under Network Objects, click Nodes > Node > Host.

  4. In the Host Node window, in the right pane, complete the following fields, and then click OK.

    1. Name Enter a name for the host node.

    2. IPv4 Address Enter the IP address of the RADIUS server.


Expand
titleCreate a RADIUS server object
  1. In the Check Point SmartDashboard main window, in the left pane, under Servers and OPSEC, expand Servers, right-click RADIUS, and then click New RADIUS.
  2. In the RADIUS Server Properties window, complete the following fields, and then click OK.
    1. Name Enter a name for the RADIUS server.

    2. Comment Enter any applicable comments.

    3. Color Select a color of your choice.

    4. Host Select the RADIUS server host node configured previously.

    5. Service Select NEW_RADIUS, which is associated with the port number 1812. (Cross check the configured radius port at HAG end).

    6. Shared Secret Enter the shared secret value. (The shared secret must be same as entered in HAG.)

    7. Version Select RADIUS ver. 2.0 Compatible.

    8. Protocol Select PAP.


Expand
titleCreate a user

Create a user with the defined authentication scheme to be able to log in SmartDashboard.

  1. On the Check Point SmartDashboard main window, in the left pane, under Users and Administrators, right-click Users, and then click New User > Default.
  2. In the User Properties window, in the right pane, in the User Name field, enter a name of the user.
  3. In the left pane, click Authentication.

  4. In the right pane, complete the following details, and then click OK.

    1. Authentication Scheme Select RADIUS.

    2. Select a RADIUS Server or Group of Servers Select the RADIUS server object you created previously.