This article describes how to configure a Check Point Software SSL VPN device to authenticate users against an ESA Server. Before proceeding, verify that you've installed the RADIUS Server component of ESET Secure Authentication and can access the RADIUS service that allows external systems to authenticate users.
Before your Check Point Software SSL VPN device can use the ESA Server to authenticate users via RADIUS, it must be set up as a RADIUS client on the ESA Server. Next, your server running the ESA RADIUS service must be setup as a RADIUS Server on the Check Point Software SSL VPN device. Once these configurations have been specified, you can start logging into your Check Point Software SSL VPN device using ESA OTPs.
Step I - RADIUS client configuration
To allow the Check Point Software SSL VPN device to communicate with your ESA Server, you must configure the Check Point Software SSL VPN device as a RADIUS client on your ESA Server:
- Launch the ESA Management Console (found under Administrative Tools).
- Navigate to RADIUS Servers and locate the hostname of the server running the ESA RADIUS service.
- Right-click the hostname and select Add Client from the context menu.
- Configure a RADIUS client (see Figure 1-1).
- Click OK, you will be prompted to restart the RADIUS Service, do so from the Services control panel.
ESA has now been configured to communicate with the Check Point Software SSL VPN device. You must now configure the Check Point Software SSL VPN device to communicate with the ESA Server.
Step II - Configure your Check Point Software SSL VPN device
Follow the steps below:
- Open Check Point SmartDashboard.
- Expand the Servers and OPSEC Applications page.
- Right-click Servers and select New → RADIUS.
- Name your new server (for example, ESA).
- Click New next to the Host field.
- Select General Properties on the left.
- Add a name for the server (for example, ESAradserv).
- Enter the IPv4 address of your ESA RADIUS server.
- Click OK.
- Select New Radius (for port 1812) from the Service drop-down menu.
- Enter your shared secret, as shown in Figure 1-1.
- Select PAP as the protocol.
- Click OK.
Step III - Create a test user
- Navigate to and expand Users and Administrators.
- Right click Users and select New User → Default.
- Type the AD user name of your test user (for example, Alice) into the general tab under User Properties.
- In the Authentication tab:
- Set the authentication scheme to RADIUS.
- Select the server you created in section II.
- Click OK.
Step IV - Test the connection
To test the newly configured connection:
- Launch your Check Point Software SecureClient.
- Enter the credentials of your test user. Ensure that you are using an account with Mobile Application 2FA using ESA enabled. When prompted for a password, append the OTP generated by the Mobile Application to your AD password. For example, if the user has an AD password of Esa123 and an OTP of 999111, you should type Esa123999111.
If you are unable to authenticate via the ESA RADIUS server, make sure that you have performed the following steps:
- Run a smoke test against your RADIUS server, as per the “Verifying ESA RADIUS Functionality” document.
- If no faults were fixed and you are still unable to connect, revert to an existing sign-in configuration that does not use 2FA and verify that you are able to connect.
- If you are able to connect using the old settings, restore the new settings and verify that there is no firewall blocking UDP 1812 between you VPN device and your RADIUS server.
- If you are still unable to connect, contact ESET technical support.