Configure the Check Point SmartConsole

During this task we will configure Check Point to use the Okta RADIUS app.

Before you begin

  • Ensure that you have the common UDP port and secret key values available.

Define a RADIUS server object

  1. Launch the Check Point SmartConsole (Windows OS only).
  2. From the upper left corner menu, navigate to New object > New Host.

  3. Enter the following:
    • Name: A unique name for the host where the RADIUS server is installed. For example, MyHost.
    • IPv4 address: A unique IP address for the host where the RADIUS server is installed. For example, 192.168.1.101.
    • Click OK.
  4. From the upper left corner menu, navigate to New object > More object types > Server > More > New RADIUS, then enter the following:
    • Name: A unique name for the RADIUS server. For example, MyRADIUS.
    • Host: Select the Host you defined above.
    • Service: Change to NEW-RADIUS to match UDP port 1812 set in the RADIUS App earlier.
    • Shared Secret: Enter the RADIUS Secret defined in the Okta RADIUS App earlier.
    • Version: Select RADIUS Ver 2.0.
    • Protocol: Select PAP.
    • Priority: 1 is the default. Modify as needed when using multiple RADIUS servers.
    • Click OK.

  5. From the upper left corner menu, navigate to Global Properties > Advanced > SecuRemote/SecuClient, check add_radius_groups, then click OK.

  6. Define the RADIUS user groups.

    Note: It is not necessary to define RADIUS user groups if there is no requirement to use that group as a Participant User Group.

    • From the upper left corner menu, navigate to New object > More object types > User > New User Group.
    • Enter the name of the group in the following format: RAD_<group to which the RADIUS users belong>. Note: For older versions, the format might be different. Refer to your admin guide for details.

    • Make sure the group is empty. Click OK, then click Close.

Configure a policy to use RADIUS authentication

In this step, we'll describe the following two use cases:

Remote Access VPN client Example

  1. In the SmartConsole, edit the gateway object and select IPSec VPN.

  2. While editing the gateway object, select Link Selection in the IPSec VPN branch. If needed, also modify the gateway address to use the external gateway address.

  3. Select the VPN Clients > Office Mode branch and enable Allow Office Mode for all users using the default CP_default_Office_Mode_addresses_pool object.
  4. Navigate to VPN Clients > Authentication > Settings, then in the Single Authentication Clients Settings dialog, select RADIUS as the Authentication method and for Server, select the RADIUS server we created earlier. Click OK when done.

  5. Navigate to SECURITY POLICIES, then select Access Control. This displays Access Tools VPN Communities. Click VPN Communities. Double-click to open the RemoteAccess community, then click + (plus) to add the gateway.

  6. Click Participant User Groups and accept the default All Users.