Swivel can provide strong two-factor authentication to the Checkpoint Gaia appliance. This document outlines the details required to carry this out.
Checkpoint Gaia appliance version R77.30.
Working Checkpoint SmartConsole.
Note that modifications to the Connectra login page will affect ALL users (but not the administration page).
Use of the TURing, Security String Index or SMS Confirmed message will require the use of a NAT.
When a Swivel appliance VIP is used, the real IP address should be used and not the VIP. For redundancy select Primary and Secondary RADIUS servers, see VIP on PINsafe Appliances.
Enabling RADIUS Authentication in Gaia
You need to configure Swivel as an authentication server on the Gaia appliance.
- Open Smart Dashboard and log in.
- Under Network and Resources -> Hosts, configure the Swivel server as a new host. You just need to give it a name and add the IP address.
- Under Users and Authentication -> Authentication -> RADIUS Servers, create a new RADIUS server. Select Swivel as the host, “NEW-RADIUS” as the service, and enter the shared secret you previously set on the Swivel server. You can select RADIUS version 1 or 2, and PAP or MSChap as the protocol: Swivel will detect these protocols automatically. Note: When a Swivel appliance VIP is used, the real IP address should be used and not the VIP. For redundancy select Primary and Secondary RADIUS servers, see VIP on PINsafe Appliances.
You will also need to configure authentication for the relevant users. The simplest way to handle this is to create a new user group containing all users that will be using Swivel (if you do not already have one):
- Go to Users and Authentication -> Internal Users -> User Groups.
- Then under User Templates, create a new template, or modify an existing one, containing the relevant group, and set the authentication to RADIUS, using the Swivel server.
Don’t forget to save and install the policy once you have made all relevant changes.
Customising the Gaia Login Page
Enabling RADIUS Authentication in Connectra
NOTE: it is assumed here that you are familiar with Unix commands, in particular with the vi editor, as you will need to edit a file.
NOTE: There is an example LoginPage.php available which is the Login.php file with the modifications already included. This can be used for reference but may not be 100% suitable for specific installations and different Gaia versions.
Test the RADIUS authentication
At this stage it should be possible to authenticate by SMS, hardware token, Mobile Phone Client and Taskbar to verify that the RADIUS authentication is working for users. Browse to the SSL VPN login page and enter the username and, if being used, the password. From the Swivel Administration console select User Administration and the required user, then View Strings, and select an appropriate authentication string or OTC for the user. At the SSL VPN login enter the required OTC. Check the Swivel logs for a RADIUS success or rejected message. If no RADIUS message is seen, check that the Swivel RADIUS server is started and that the correct ports are being used.
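When no RADIUS message appears in the Swivel log it helps to rule out the Gaia side and send a single PAP Access-Request to the Swivel RADIUS server directly. The script below is an added example and is not Swivel or Check Point code; it builds the request as described in RFC 2865 (User-Password hidden with MD5 chained from the Request Authenticator), checks the Response Authenticator on whatever comes back, and reports Access-Accept or Access-Reject. The host, port 1812, shared secret, username and OTC are all assumed values you replace with your own; the offline functions let you check the packet format without a server.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
RADIUS_AUTH_PORT = 1812  # assumed: the port the Swivel RADIUS server listens on


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block),
    seeded with the Request Authenticator. The secret never travels on the wire."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does before checking the OTC)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; length counts the two header octets."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret: bytes, username: str, otc: str,
                         identifier: int, request_auth: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(secret, request_auth, otc.encode())))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_response(secret: bytes, code: int, identifier: int, request_auth: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server-side construction, used here only to produce test packets offline."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret: bytes, request_auth: bytes, response: bytes):
    """Return (code, reply_messages) if the Response Authenticator is valid, else None.
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(response) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return None
    attrs = response[20:]
    expected = hashlib.md5(response[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(response[4:20], expected):
        return None  # wrong shared secret or a forged/corrupted reply
    messages, pos = [], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            return None
        if atype == ATTR_REPLY_MESSAGE:
            messages.append(attrs[pos + 2:pos + alen].decode(errors="replace"))
        pos += alen
    return code, messages


def radius_check(host: str, secret: bytes, username: str, otc: str, timeout: float = 3.0) -> str:
    """Send one Access-Request to the Swivel server and describe the outcome."""
    request_auth = os.urandom(16)
    packet = build_access_request(secret, username, otc, identifier=1, request_auth=request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, RADIUS_AUTH_PORT))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: RADIUS server not started, wrong port, or NAS not defined"
    result = verify_response(secret, request_auth, reply)
    if result is None:
        return "reply failed authenticator check: shared secret mismatch?"
    code, messages = result
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    return f"{names.get(code, 'code %d' % code)} {messages}"


if __name__ == "__main__":
    # assumed values: replace with your Swivel server address, secret, user and current OTC
    print(radius_check("192.0.2.10", b"sharedsecret", "alice", "123456"))
```

Run it from a machine that is also defined as a NAS on the Swivel server; a silent timeout points at the NAS definition, port or firewall path, while a reply that fails the authenticator check means the shared secret entered in SmartDashboard does not match the one on the Swivel server.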
On the Swivel Administration console configure the RADIUS Server and NAS, see RADIUS Configuration.
Login to the Connectra
Configuring the RADIUS server
To modify the Connectra login page, you need to log into the console, either physically on the appliance or using an SSH client such as PuTTY (see the PuTTY How To Guide). Switch into expert mode.
Enabling Session creation with username
To allow the TURing image, PINpad and other single channel images to be requested by username, under Server/Single Channel set Allow session request by username to Yes.
Setting up Swivel Dual Channel Transports
With the changes in place, when a user accesses the Gaia portal they will see the modified login page.
After entering their username and either tabbing away from the username field or clicking the TURing button, they will be presented with a TURing image. The PINsafe log should record a session start for that user.
The user can then use their PIN to extract their one-time code and enter this to authenticate. The PINsafe log should record the RADIUS dialogue associated with this authentication.
Check the Swivel logs for TURing images and RADIUS requests.
For assistance with the Swivel Secure installation and configuration please first contact your reseller and then email Swivel Secure support at firstname.lastname@example.org