Check Point Firewall VPN MFA Setup (R80/R81)

This guide describes how to configure Check Point Next Generation Firewalls to use Mideye Server as a RADIUS authentication source for Mobile Access and Remote Access VPN.

Supported versions

  • Check Point Security Gateway: R80.x / R81.x
  • SmartConsole: R80.x / R81.x
  • Mideye Server: 5.x / 6.x

Prerequisites

  • A running Mideye Server with RADIUS enabled (default UDP port 1812)
  • Check Point Security Gateway with Mobile Access or Remote Access VPN blade enabled
  • SmartConsole access to configure server objects and policies
  • Network connectivity between the Check Point gateway and Mideye Server on UDP port 1812

1. Create a host object for Mideye Server

Create a host object in SmartConsole representing the server running Mideye Server.

  1. In SmartConsole, open the Object Explorer.
  2. Choose New → Host.
  3. Enter a descriptive name (e.g. mideye1.example.com) and set the IPv4 Address to the IP address where the Mideye Server RADIUS service is running.
  4. Click OK to save.

2. Create a RADIUS server object

  1. In Object Explorer, choose New → More → Server → RADIUS.
  2. Configure the RADIUS server object:
    • Name: enter a descriptive name (e.g. Mideye-RADIUS-1)
    • Host: select the host object created in step 1
    • Shared Secret: enter the shared secret that matches the Mideye Server RADIUS client configuration. If Mideye Server is not yet configured, choose a shared secret here and add it to Mideye Server later.
    • Version: select RADIUS Ver. 2.0
    • Protocol: set to PAP (required for Mideye RADIUS authentication)
    • Service: verify the service object matches the port Mideye Server is listening on (RADIUS standard port is UDP/1812)
  3. Click OK to save.
  4. Repeat for each additional server if redundant Mideye Servers are used.

3. Create a RADIUS server group

Check Point uses RADIUS server groups for high availability. Each server in the group is assigned a priority; if the highest-priority server fails, the next one takes over.

  1. In Object Explorer, choose New → More → Server → RADIUS Group.
  2. Name the group (e.g. Mideye-RADIUS-Group) and add each Mideye RADIUS server. Set appropriate priorities if redundancy is configured (lower numbers indicate higher priority).
  3. Click OK to save.

4. Configure authentication method on gateway

  1. Open the Gateway or Gateway Cluster object in SmartConsole.
  2. Navigate to Mobile Access → Authentication.
  3. Under Multiple Authentication Clients Settings, click Add → New to create a new login option for Mideye RADIUS authentication.
  4. Set a display name (e.g. Mideye MFA) and add RADIUS as an authentication factor. Select the RADIUS Server Group created in step 3.
  5. Click OK and install the policy on the gateway.

5. Increase the RADIUS timeout

The RADIUS timeout must be increased to allow enough time for MFA authentication (e.g. push notification approval or OTP entry).

  1. In SmartConsole, open Global Properties.
  2. Navigate to FireWall-1 → Authentication → RADIUS.
  3. Set radius_retrant_num to 1.
  4. Set radius_retrant_timeout to 35.
  5. Click OK and install the policy on the gateway.

6. Add Check Point as a RADIUS client in Mideye Server

Add each Check Point gateway IP address as a RADIUS client in Mideye Server, using the same shared secret entered in the RADIUS server object (step 2).

See RADIUS Clients in the reference guide.
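As an added pre-flight check (not part of this guide or of the Mideye product), the script below sends a single PAP Access-Request to Mideye Server with the same timeout and retransmit values configured above, and validates the Response Authenticator so that a shared-secret mismatch is reported separately from a timeout. Run it from a host that is registered as a RADIUS client in Mideye Server; the host name, the secret, and the reading of radius_retrant_num as a retransmit count are assumptions.

```python
import hashlib, os, secrets, socket, struct

RADIUS_HOST = "mideye1.example.com"   # assumed: the host object from step 1
RADIUS_PORT = 1812                    # UDP/1812, as set in the RADIUS server object
TIMEOUT_SECONDS = 35                  # radius_retrant_timeout from Global Properties
RETRANSMITS = 1                       # radius_retrant_num (assumed to mean retransmissions)

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: each 16-byte chunk XORed with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident, username, password, secret, authenticator) -> bytes:
    """Code 1 = Access-Request carrying User-Name (1) and a PAP User-Password (2)."""
    attrs = b""
    for attr_type, value in ((1, username.encode()), (2, pap_encrypt(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(header: bytes, request_authenticator: bytes, attrs: bytes, secret: bytes) -> bytes:
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()  # RFC 2865 section 3

def response_is_authentic(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """A reply signed with a different secret, or truncated, must not be trusted."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = response_authenticator(response[:4], request_authenticator, response[20:], secret)
    return secrets.compare_digest(expected, response[4:20])

def check_radius(username: str, password: str, secret: bytes, host=RADIUS_HOST, port=RADIUS_PORT) -> str:
    """Send one Access-Request with the same timeout and retransmit budget the gateway will use."""
    ident, auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, username, password, secret, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(TIMEOUT_SECONDS)
        for _ in range(RETRANSMITS + 1):
            sock.sendto(packet, (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            if data[1] != ident or not response_is_authentic(data, auth, secret):
                return "unexpected reply or bad authenticator: check the shared secret"
            return {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}.get(data[0], "unexpected code")
    return "no reply within timeout: check UDP/1812 reachability and the RADIUS client entry in Mideye Server"
```

Call check_radius("someuser", "password-plus-otp", b"your-shared-secret") with a test account; an Access-Challenge indicates the server is waiting for the second factor, which is the point at which the 35 second timeout matters.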

Troubleshooting

  • Authentication fails or times out: verify radius_retrant_timeout is set to 35 in Global Properties.
  • No RADIUS logs in Mideye Server: verify UDP port 1812 is open between the Check Point gateway and Mideye Server.
  • Shared secret mismatch: ensure the secret in the RADIUS server object matches the Mideye RADIUS client configuration.
  • Redundancy not working: verify server priorities in the RADIUS server group; lower numbers have higher priority.

Notes

  • Check Point uses UDP for RADIUS communication; ensure firewall rules allow UDP port 1812 (or your configured port) between Check Point and Mideye Server.
  • RADIUS server objects within a group can be prioritized; lower priority numbers indicate higher preference.
  • Both Mobile Access and Remote Access VPN blades support RADIUS authentication with Mideye.