topic Re: Identity Awareness not authentic user through identity agent with Radius in Firewall and Security Management

Identity Awareness not authentic user through identity agent with Radius

FrankXie — Fri, 15 Jul 2022 01:59:31 GMT

Hello Expert

I am trying to setup identity awareness in my environment. But somehow I found my secureGateway never send radius authentication to my configured authentication server.

I always get this error

An error was detected while trying to authenticate against the AD server.
It may be a problem of bad configuration or connectivity.
Please refer to the troubleshooting guide for more help

Turning on pdp debug I can only find [15 Jul 13:40:34] [RADIUS (TD::Events)] pdp::PDPRadiusManager::~PDPRadiusManager: enter d'tor about radius.

TCPDUMP can't capture any packet with filter "port 1812".

Any idea?

Thanks

Frank

Re: Identity Awareness not authentic user through identity agent with Radius

Chris_Atkinson — Fri, 15 Jul 2022 08:13:02 GMT

Can you describe the flow in more detail?

Typically Identity Awareness integration based on Radius would be looking at Radius Accounting 1813.

Re: Identity Awareness not authentic user through identity agent with Radius

FrankXie — Fri, 15 Jul 2022 08:51:40 GMT

Thanks Chris

The first flow is download identity agent through portal after authenticate through ldap server which works fine and I also think it is not relevant.

Second flow is getting identity information through connecting identity agent. It is using user name and password authentication through radius server. Actually I am quite understand how this works because I don’t know there’s any group information in radius response. Anyway I got that error message and with pdp debug I can see it querying ad server but not sending authentication. Would it because my test account not in any ad server? And does it mean pdp query ad server to get identity information before sending radius authentication?

Cheers

Frank

Re: Identity Awareness not authentic user through identity agent with Radius

Chris_Atkinson — Fri, 15 Jul 2022 14:09:35 GMT

The relationship between the User Directories & Authentication is referenced in the admin guide, the user has to exist somewhere in a repository before it is authenticated.

Refer: Authentication Settings > User Directories

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topics-IDAG/Configuring-Identity-Agents-Configuring-Identity-Agents-in-SmartConsole.htm

Re: Identity Awareness not authentic user through identity agent with Radius

FrankXie — Sun, 17 Jul 2022 21:17:07 GMT

Thanks Chris

This make sense.

Just one problem, I am not able to specific user directory in IA authentication setting, no +/-. BTW, my firewall and smartconsole are version 81.10

Re: Identity Awareness not authentic user through identity agent with Radius

Chris_Atkinson — Mon, 18 Jul 2022 01:53:29 GMT

If you have the user directories such as an LDAP Account Unit already defined it should allow you to select it, if you need specific configuration for this gateway/cluster versus global. With that said their does appear to be a glitch in the UI when comparing the screens below as the +/- buttons aren't shown. Please report this to TAC if it's critical for your setup and I will also follow-up internally.

Identity Agent

Browser Based

Re: Identity Awareness not authentic user through identity agent with Radius

Chris_Atkinson — Tue, 19 Jul 2022 23:26:16 GMT

Check the Windows magnification level is not different than 100% [Display > Scale and layout] and it should work around the UI glitch in the interim.

Re: Identity Awareness not authentic user through identity agent with Radius

FrankXie — Tue, 19 Jul 2022 20:54:54 GMT

Thanks Chris

Sorry for the late reply.

I am talking about identity agent authentication.

Change display scale not help. 😞

Re: Identity Awareness not authentic user through identity agent with Radius

Chris_Atkinson — Wed, 20 Jul 2022 06:25:36 GMT

Did you relaunch the application after changing the scale setting? (It corrected the issue in my testing).

If the issue persists and or the "All Gateways Directories" option isn't suitable in your case please contact TAC.

Re: Identity Awareness not authentic user through identity agent with Radius

FrankXie — Wed, 20 Jul 2022 07:16:07 GMT

you absolutely right, relaunch application after changing display scale +/- shows. Thanks a lot, you really a expert.