IDM integration with Check Point

Matlu — Wed, 29 Oct 2025 22:29:39 GMT

Hello.
I have a Redhat IDM, which basically performs “identity management,” and we want to use this product to authenticate remote VPN connection users on our Check Point virtual firewall (VS).
Is it possible, or rather, is it compatible to integrate this product with Check Point?
Can the product be integrated with LDAP or RADIUS?
We have an MDS and VSX environment in version R81.20.
Thank you for your comments.

Re: IDM integration with Check Point

the_rock — Wed, 29 Oct 2025 23:40:57 GMT

Hey bro,

AI says it can be, but who knows, I would still verify with TAC.

****************************************

Short answer: Yes — Red Hat IdM (FreeIPA) can be integrated with Check Point R81.20 VS/VSX for VPN user authentication.
You have two practical options that Check Point supports: LDAP/LDAPS (directly against IdM’s LDAP directory) or RADIUS (Check Point authenticates to a RADIUS server, and that RADIUS server is backed by IdM/FreeIPA). Both approaches are commonly used; which is best depends on your needs (group-sync, MFA, OTP, logging, client support). (support.checkpoint.com)

Below is a compact comparison and a practical checklist + gotchas to help you plan.

1) LDAP (direct) — simplest for user lookups

What it does

Check Point queries IdM over LDAP/LDAPS to authenticate users or to read group membership (you can bind as the user or do a service bind and check credentials depending on method).
When to use
When you only need username/password verification and group lookups from IdM (e.g., to map users to VPN communities).
How to configure (high level)
In SmartConsole: add a User Directory / LDAP object pointing to your IdM servers. Use LDAPS (TCP 636) or LDAP+STARTTLS — do not use plaintext LDAP in production. Configure Base DN, Bind DN (service account) or allow bind-as-user depending on method the appliance supports. Map the group attribute used by IdM. Test with the SmartConsole test button. (support.checkpoint.com)
Pros / Cons
- Simpler (no extra box).
− Some Check Point Identity Awareness features are AD-focused (AD event log queries & agent-based mappings); LDAP-only backends may not provide the same IP↔user mapping features as AD-based Identity Awareness. If you need deep Identity Awareness (clientless AD log parsing, WMI queries, AD events), expect limitations. (sc1.checkpoint.com)

2) RADIUS (recommended if you want MFA, OTP, or an authentication proxy)

What it does

Check Point talks RADIUS to a RADIUS server (FreeRADIUS, Duo RADIUS proxy, Okta RADIUS, etc.). That RADIUS server in turn authenticates users against IdM (either via LDAP/SSSD/PAM or via FreeIPA-specific integrations). This is the most flexible approach for adding MFA/OTP later. (support.checkpoint.com)
When to use
If you want to add 2FA/MFA, use OTP tokens, or decouple Check Point from directory schema changes. Also useful if multiple directories or third-party MFA need to be combined.
How to configure (high level)

Install/configure FreeRADIUS (or other RADIUS) and configure Check Point gateway(s) as RADIUS clients (shared secret, IP, ports 1812/1813). Check Point has SKs describing how to configure RADIUS clients/attributes. (support.checkpoint.com)
Configure FreeRADIUS to authenticate against FreeIPA/IdM. Common methods: LDAP module (query FreeIPA LDAP), PAM module (sssd/pam), or use FreeIPA’s documented FreeRADIUS integration / OTP support. There are FreeIPA guides showing how to integrate with FreeRADIUS for OTP and password authentication. (freeipa.org)
In SmartConsole, create a RADIUS server object and set your VPN Authentication to use that RADIUS server (and map groups/attributes if needed). Test end-to-end. (support.checkpoint.com)
Pros / Cons

- Flexible: easy to add MFA, per-service policies, logging, failover.
− Requires running and securing an extra server (FreeRADIUS), but that gives more control.

Practical recommendations & gotchas

Use LDAPS (TLS) whenever possible. If you use LDAP binds, use a service account and LDAPS. FreeIPA provides certs and supports LDAPS. (Red Hat Docs)
Test group-to-community mapping. Make sure the attribute/structure used by IdM for groups is what Check Point expects (you may need to adjust Base DN or group filter). (support.checkpoint.com)
Identity Awareness differences. Check Point’s Identity Awareness functionality is most feature-complete for Active Directory. If you rely on AD-only features (clientless identity from Windows event logs, WMI queries), those may not work with FreeIPA/IdM. Plan on limited IP↔user mapping unless you add supplementary solutions. (sc1.checkpoint.com)
RADIUS attributes and dictionaries. If you use FreeRADIUS, copy Check Point’s RADIUS dictionary into FreeRADIUS so that accounting/attributes are handled properly. Check Point SKs cover the specifics. (support.checkpoint.com)
MDS / VSX note: In an MDS environment, make sure the authentication object(s) are configured in the correct domain and that policies are pushed to the relevant VS/VSX instances. Authentication config is per-gateway / per-domain scope in SmartConsole. (sc1.checkpoint.com)
High availability: If you use LDAP directly, point Check Point at multiple IdM replicas and use LDAPS; if using RADIUS, deploy redundant RADIUS servers and configure multiple RADIUS server objects in SmartConsole.

Useful references (to follow step-by-step)

Check Point SK — LDAP config for Remote Access VPN (how to add LDAP user directory & test). (support.checkpoint.com)
Check Point SK — How to configure RADIUS on Gaia / FreeRADIUS tips. (support.checkpoint.com)
Check Point Identity Awareness / Admin Guide (notes on AD vs other directories and what features expect AD). (sc1.checkpoint.com)
FreeIPA / FreeRADIUS how-tos (examples of using FreeIPA with FreeRADIUS for OTP and RADIUS-based authentication). (freeipa.org)