topic Re: R81.20 Browser-Based Authentication with RADIUS – “Bad username or password” in Firewall and Security Management

R81.20 Browser-Based Authentication with RADIUS – “Bad username or password”

abutayyab — Fri, 02 Jan 2026 16:32:41 GMT

Hey all,

I have a Check Point R81.20 (JHF 119) Security Gateway deployed on an Open Server for a customer. The customer is looking to implement Browser-Based Authentication (Captive Portal) for known users, with FreeRADIUS as the backend authentication source. The FreeRADIUS server is running on Ubuntu 24.04, and users are defined locally with Cleartext-Password entries.

I have followed the R81.20 Identity Awareness Admin Guide to configure Browser-Based Authentication using RADIUS. However, when a user attempts to authenticate via the Captive Portal, I consistently see “Bad username or password” events in SmartView Logs.

The key observation is that no RADIUS Access-Request packets are sent from the gateway:

- tcpdump on the gateway (any interface, port 1812) shows no outbound RADIUS traffic
- No packet drops are observed on the gateway
- This suggests the authentication failure is occurring locally on the gateway before RADIUS is invoked

Below are the relevant configuration snippets from the Check Point gateway (Browser-Based Authentication settings, RADIUS server object, and Access Control rule).

Authentication SettingsPortal SettingsFreeradius object

I would appreciate any help in this regard:

- Any known R81.20 caveats or prerequisites specific to Browser-Based Authentication with RADIUS?
- Is there a built-in CLI tool to test RADIUS authentication from the gateway, similar to test_ad_connectivity.sh for AD?

Thanks in advance for your help.

Regards,
Abdul Tayyeb R.

Re: R81.20 Browser-Based Authentication with RADIUS – “Bad username or password”

the_rock — Fri, 02 Jan 2026 16:43:22 GMT

Under accessibility settings, is it set to all interfaces or only internal?

Re: R81.20 Browser-Based Authentication with RADIUS – “Bad username or password”

the_rock — Fri, 02 Jan 2026 17:04:43 GMT

@abutayyab I was referring to below.

Re: R81.20 Browser-Based Authentication with RADIUS – “Bad username or password”

abutayyab — Fri, 02 Jan 2026 18:42:10 GMT

It's set to "Through internal interfaces". The captive portal is accessible. Had there been some issue with accessibility settings, the captive portal itself wouldn't have shown up in that case.

Re: R81.20 Browser-Based Authentication with RADIUS – “Bad username or password”

the_rock — Fri, 02 Jan 2026 18:43:25 GMT

True, makes sense. So you dont see anything on port 1812 outbound at all?

Re: R81.20 Browser-Based Authentication with RADIUS – “Bad username or password”

Lesley — Fri, 02 Jan 2026 19:52:53 GMT

You need to configure where the fw has to look for the users. No options are selected user directories

User Directories - Select one or more places where the Security Gateway searches to find users when they try to authenticate.
- Internal users - The directory of internal users.
- LDAP users - The directory of LDAP users. Either:
  - Any - Users from all LDAP servers.
  - Specific - Users from an LDAP server that you select.
- External user profiles - The directory of users who have external user profiles.

Re: R81.20 Browser-Based Authentication with RADIUS – “Bad username or password”

the_rock — Fri, 02 Jan 2026 20:00:11 GMT

Totally valid point...I missed that from the screenshots, but its 100% required.

Re: R81.20 Browser-Based Authentication with RADIUS – “Bad username or password”

abutayyab — Sat, 03 Jan 2026 01:34:45 GMT

I have already selected "External user profiles". Do I need to select something else here? While troubleshooting the issue, I had selected all 3 directory options hoping to resolve the issue, but then I ended up getting a different error as mentioned below:

"An error was detected while trying to authenticate against the AD server. It may be a problem of bad configuration or connectivity. Please refer to the troubleshooting guide for more help"

Re: R81.20 Browser-Based Authentication with RADIUS – “Bad username or password”

the_rock — Sat, 03 Jan 2026 01:47:56 GMT

That could be AD server issue...any relevant logs there?

Re: R81.20 Browser-Based Authentication with RADIUS – “Bad username or password”

Lesley — Sat, 03 Jan 2026 11:51:24 GMT

Does your LDAP account unit work correctly? Able to fetch finger print? Do you see identities in the firewall logs? Able to search LDAP groups and use them in the rulebase from SmartConsole? I would use LDAP users instead of External

Re: R81.20 Browser-Based Authentication with RADIUS – “Bad username or password”

abutayyab — Sat, 03 Jan 2026 16:33:12 GMT

There is NO LDAP server in the network. There's only one RADIUS server that has users/contractors defined. And I want these users to be authenticated before they're given Internet access. Is something wrong with my setup?

Re: R81.20 Browser-Based Authentication with RADIUS – “Bad username or password”

Vincent_Bacher — Sat, 03 Jan 2026 19:28:12 GMT

Yes. LDAP users are enabled but no LDAP directory exists. With Browser-Based Authentication the gateway must first resolve the user in a selected directory before RADIUS is used. Since LDAP lookup fails, authentication stops locally and never reaches RADIUS. Disable LDAP users and use Internal Users or External User Profiles that authenticate via RADIUS.

Re: R81.20 Browser-Based Authentication with RADIUS – “Bad username or password”

the_rock — Sat, 03 Jan 2026 20:03:55 GMT

Makes perfect sense!