topic VPN clients still using LDAP while RADIUS is configured in Endpoint

VPN clients still using LDAP while RADIUS is configured

AlainC — Fri, 28 Mar 2025 09:03:19 GMT

Hello,

I configured RADIUS between my CheckPoint Firewall and my Microsoft NPS. This is working fine, for example I can logon to Smartconsole with a user via RADIUS authentication. I checked the logs on the NPS, the account I use on the smartconsole login gets authenticated correctly via RADIUS.

In smartconsole, in gateway cluster properties, in VPN clients and in remote access, in authentication (single authentication client settings) I selected RADIUS (and the RADIUS server that is configured).

Just to be sure, in smartdashboard is added RADIUS in multiple authentication.

Also, in gateways in smartdashboard, it says: This gateway allows single authentication clients to connect using: RADIUS

But... when I connect my VPN user (88.62 vpn-client), it still uses LDAP. Something is forcing LDAP over the RADIUS properties I selected.

I've been looking for some time now but I don't seem to find why. I did not perform the setup of this firewall and I'm certainly no expert. Can somebody give me a (not too complex) hint?

Thanks

Re: VPN clients still using LDAP while RADIUS is configured

PhoneBoy — Fri, 28 Mar 2025 21:32:06 GMT

LDAP isn't used for authentication, it is used for authorization.
More specifically, it is used to retrieve groups for a given user.
This applies to both Remote Access and Identity Awareness.

Re: VPN clients still using LDAP while RADIUS is configured

the_rock — Fri, 28 Mar 2025 22:45:13 GMT

What Phoneboy said is 100% right...ldap is not used for authentication.

Andy

Re: VPN clients still using LDAP while RADIUS is configured

the_rock — Sat, 29 Mar 2025 18:41:24 GMT

Can you please send a screenshot of how that window is configured? I mean option for adding multiple auth methods...just blur out any sensitive data.

Andy

Re: VPN clients still using LDAP while RADIUS is configured

AlainC — Mon, 31 Mar 2025 08:24:39 GMT

I've also found a VPN_user template that can be set to radius (but is set to checkpoint password). I have no idea where/how this template is used or where it is configured to be used. Told you before, just an amateur on this subject.

@PhoneBoy thanks for the reply, but I don't have a clue what action I can perform based on that information

Re: VPN clients still using LDAP while RADIUS is configured

the_rock — Mon, 31 Mar 2025 10:50:20 GMT

I dont believe user template should matter much here, but auth order seems right to me. Do you have TAC case open for it?

Andy

Re: VPN clients still using LDAP while RADIUS is configured

PhoneBoy — Mon, 31 Mar 2025 16:08:08 GMT

Why are LDAP lookups done? Quite simple: you have LDAP Account Units defined.
With the exception of Azure/Entra ID users where the relevant groups are passed as part of the SAML Assertion (see https://support.checkpoint.com/results/sk/sk177267) or Internal Password users, an LDAP lookup is required to associate a given user to groups for the purposes of defining Access Roles for specific groups of users.
In other words, LDAP lookups are expected behavior in Remote Access configurations.

The only way to disable the LDAP lookups is to remove the LDAP Account Unit objects.
However, they are likely used for other purposes (i.e. Identity Awareness).

Re: VPN clients still using LDAP while RADIUS is configured

AlainC — Tue, 01 Apr 2025 08:09:30 GMT

Hello,

I'm not sure we're talking about the same thing...

It must be some simple detail somewhere...

Simplified Situation:

AD user xyz logs on to smartconsole. AD user xyz 's request to logon is directed to NPS and is seen in NPS (eventviewer).

The same AD user xyz logs on via Checkpoint VPN client. AD user xyz's logon request is not directed to NPS (nothing shows up in eventviewer).

Re: VPN clients still using LDAP while RADIUS is configured

AlainC — Tue, 01 Apr 2025 08:32:56 GMT

no case opened yet, I thought it would be a basic setting somewhere. I followed the procedure "Using RADIUS Authentication for Remote Access VPN" and had a little help from chatgpt. No luck 😞

Re: VPN clients still using LDAP while RADIUS is configured

PhoneBoy — Tue, 01 Apr 2025 14:44:27 GMT

It wasn't clear that the RADIUS part wasn't working.
You may need to delete/re-add the site on the VPN client if you change the authentication methods.

Re: VPN clients still using LDAP while RADIUS is configured

AlainC — Wed, 02 Apr 2025 07:10:39 GMT

FYI

I've opened a case -> reaction = since this is a new configuration, we don't give any support, we focus on resolving issues with existing configurations !!!! Really??!!

Re: VPN clients still using LDAP while RADIUS is configured

AlainC — Wed, 02 Apr 2025 07:19:24 GMT

I've deleted and re-added the site on a client but this doesn't help. I can see the request arriving directly into AD and not passing via Network Policy Server.

Re: VPN clients still using LDAP while RADIUS is configured

PhoneBoy — Wed, 02 Apr 2025 13:39:52 GMT

Are you using locally defined users?
If not, do you have an External User Profile defined in SmartDashboard?
If not, this is how you create it (and yes, I do mean legacy SmartDashboard):

Create this with the defaults:

Note if this profile exists in your environment, change the Authentication to Undefined.
Click the Save icon (upper left) in SmartDashboard, Publish and Install Policy in SmartConsole to relevant gateways.

Re: VPN clients still using LDAP while RADIUS is configured

AlainC — Thu, 03 Apr 2025 09:44:57 GMT

I've found the error I made!

I used the management server IP in NPS. I've put the correct IP (gateway). Now it works fine!

Sorry for the trouble!

Re: VPN clients still using LDAP while RADIUS is configured

the_rock — Thu, 03 Apr 2025 10:41:38 GMT

Good job!