topic Re: Radius accounting identity awarenesss in General Topics

Radius accounting identity awarenesss

SAROU237 — Sun, 13 Dec 2020 18:09:22 GMT

Hello,

I have a question about radius accounting :

Is it correct ? I understand that Radius accouting client is the gateway which send a request to the radius accounting server to get identities?

But in the documentation they said that " Identity Awareness Gateway configured as a RADIUS Accounting server." why ?

Re: Radius accounting identity awarenesss

PhoneBoy — Sun, 13 Dec 2020 18:20:33 GMT

Can you quote the precise areas of documentation you’re seeing these two different explanations?

Generally, the request is initiated from the RADIUS server (not us) to the RADIUS Accounting Server (a properly-configured Check Point gateway).
This is how RADIUS Accounting works.

Re: Radius accounting identity awarenesss

SAROU237 — Sun, 13 Dec 2020 20:54:45 GMT

Why does the request is initiated from the radius server ?

Because this is the gateway which need the information of a user, so he should make the request to the server. I don't understand

Re: Radius accounting identity awarenesss

PhoneBoy — Sun, 13 Dec 2020 21:18:26 GMT

Because that’s just not how RADIUS Accounting works.
By the way, our integration with Active Directory (either AD Query or Identity Collector) fundamentally the same way: we “subscribe” to an identity source to find out about what users are associated with what IP addresses.
The gateway will perform an LDAP query to determine what groups the user is a member of to calculate the appropriate Access Roles for that user.
This way, at the time the user tries to do something through the gateway, we’ll know precisely what policy applies.

There isn’t a standards-based mechanism for either RADIUS or Active Directory that I’m aware of that allows anyone to query “what user is associated with this IP.”
Not to mention; you’d have to hold the connection while the lookup is performed, creating a performance issue for end users.

Re: Radius accounting identity awarenesss

Chris_Atkinson — Sun, 13 Dec 2020 21:35:39 GMT

If our Captive Portal is being used for web based authentication then Radius might be configured as the authentication server.

This is different to Radius accounting where the user has already been authenticated maybe by connecting to a separate Wi-Fi solution and the radius messages are being sent on to Check Point as a means of letting us know who is already logged in with what IP address.