topic Re: Identity Awareness - RADIUS Accounting mode in General Topics

Identity Awareness - RADIUS Accounting mode

Zdenek_Rottenbe — Mon, 16 Apr 2018 19:39:35 GMT

I performed testing of Identity Awareness in my lab (RADIUS Accounting mode only) and found some problems I am not able to explain. I would really appreciate any comments to the following:

- userAccountControl LDAP attribute is ignored by IA. If a user is locked out, it is allowed to access a network. Is this correct behaviour or I misconfigured something?

- the same thing happen when I tried to authorize user based on fw1user (objectClass) LDAP attributes.

- direct mapping of user/machine to group directly on CP firewall by issuing command 'pdp radius groups set -u 26 -a 1 -c 9 -d ","' does not work correctly in case several Vendor-Specific RADIUS AV pairs are included within RADIUS accounting-request. How can I correctly used the command to assign group membership if the following attributes comes to CP firewall within one accounting-request?

Cisco-AVPair = "ssid=ssid01"
Cisco-AVPair = "vlan-id=30"
Cisco-AVPair = "nas-location=unspecified"

I want to assign group membership based on the first AV pair.

Thank you very much for any comments.

In case somebody is interested, I included all my findings from the lab in attached document.

Best regards,

Re: Identity Awareness - RADIUS Accounting mode

PhoneBoy — Sat, 21 Apr 2018 05:03:05 GMT

Is the userAccountControl sent as part of the RADIUS Accounting request?

If it's not, then based on the fact you're attempting to fetch groups from the RADIUS accounting requests, it probably won't even see it.

Re: Identity Awareness - RADIUS Accounting mode

Zdenek_Rottenbe — Tue, 24 Apr 2018 15:40:16 GMT

Hi,

no, userAccountControl is LDAP attribute use to signalize a status of a user account (for example account is lockout, see more detail here: http://jackstromberg.com/2013/01/useraccountcontrol-attributeflag-values/). I would expect that when CP firewall receives RADIUS account-request with information about a username, it connects to LDAP database and check whether the user exists within LDAP database. This is usually done by initiating ldap search request towards a LDAP database. If user is found, the firewall also receives additional user attributes like userAccountControl or memberOf attributes, that can be used to further authorize a user. In case a user has lockout flag set, a CP firewall should not allow a user to access a network. That is my understanding. From my lab I know that userAccountControl attribute is ignored by CP firewall (or maybe I have misconfigured something). The same thing happens also when I tried to use Check Point ldap attributes like fw1day (see CP_R80.10_SecurityManagement_AdminGuide.pdf page 195). This attribute should control when a user can access a network. This attribute seems to be also ignored by CP firewall. So, the question is whether this should work or not.

Thank you very much for any help that you are able to provide.

Re: Identity Awareness - RADIUS Accounting mode

PhoneBoy — Tue, 24 Apr 2018 17:51:54 GMT

The RADIUS piece is used for authentication.

Authorization is, of course, a different matter.

As near as I can tell, we do not read the userAccountControl attribute.

However, we can create it when using UserDirectory (with a default setting).

I suppose it's possible to create a group where the userAccountControl attribute is set a particular way and create a rule denying access to that group.
However, not sure this is possible.