https://community.checkpoint.com/t5/SASE-and-Remote-Access/White-Paper-Using-RADIUS-Authentication-for-Remote-Access-VPN/m-p/58763#M12253 <P>I followed this document to the "T" and in R80.30 the generic* user is not being honored by the gateway.&nbsp; Has anyone seen this issue? Is it a known issue?&nbsp;&nbsp;</P><P>&nbsp;</P><P>In prior versions when a user tried to log in, given that the add_radius_groups was set to "true", the user group associated to generic* would be sent to the radius server as part of the login request. Now I am simply getting a "user doesn't belong to remote access community error" and when i hard code the "Authentication" on the gateway to user Radius the user is not able to log in either because the attributes are not being sent along.&nbsp; The same behavior i seen in lab I'm seeing at customer site.</P><P>&nbsp;</P><P>LAB SO DOESN"T MATTER IP ADDRESSES ARE NOT SANITIZED:</P><P>&nbsp;</P><P>19:27:51.323746 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 155) 192.168.50.1.49472 &gt; 192.168.50.55.1812: RADIUS, length: 127<BR />Access Request (1), id: 0x18, Authenticator: 34025483c7e43062d12e3846302ff6c9<BR />Username Attribute (1), length: 13, Value: jconcepcion<BR />0x0000: 6a63 6f6e 6365 7063 696f 6e<BR />Vendor Specific Attribute (26), length: 24, Value: Vendor: Microsoft (311) [|radius]<BR />0x0000: 0000 0137 0b12 7cc3 4ddb 54df 1535 4a37<BR />0x0010: b076 a4 [|radius]<BR />19:27:51.503001 IP (tos 0x0, ttl 128, id 24824, offset 0, flags [DF], proto: UDP (17), length: 70) 192.168.50.55.1812 &gt; 192.168.50.1.49472: [udp sum ok] RADIUS, length: 42<BR />Access Reject (3), id: 0x18, Authenticator: 3afb744dbb91ca21d1c38dff25e5af66<BR />Vendor Specific Attribute (26), length: 22, Value: Vendor: Microsoft (311)<BR />Vendor Attribute: 2, Length: 14, Value: .E=649 R=0 V=3<BR />0x0000: 0000 0137 0210 0045 3d36 3439 2052 3d30<BR />0x0010: 2056 3d33<BR />19:31:15.985985 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 91) 192.168.50.1.35094 &gt; 192.168.50.55.1812: RADIUS, length: 63<BR />Access Request (1), id: 0x19, Authenticator: 76309a24680ac47f73e0cfb13c9450fd<BR />Username Attribute (1), length: 13, Value: jconcepcion<BR />0x0000: 6a63 6f6e 6365 7063 696f 6e<BR />Password Attribute (2), length: 18, Value:<BR />0x0000: 8a11 5436 8b6f 29c1 c75c 13cb c26f 63d4<BR />Service Type Attribute (6), length: 6, Value: [|radius]<BR />0x0000: 00 [|radius]<BR />19:31:15.989658 IP (tos 0x0, ttl 128, id 6831, offset 0, flags [DF], proto: UDP (17), length: 48) 192.168.50.55.1812 &gt; 192.168.50.1.35094: [udp sum ok] RADIUS, length: 20<BR />Access Reject (3), id: 0x19, Authenticator: 1c66bf4f6ab54a90323b40cd0a474f9d</P> Tue, 23 Jul 2019 02:05:50 GMT Juan_Concepcion 2019-07-23T02:05:50Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/White-Paper-Using-RADIUS-Authentication-for-Remote-Access-VPN/m-p/53659#M12252 <H3>Author</H3> <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/4095">@Samuel_Shiflett</a>&nbsp;</P> <H3>Abstract:</H3> <P>This guide will show step by step instructions for configuring Remote Access VPN to utilize RADIUS authentication. There is also an appendix that includes instructions for integrating DUO MFA with a Check Point Remote Access Gateway.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>For the full list of White Papers, <A href="https://community.checkpoint.com/t5/General-Topics/White-Papers-Publishing-Project/m-p/53242#M10603" target="_blank">go here</A>.&nbsp;</P> <P>&nbsp;</P> Mon, 08 Jul 2019 13:00:25 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/White-Paper-Using-RADIUS-Authentication-for-Remote-Access-VPN/m-p/53659#M12252 _Val_ 2019-07-08T13:00:25Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/White-Paper-Using-RADIUS-Authentication-for-Remote-Access-VPN/m-p/58763#M12253 <P>I followed this document to the "T" and in R80.30 the generic* user is not being honored by the gateway.&nbsp; Has anyone seen this issue? Is it a known issue?&nbsp;&nbsp;</P><P>&nbsp;</P><P>In prior versions when a user tried to log in, given that the add_radius_groups was set to "true", the user group associated to generic* would be sent to the radius server as part of the login request. Now I am simply getting a "user doesn't belong to remote access community error" and when i hard code the "Authentication" on the gateway to user Radius the user is not able to log in either because the attributes are not being sent along.&nbsp; The same behavior i seen in lab I'm seeing at customer site.</P><P>&nbsp;</P><P>LAB SO DOESN"T MATTER IP ADDRESSES ARE NOT SANITIZED:</P><P>&nbsp;</P><P>19:27:51.323746 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 155) 192.168.50.1.49472 &gt; 192.168.50.55.1812: RADIUS, length: 127<BR />Access Request (1), id: 0x18, Authenticator: 34025483c7e43062d12e3846302ff6c9<BR />Username Attribute (1), length: 13, Value: jconcepcion<BR />0x0000: 6a63 6f6e 6365 7063 696f 6e<BR />Vendor Specific Attribute (26), length: 24, Value: Vendor: Microsoft (311) [|radius]<BR />0x0000: 0000 0137 0b12 7cc3 4ddb 54df 1535 4a37<BR />0x0010: b076 a4 [|radius]<BR />19:27:51.503001 IP (tos 0x0, ttl 128, id 24824, offset 0, flags [DF], proto: UDP (17), length: 70) 192.168.50.55.1812 &gt; 192.168.50.1.49472: [udp sum ok] RADIUS, length: 42<BR />Access Reject (3), id: 0x18, Authenticator: 3afb744dbb91ca21d1c38dff25e5af66<BR />Vendor Specific Attribute (26), length: 22, Value: Vendor: Microsoft (311)<BR />Vendor Attribute: 2, Length: 14, Value: .E=649 R=0 V=3<BR />0x0000: 0000 0137 0210 0045 3d36 3439 2052 3d30<BR />0x0010: 2056 3d33<BR />19:31:15.985985 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 91) 192.168.50.1.35094 &gt; 192.168.50.55.1812: RADIUS, length: 63<BR />Access Request (1), id: 0x19, Authenticator: 76309a24680ac47f73e0cfb13c9450fd<BR />Username Attribute (1), length: 13, Value: jconcepcion<BR />0x0000: 6a63 6f6e 6365 7063 696f 6e<BR />Password Attribute (2), length: 18, Value:<BR />0x0000: 8a11 5436 8b6f 29c1 c75c 13cb c26f 63d4<BR />Service Type Attribute (6), length: 6, Value: [|radius]<BR />0x0000: 00 [|radius]<BR />19:31:15.989658 IP (tos 0x0, ttl 128, id 6831, offset 0, flags [DF], proto: UDP (17), length: 48) 192.168.50.55.1812 &gt; 192.168.50.1.35094: [udp sum ok] RADIUS, length: 20<BR />Access Reject (3), id: 0x19, Authenticator: 1c66bf4f6ab54a90323b40cd0a474f9d</P> Tue, 23 Jul 2019 02:05:50 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/White-Paper-Using-RADIUS-Authentication-for-Remote-Access-VPN/m-p/58763#M12253 Juan_Concepcion 2019-07-23T02:05:50Z