https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-RADIUS-Groups-RAD-lt-Group-gt-to-Assign-Permissions/m-p/123794#M8317 <P>Hi,<BR /><BR />(The whole post is attached as pdf for readability purpose)</P><P>Any idea on what goes wrong?</P><UL><LI>Run on R80.40 VSX,</LI><LI>Client is Endpoint Security VE84.70 Build 986200225 (MACOS)</LI><LI>Radius authentication to NPS Windows Server 2012R2<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Radius.jpg" style="width: 151px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12541i31B7883BD5077E59/image-size/large?v=v2&amp;px=999" role="button" title="Radius.jpg" alt="Radius.jpg" /></span><BR /><BR /></LI><LI>Configuration according to attached Checkpoint documentation (Radius authentication – Compatibility Mode)</LI><LI>2 accesss roles , matching 2 Policy Groups defined on the Radius/NPS server<BR />1 access role, matching “any user"<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="denvin_1-1626255488760.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12537i45F41A1800D00D89/image-size/medium?v=v2&amp;px=400" role="button" title="denvin_1-1626255488760.png" alt="denvin_1-1626255488760.png" /></span><P>&nbsp;</P></LI><LI>vpnd.elg shows 3 radisu update for user groups attr. 26. None of them are known by the db<BR /><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><BR /><FONT size="2">3217 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_by_reply: calling handler<STRONG> for attr 26.</STRONG></FONT><BR /><FONT size="2">3218 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): start. do_radgroups=1</FONT><BR /><FONT size="2">3219 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): Looking for group RAD_ S=83DEE04C8210C8AEBEB06357B72B078848BE87DC in db</FONT><BR /><FONT size="2">3220 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): group RAD_ S=83DEE04C8210C8AEBEB06357B72B078848BE87DC not found in db</FONT><BR /><FONT size="2">3221 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups: didn't add group [RAD_ S=83DEE04C8210C8AEBEB06357B72B078848BE87DC]</FONT><BR /><FONT size="2">3222 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): Looking for group RAD_€yUŽŠôpF,6Þä{?*_EXhùót)06`"8Æ@¾ in db</FONT><BR /><FONT size="2">3223 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): group RAD_€yUŽŠôpF,6Þä{?*_EXhùót)06`"8Æ@¾ not found in db</FONT><BR /><FONT size="2">3224 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups: didn't add group [RAD_€yUŽŠôpF,6Þä{?*_EXhùót)06`"8Æ@¾]</FONT><BR /><FONT size="2">3225 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): Looking for group RAD_€zÈ«+®N…–â…ËÆ莙j°iÕé3Óz†#m$Ôå¡® in db</FONT><BR /><FONT size="2">3226 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): group RAD_€zÈ«+®N…–â…ËÆ莙j°iÕé3Óz†#m$Ôå¡® not found in db</FONT><BR /><FONT size="2">3227 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups: didn't add group [RAD_€zÈ«+®N…–â…ËÆ莙j°iÕé3Óz†#m$Ôå¡®]</FONT><BR /><FONT size="2">3228 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_callback(au=947d980): daemon: other, login info: valid, server object: valid, src_ip: 0</FONT></LI></UL><P>&nbsp;</P><UL><LI>Log shows:<BR /><BR />Source User Group: All Users<BR />Roles :&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; AccessRole_AllUsers<BR /><BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Log shows.jpg" style="width: 297px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12538i77869AB1464446C3/image-size/large?v=v2&amp;px=999" role="button" title="Log shows.jpg" alt="Log shows.jpg" /></span><P>&nbsp;</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV></LI></UL><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><UL><LI>Only rule 17 is matched<BR /><P>&nbsp;</P></LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Only rule 17.jpg" style="width: 698px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12540i91FAAD8C9D5B2C04/image-size/large?v=v2&amp;px=999" role="button" title="Only rule 17.jpg" alt="Only rule 17.jpg" /></span><BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><P>I will be happy to read your suggestions and/or comments</P><P>&nbsp;</P><P>Best Regards</P> Wed, 14 Jul 2021 11:13:39 GMT DVI 2021-07-14T11:13:39Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-RADIUS-Groups-RAD-lt-Group-gt-to-Assign-Permissions/m-p/123794#M8317 <P>Hi,<BR /><BR />(The whole post is attached as pdf for readability purpose)</P><P>Any idea on what goes wrong?</P><UL><LI>Run on R80.40 VSX,</LI><LI>Client is Endpoint Security VE84.70 Build 986200225 (MACOS)</LI><LI>Radius authentication to NPS Windows Server 2012R2<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Radius.jpg" style="width: 151px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12541i31B7883BD5077E59/image-size/large?v=v2&amp;px=999" role="button" title="Radius.jpg" alt="Radius.jpg" /></span><BR /><BR /></LI><LI>Configuration according to attached Checkpoint documentation (Radius authentication – Compatibility Mode)</LI><LI>2 accesss roles , matching 2 Policy Groups defined on the Radius/NPS server<BR />1 access role, matching “any user"<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="denvin_1-1626255488760.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12537i45F41A1800D00D89/image-size/medium?v=v2&amp;px=400" role="button" title="denvin_1-1626255488760.png" alt="denvin_1-1626255488760.png" /></span><P>&nbsp;</P></LI><LI>vpnd.elg shows 3 radisu update for user groups attr. 26. None of them are known by the db<BR /><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><BR /><FONT size="2">3217 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_by_reply: calling handler<STRONG> for attr 26.</STRONG></FONT><BR /><FONT size="2">3218 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): start. do_radgroups=1</FONT><BR /><FONT size="2">3219 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): Looking for group RAD_ S=83DEE04C8210C8AEBEB06357B72B078848BE87DC in db</FONT><BR /><FONT size="2">3220 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): group RAD_ S=83DEE04C8210C8AEBEB06357B72B078848BE87DC not found in db</FONT><BR /><FONT size="2">3221 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups: didn't add group [RAD_ S=83DEE04C8210C8AEBEB06357B72B078848BE87DC]</FONT><BR /><FONT size="2">3222 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): Looking for group RAD_€yUŽŠôpF,6Þä{?*_EXhùót)06`"8Æ@¾ in db</FONT><BR /><FONT size="2">3223 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): group RAD_€yUŽŠôpF,6Þä{?*_EXhùót)06`"8Æ@¾ not found in db</FONT><BR /><FONT size="2">3224 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups: didn't add group [RAD_€yUŽŠôpF,6Þä{?*_EXhùót)06`"8Æ@¾]</FONT><BR /><FONT size="2">3225 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): Looking for group RAD_€zÈ«+®N…–â…ËÆ莙j°iÕé3Óz†#m$Ôå¡® in db</FONT><BR /><FONT size="2">3226 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): group RAD_€zÈ«+®N…–â…ËÆ莙j°iÕé3Óz†#m$Ôå¡® not found in db</FONT><BR /><FONT size="2">3227 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups: didn't add group [RAD_€zÈ«+®N…–â…ËÆ莙j°iÕé3Óz†#m$Ôå¡®]</FONT><BR /><FONT size="2">3228 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_callback(au=947d980): daemon: other, login info: valid, server object: valid, src_ip: 0</FONT></LI></UL><P>&nbsp;</P><UL><LI>Log shows:<BR /><BR />Source User Group: All Users<BR />Roles :&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; AccessRole_AllUsers<BR /><BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Log shows.jpg" style="width: 297px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12538i77869AB1464446C3/image-size/large?v=v2&amp;px=999" role="button" title="Log shows.jpg" alt="Log shows.jpg" /></span><P>&nbsp;</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV></LI></UL><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><UL><LI>Only rule 17 is matched<BR /><P>&nbsp;</P></LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Only rule 17.jpg" style="width: 698px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12540i91FAAD8C9D5B2C04/image-size/large?v=v2&amp;px=999" role="button" title="Only rule 17.jpg" alt="Only rule 17.jpg" /></span><BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><P>I will be happy to read your suggestions and/or comments</P><P>&nbsp;</P><P>Best Regards</P> Wed, 14 Jul 2021 11:13:39 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-RADIUS-Groups-RAD-lt-Group-gt-to-Assign-Permissions/m-p/123794#M8317 DVI 2021-07-14T11:13:39Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-RADIUS-Groups-RAD-lt-Group-gt-to-Assign-Permissions/m-p/124211#M8318 <P>Groups in Access Roles come from LDAP, not RADIUS.<BR />Do you have LDAP configured at all?</P> Fri, 16 Jul 2021 19:37:12 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-RADIUS-Groups-RAD-lt-Group-gt-to-Assign-Permissions/m-p/124211#M8318 PhoneBoy 2021-07-16T19:37:12Z