topic 1570r Hotspot integration with Radius auth in Spark Firewall (SMB)

1570r Hotspot integration with Radius auth

Tim_Tielens — Tue, 14 Sep 2021 10:53:33 GMT

Hello,

I'm trying to integrate hotspot authentication on a 1570r running R80.20.30 with a MS Radius server on an MDS enviroment.
But I can't find the details about how the NPS policy should look, or how the 1570r will do authentication to that Radius.

Is the 1570r forwarding the request over the mgmt ip over port 1812 ?
Or is the client (connected to the wifi) forwarding the request ?

How should the NPS policy be setup ?

Is there more cli config needed to force the hotspot to use radius auth ?

I've read:
sk60301
sk60501
sk106133
Configuring a Hotspot (checkpoint.com)
SMB R80.20 1500 Appliance CLI Guide R80.20 Technical Reference Guide (checkpoint.com)

But can't find anything specific...

we use an MDS with a Global LDAP object defined.
(Enabling AD query on the 1570r does not work either, hotspot login fails)
Radius authentication for Wifi does work and also for the WebUI this works.

Maybe someone can point me in the right direction ?

Thx in advance

Re: 1570r Hotspot integration with Radius auth

G_W_Albrecht — Tue, 14 Sep 2021 10:43:27 GMT

See Quantum Spark 1500, 1600 and 1800 Appliance Series R80.20.30 Locally Managed Administration Guide p.89:

Configuring a Hotspot
In the Device > Hotspot page, if a network interface was defined for hotspot, you can configure:

- Guest access - A session is created for an IP address when a user accepts terms or authenticates in the Hotspot portal. The session expires after the configured timeout (240 minutes by default).

- Hotspot portal - Customize the portal's appearance.
- Hotspot exceptions - Define specified IP addresses, IP ranges or networks to exclude from the Hotspot.
If no network interface was defined for the Hotspot, click Configure in Local Network.

In the Access section of the page, you can configure if authentication is required and allow access to all users or to a specified user group (Active Directory, RADIUS or local).

Hotspot is automatically activated in the system.

Re: 1570r Hotspot integration with Radius auth

Tim_Tielens — Tue, 14 Sep 2021 10:49:27 GMT

I'm sorry but i've read that and that is not this issue that i'm having.
Creating or enabling hotspot on the network or wifi is not the issue.

The question is:
1. how should the NPS look like on the Radius server ?
2. How does the hotspot initialize radius auth ?
- From the mgmt interface of the 1570r or the wifi client ip.
(because i'm not seeing any requests, but get auth failed)
Radius auth on the Wifi works and on the webui also, i've tested that.

Maybe some other question would be, is it even supported...
I'm reading Check Point R80.20.X for 1500, 1600, and 1800 Appliances Features and Known Limitations and there is nothing in it about it not working.

Re: 1570r Hotspot integration with Radius auth

G_W_Albrecht — Tue, 14 Sep 2021 11:02:23 GMT

You can involve TAC here.