Hello,
I configured RADIUS between my Check Point firewall and my Microsoft NPS. This is working fine; for example, I can log on to SmartConsole with a user via RADIUS authentication. I checked the logs on the NPS, and the account I use for the SmartConsole login gets authenticated correctly via RADIUS.
In SmartConsole, in the gateway cluster properties, under VPN Clients > Remote Access > Authentication (single authentication client settings), I selected RADIUS (and the RADIUS server that is configured).
Just to be sure, in SmartDashboard I added RADIUS under multiple authentication.
Also, in Gateways in SmartDashboard, it says: This gateway allows single authentication clients to connect using: RADIUS
But... when I connect my VPN user (88.62 VPN client), it still uses LDAP. Something is forcing LDAP over the RADIUS properties I selected.
I've been looking for some time now but I don't seem to find why. I did not perform the setup of this firewall and I'm certainly no expert. Can somebody give me a (not too complex) hint?
Thanks
LDAP isn't used for authentication, it is used for authorization.
More specifically, it is used to retrieve groups for a given user.
This applies to both Remote Access and Identity Awareness.
What Phoneboy said is 100% right...ldap is not used for authentication.
Andy
Can you please send a screenshot of how that window is configured? I mean option for adding multiple auth methods...just blur out any sensitive data.
Andy
I've also found a VPN_user template that can be set to RADIUS (but is set to Check Point password). I have no idea where/how this template is used or where it is configured to be used. As I said before, I'm just an amateur on this subject.
@PhoneBoy thanks for the reply, but I don't have a clue what action I can perform based on that information
I don't believe the user template should matter much here, but the auth order seems right to me. Do you have a TAC case open for it?
Andy
No case opened yet, I thought it would be a basic setting somewhere. I followed the procedure "Using RADIUS Authentication for Remote Access VPN" and had a little help from ChatGPT. No luck 😞
FYI
I've opened a case -> reaction = since this is a new configuration, we don't give any support; we focus on resolving issues with existing configurations!!!! Really??!!
Why are LDAP lookups done? Quite simple: you have LDAP Account Units defined.
With the exception of Azure/Entra ID users where the relevant groups are passed as part of the SAML Assertion (see https://support.checkpoint.com/results/sk/sk177267) or Internal Password users, an LDAP lookup is required to associate a given user to groups for the purposes of defining Access Roles for specific groups of users.
In other words, LDAP lookups are expected behavior in Remote Access configurations.
The only way to disable the LDAP lookups is to remove the LDAP Account Unit objects.
However, they are likely used for other purposes (e.g. Identity Awareness).
Hello,
I'm not sure we're talking about the same thing...
It must be some simple detail somewhere...
Simplified Situation:
AD user xyz logs on to SmartConsole. AD user xyz's logon request is directed to NPS and is seen in NPS (Event Viewer).
The same AD user xyz logs on via the Check Point VPN client. AD user xyz's logon request is not directed to NPS (nothing shows up in Event Viewer).
It wasn't clear that the RADIUS part wasn't working.
You may need to delete/re-add the site on the VPN client if you change the authentication methods.
I've deleted and re-added the site on a client but this doesn't help. I can see the request arriving directly into AD and not passing via Network Policy Server.
Are you using locally defined users?
If not, do you have an External User Profile defined in SmartDashboard?
If not, this is how you create it (and yes, I do mean legacy SmartDashboard):
Create this with the defaults:
Note if this profile exists in your environment, change the Authentication to Undefined.
Click the Save icon (upper left) in SmartDashboard, Publish and Install Policy in SmartConsole to relevant gateways.
I've found the error I made!
I used the management server IP in NPS. I've put the correct IP (gateway). Now it works fine!
Sorry for the trouble!
Good job!
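The root cause in this thread was a RADIUS client registered in NPS under the wrong IP: the gateway sends the Access-Request, but NPS only knew the management server's address, so the packet was dropped before any authentication took place and nothing was audited for the user. The following is an added example (not Check Point, Microsoft, or forum code) that reproduces that behaviour offline: an RFC 2865 Access-Request builder with User-Password obfuscation and an RFC 2869 Message-Authenticator, and a minimal NPS-like server that discards packets from unregistered source IPs, verifies the Message-Authenticator against the shared secret, and only then checks the password. The IP addresses, user name, password and shared secret are constructed test values.

```python
"""RADIUS Access-Request and an NPS-like server that drops unregistered clients.

Added illustration for the thread above; not Check Point or Microsoft code.
All addresses, credentials and the shared secret are constructed test values.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 4, 80


def _tlv(attr_type, value):
    """RADIUS attribute: Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_user_password(encrypted, secret, authenticator):
    """Inverse of encode_user_password; trailing NUL padding is removed."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_ip, secret):
    """Access-Request with a Message-Authenticator (RFC 2869 5.14) as the last attribute."""
    authenticator = os.urandom(16)
    attrs = (_tlv(ATTR_USER_NAME, username.encode())
             + _tlv(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + _tlv(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _tlv(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # zero placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # HMAC-MD5 over packet with placeholder zeroed
    return pkt[:-16] + mac


def parse_attributes(pkt):
    """Yield (type, value, offset_of_value); reject malformed lengths instead of guessing."""
    off = 20
    while off < len(pkt):
        if off + 2 > len(pkt) or pkt[off + 1] < 2 or off + pkt[off + 1] > len(pkt):
            raise ValueError("malformed attribute")
        atype, alen = pkt[off], pkt[off + 1]
        yield atype, pkt[off + 2:off + alen], off + 2
        off += alen


class NpsLikeServer:
    """Source IP must match a registered RADIUS client, or the packet is dropped unanswered."""

    def __init__(self, clients, users):
        self.clients = clients  # {client_ip: shared_secret}
        self.users = users      # {username: password}
        self.log = []

    def handle(self, src_ip, pkt):
        secret = self.clients.get(src_ip)
        if secret is None:
            self.log.append(f"discarded: {src_ip} is not a registered RADIUS client")
            return None  # no Access-Reject, no authentication attempt to audit
        code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if code != ACCESS_REQUEST or length != len(pkt):
            return ACCESS_REJECT
        authenticator = pkt[4:20]
        attrs = {t: (v, o) for t, v, o in parse_attributes(pkt)}
        if ATTR_MESSAGE_AUTHENTICATOR in attrs:
            mac, off = attrs[ATTR_MESSAGE_AUTHENTICATOR]
            zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
            if not hmac.compare_digest(mac, hmac.new(secret, zeroed, hashlib.md5).digest()):
                self.log.append(f"rejected: bad Message-Authenticator from {src_ip} (shared secret mismatch?)")
                return ACCESS_REJECT
        if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
            return ACCESS_REJECT
        user = attrs[ATTR_USER_NAME][0].decode()
        password = decode_user_password(attrs[ATTR_USER_PASSWORD][0], secret, authenticator)
        ok = hmac.compare_digest(self.users.get(user, "").encode(), password)
        self.log.append(f"{'accepted' if ok else 'rejected'}: {user} from {src_ip}")
        return ACCESS_ACCEPT if ok else ACCESS_REJECT


def demo():
    """Reproduce the thread: NPS registered with the management IP while the gateway sends."""
    secret = b"constructed-shared-secret"
    gateway, management = "192.0.2.10", "192.0.2.1"  # constructed addresses
    users = {"xyz": "Passw0rd!"}
    req = build_access_request(7, "xyz", "Passw0rd!", gateway, secret)
    wrong = NpsLikeServer({management: secret}, users)  # the mistake from the thread
    right = NpsLikeServer({gateway: secret}, users)     # the fix
    return {
        "gateway_to_misregistered_nps": wrong.handle(gateway, req),  # None: silently dropped
        "gateway_to_fixed_nps": right.handle(gateway, req),          # ACCESS_ACCEPT
        "wrong_password": right.handle(gateway, build_access_request(8, "xyz", "nope", gateway, secret)),
        "wrong_secret": right.handle(gateway, build_access_request(9, "xyz", "Passw0rd!", gateway, b"other")),
    }


if __name__ == "__main__":
    print(demo())
```

The first result is the symptom from the thread: a request from the gateway to an NPS that only knows the management server gets no reply at all, which on the client side looks like RADIUS was never tried. The last two results show the two failures that do produce a reply and an audit entry, a wrong password and a mismatched shared secret (caught by the Message-Authenticator before the password is even decoded), so if you see rejects rather than silence, the client registration is already right and the problem is elsewhere.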