AlainC
Contributor

VPN clients still using LDAP while RADIUS is configured

Hello,


I configured RADIUS between my Check Point firewall and my Microsoft NPS. This is working fine; for example, I can log on to SmartConsole with a user via RADIUS authentication. I checked the logs on the NPS, and the account I use for the SmartConsole login gets authenticated correctly via RADIUS.

In SmartConsole, in the gateway cluster properties, under VPN Clients > Remote Access > Authentication (single authentication client settings), I selected RADIUS (and the RADIUS server that is configured).

Just to be sure, in SmartDashboard I also added RADIUS under multiple authentication.

Also, under gateways in SmartDashboard, it says: "This gateway allows single authentication clients to connect using: RADIUS".

But... when I connect my VPN user (88.62 VPN client), it still uses LDAP. Something is forcing LDAP over the RADIUS properties I selected.

I've been looking for some time now but I can't seem to find out why. I did not perform the setup of this firewall and I'm certainly no expert. Can somebody give me a (not too complex) hint?


Thanks

14 Replies
PhoneBoy
Admin

LDAP isn't used for authentication, it is used for authorization.
More specifically, it is used to retrieve groups for a given user.
This applies to both Remote Access and Identity Awareness.

the_rock
Legend

What PhoneBoy said is 100% right... LDAP is not used for authentication.

Andy

the_rock
Legend

Can you please send a screenshot of how that window is configured? I mean the option for adding multiple auth methods... just blur out any sensitive data.

Andy

AlainC
Contributor

[Screenshot attached: vpn.jpg]

I've also found a VPN_user template that can be set to RADIUS (but is set to Check Point password). I have no idea where/how this template is used or where it is configured to be used. As I said before, I'm just an amateur on this subject.

@PhoneBoy thanks for the reply, but I don't have a clue what action I can perform based on that information.

the_rock
Legend

I don't believe the user template should matter much here, but the auth order seems right to me. Do you have a TAC case open for it?

Andy

AlainC
Contributor

No case opened yet; I thought it would be a basic setting somewhere. I followed the procedure "Using RADIUS Authentication for Remote Access VPN" and had a little help from ChatGPT. No luck 😞

AlainC
Contributor

FYI

I've opened a case -> reaction: since this is a new configuration, we don't give any support; we focus on resolving issues with existing configurations!!!! Really??!!

PhoneBoy
Admin

Why are LDAP lookups done? Quite simple: you have LDAP Account Units defined.
With the exception of Azure/Entra ID users where the relevant groups are passed as part of the SAML Assertion (see https://support.checkpoint.com/results/sk/sk177267) or Internal Password users, an LDAP lookup is required to associate a given user to groups for the purposes of defining Access Roles for specific groups of users.
In other words, LDAP lookups are expected behavior in Remote Access configurations.

The only way to disable the LDAP lookups is to remove the LDAP Account Unit objects.
However, they are likely used for other purposes (i.e. Identity Awareness).

AlainC
Contributor

Hello,


I'm not sure we're talking about the same thing...

It must be some simple detail somewhere...


Simplified Situation:

AD user xyz logs on to SmartConsole. AD user xyz's logon request is directed to NPS and is seen in NPS (Event Viewer).

The same AD user xyz logs on via the Check Point VPN client. AD user xyz's logon request is not directed to NPS (nothing shows up in Event Viewer).

PhoneBoy
Admin

It wasn't clear that the RADIUS part wasn't working.
You may need to delete/re-add the site on the VPN client if you change the authentication methods.

AlainC
Contributor

I've deleted and re-added the site on a client, but this doesn't help. I can see the request arriving directly in AD and not passing via the Network Policy Server.

PhoneBoy
Admin

Are you using locally defined users?
If not, do you have an External User Profile defined in SmartDashboard?
If not, this is how you create it (and yes, I do mean legacy SmartDashboard):

[Screenshot: image.png]

Create this with the defaults:

[Screenshot: image.png]

Note if this profile exists in your environment, change the Authentication to Undefined.
Click the Save icon (upper left) in SmartDashboard, Publish and Install Policy in SmartConsole to relevant gateways.

AlainC
Contributor

I've found the error I made!

I used the management server IP in NPS. I've put the correct IP (gateway). Now it works fine!

Sorry for the trouble!

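An added illustration (not from the thread and not Check Point or Microsoft code) of why the IP in the NPS "RADIUS Clients" entry decides whether a logon ever shows up in Event Viewer: a RADIUS server matches each Access-Request to a registered client by source IP and shared secret before it looks at the user at all, and discards unmatched requests without logging an authentication event. The IPs, shared secret and password below are constructed sample values.

```python
import hashlib
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
# Constructed stand-in for the NPS "RADIUS Clients" list (source IP -> shared secret).
# Only the gateway is registered; a request from any other IP matches nothing.
RADIUS_CLIENTS = {"192.0.2.1": b"constructed-shared-secret"}

def _xor_password(data, secret, authenticator, encrypt):
    """RFC 2865 s.5.2 User-Password hiding: 16-byte blocks XORed with an MD5 chain."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if encrypt else block  # always chain on the ciphertext block
    return out

def _attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_request(username, password, secret, nas_ip, authenticator):
    """PAP Access-Request as the VPN gateway (the NAS) would send it to NPS."""
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, _xor_password(padded, secret, authenticator, True))
             + _attr(NAS_IP_ADDRESS, IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + authenticator + attrs

def handle_request(src_ip, packet):
    """Server side: NPS matches the request to a RADIUS client by *source IP* first."""
    secret = RADIUS_CLIENTS.get(src_ip)
    if secret is None:
        # RFC 2865 s.3: a request from an unknown client is silently discarded, so no
        # authentication event is logged: exactly the symptom described in the thread.
        return {"action": "discard", "reason": "unknown RADIUS client " + src_ip}
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return {"action": "discard", "reason": "malformed packet"}
    auth, attrs, pos = packet[4:20], {}, 20
    while pos < len(packet):  # walk the Type/Length/Value attribute list
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    pw = _xor_password(attrs[USER_PASSWORD], secret, auth, False).rstrip(b"\x00")
    return {"action": "authenticate", "user": attrs[USER_NAME].decode(), "password": pw.decode()}
```

Sending the same packet from 192.0.2.1 (the registered gateway) is decoded and authenticated, while sending it from an unregistered address such as a management server IP is dropped before the user name is even read.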
the_rock
Legend

Good job!
