VPN clients still using LDAP while RADIUS is configured
Hello,
I configured RADIUS between my Check Point firewall and my Microsoft NPS. This is working fine; for example, I can log on to SmartConsole with a user via RADIUS authentication. I checked the logs on the NPS, and the account I use for the SmartConsole login gets authenticated correctly via RADIUS.
In SmartConsole, in the gateway cluster properties, under VPN Clients > Remote Access > Authentication (Single Authentication Client Settings), I selected RADIUS (and the RADIUS server that is configured).
Just to be sure, in SmartDashboard I added RADIUS under multiple authentication.
Also, in the gateways in SmartDashboard, it says: This gateway allows single authentication clients to connect using: RADIUS
But... when I connect my VPN user (88.62 VPN client), it still uses LDAP. Something is forcing LDAP over the RADIUS properties I selected.
I've been looking for some time now but I don't seem to find why. I did not perform the setup of this firewall and I'm certainly no expert. Can somebody give me a (not too complex) hint?
Thanks
LDAP isn't used for authentication, it is used for authorization.
More specifically, it is used to retrieve groups for a given user.
This applies to both Remote Access and Identity Awareness.
What PhoneBoy said is 100% right... LDAP is not used for authentication.
Andy
Can you please send a screenshot of how that window is configured? I mean the option for adding multiple auth methods... just blur out any sensitive data.
Andy
I've also found a VPN_user template that can be set to RADIUS (but is set to Check Point Password). I have no idea where/how this template is used or where it is configured to be used. As I told you before, I'm just an amateur on this subject.
@PhoneBoy thanks for the reply, but I don't have a clue what action I can perform based on that information
I don't believe the user template should matter much here, but the auth order seems right to me. Do you have a TAC case open for it?
Andy
No case opened yet, I thought it would be a basic setting somewhere. I followed the procedure "Using RADIUS Authentication for Remote Access VPN" and had a little help from ChatGPT. No luck 😞
FYI
I've opened a case -> reaction: since this is a new configuration, we don't give any support, we focus on resolving issues with existing configurations!!!! Really??!!
Why are LDAP lookups done? Quite simple: you have LDAP Account Units defined.
With the exception of Azure/Entra ID users where the relevant groups are passed as part of the SAML Assertion (see https://support.checkpoint.com/results/sk/sk177267) or Internal Password users, an LDAP lookup is required to associate a given user to groups for the purposes of defining Access Roles for specific groups of users.
In other words, LDAP lookups are expected behavior in Remote Access configurations.
The only way to disable the LDAP lookups is to remove the LDAP Account Unit objects.
However, they are likely used for other purposes (i.e. Identity Awareness).
Hello,
I'm not sure we're talking about the same thing...
It must be some simple detail somewhere...
Simplified Situation:
AD user xyz logs on to SmartConsole. AD user xyz's logon request is directed to NPS and is seen in NPS (Event Viewer).
The same AD user xyz logs on via the Check Point VPN client. AD user xyz's logon request is not directed to NPS (nothing shows up in Event Viewer).
It wasn't clear that the RADIUS part wasn't working.
You may need to delete/re-add the site on the VPN client if you change the authentication methods.
I've deleted and re-added the site on a client but this doesn't help. I can see the request arriving directly into AD and not passing via Network Policy Server.
Are you using locally defined users?
If not, do you have an External User Profile defined in SmartDashboard?
If not, this is how you create it (and yes, I do mean legacy SmartDashboard):
Create this with the defaults:
Note if this profile exists in your environment, change the Authentication to Undefined.
Click the Save icon (upper left) in SmartDashboard, Publish and Install Policy in SmartConsole to relevant gateways.

Accepted Solution
I've found the error I made!
I used the management server IP in NPS. I've put the correct IP (gateway). Now it works fine!
Sorry for the trouble!
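The fix above comes down to registering the right RADIUS client in NPS: for a remote access VPN logon the Access-Request is sent by the gateway, not by the management server that SmartConsole logons go through, so NPS must know the gateway's address (for a cluster, each member's address, or the cluster address if members are configured to hide behind it; that cluster remark is a general consideration, not something the thread states). The following PowerShell is an added example and not part of the thread. Run on the NPS server, it lists the configured RADIUS clients, checks them against placeholder gateway addresses, and pulls the System-log events NPS writes when a RADIUS message arrives from an address that is not a registered client. The addresses, the client name prefix and the one-day window are assumptions.

```powershell
# Added example (not from the thread): verify that the Check Point gateway, not the
# management server, is registered as a RADIUS client in NPS. Run in an elevated
# PowerShell session on the NPS server.
Import-Module NPS

# Placeholder addresses (assumptions): the management server, which only covers
# SmartConsole logons, and the gateway/cluster member addresses that actually send
# the VPN Access-Requests.
$ManagementServer = '192.0.2.10'
$GatewayAddresses = @('203.0.113.1', '203.0.113.2')

# 1. What NPS is configured to accept requests from.
$clients = Get-NpsRadiusClient
"Configured RADIUS clients:"
$clients | Select-Object Name, Address, Enabled | Format-Table -AutoSize

foreach ($gw in $GatewayAddresses) {
    if (-not ($clients | Where-Object { $_.Address -eq $gw })) {
        Write-Warning "No RADIUS client entry for gateway $gw; its Access-Requests will be discarded."
    }
}
if ($clients | Where-Object { $_.Address -eq $ManagementServer }) {
    "Note: $ManagementServer (management server) is a RADIUS client. That only covers SmartConsole logons; VPN clients authenticate through the gateway."
}

# 2. What actually arrived. NPS writes System event 13 (source IAS) when a RADIUS
# message comes from an address that is not a configured client. Get-WinEvent
# throws when nothing matches, hence SilentlyContinue.
$since = (Get-Date).AddDays(-1)   # one-day window, an assumption
$dropped = Get-WinEvent -FilterHashtable @{LogName = 'System'; ProviderName = 'IAS'; Id = 13; StartTime = $since} -ErrorAction SilentlyContinue
if ($dropped) {
    "Requests dropped as coming from an unknown RADIUS client (last 24h):"
    $dropped | ForEach-Object {
        # Pull the offending IPv4 address out of the event text.
        if ($_.Message -match '(\d{1,3}(\.\d{1,3}){3})') { $Matches[1] }
    } | Group-Object | Select-Object Name, Count | Format-Table -AutoSize
} else {
    "No unknown-client events in the window."
}

# 3. Optional fix: register the gateway(s). The shared secret must match the
# RADIUS server object defined in SmartConsole. Client names are placeholders.
# $secret = Read-Host 'Shared secret for the gateway RADIUS client'
# foreach ($gw in $GatewayAddresses) {
#     New-NpsRadiusClient -Name "cp-gateway-$gw" -Address $gw -SharedSecret $secret
# }
```

If a gateway address shows up in the dropped-request list but not in the client list, that is the symptom in this thread: the VPN logon never reaches NPS, so nothing appears in its event log while SmartConsole logons (sent from the management server) work. A client entry with the right address but the wrong shared secret fails differently (the password or authenticator check fails rather than the request being dropped), so read the event text, not just the source address.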
Good job!
