Blason_R

SmartConsole AD Authentication

Hello folks,

I have integrated Active Directory with Check Point R80.10. So can I use the Active Directory user login for SmartConsole? I do not have a RADIUS server. Please let me know if it is possible and how.

0 Kudos
3 Replies

Re: Smart console AD authentication

You could use Microsoft NPS (Network Policy Server = RADIUS server) on either a DC or a separate server.


0 Kudos

Re: Smart console AD authentication

Hi Blason R, I actually implemented the option suggested by Norbert Bohusch in my environment:

a Windows Server with the NPS role installed on a separate server from the domain controller (I believe putting the NPS on a DC is a big NO-NO).

Also, as Norbert says, the NPS role is essentially a RADIUS server, so you have to follow the instructions for "Configuring a RADIUS Server for Administrators" from the Admin Guide:

- Create a RADIUS Server object with a shared secret in the SmartConsole

- In the NPS server, create a RADIUS Client with the Management/SmartCenter IP address and, obviously, the same shared secret as above

- Create a Connection Policy with at least one condition (for example the NAS IPv4 address as the IP address of the mgmt) with EAP-MSCHAP as the authentication method

- Create a Network Policy with at least the same condition as above (I also configure a condition that the users must be members of a specific AD group)

- Create an administrator in the SmartConsole with a username in the format <AD domain>\<AD user> and RADIUS as the authentication method

Then you can log in using <AD domain>\<AD user> as the user name and your AD password as the password.

Hope it helped
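The RADIUS leg of the steps above, as an added example that is not from this thread nor from Check Point or Microsoft: it builds the Access-Request that the management server (the RADIUS client) sends to NPS, hides the password with the shared secret as RFC 2865 specifies, carries the NAS-IP-Address that the NPS "NAS IPv4 address" condition matches, and verifies the Response Authenticator on the reply, which is why the secret on the SmartConsole RADIUS object and on the NPS RADIUS client must be identical. It assumes the PAP form of User-Password (the EAP-MSCHAP flow in the post is a multi-round exchange not shown here); the secret, IPs and user names are constructed.

```python
import hashlib, hmac, secrets, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute type codes

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(shared secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: what NPS computes before checking the password against AD."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind, value):  # one attribute: type, total length, value
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_attributes(packet):
    attrs, pos = {}, 20  # attributes start after the 20-byte header
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:  # stop on truncated/bad length
        kind, length = packet[pos], packet[pos + 1]
        attrs[kind] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Access-Request as the RADIUS client (the management server) sends it to NPS."""
    authenticator = authenticator or secrets.token_bytes(16)  # 16 random bytes per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))  # what the NAS IPv4 condition matches
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def sign_response(code, request, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attrs + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def response_is_authentic(request, response, secret):
    """Client side: accept only replies whose authenticator was computed with our shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A mismatched secret on either side shows up as `response_is_authentic` returning False on every reply (or NPS silently dropping the request), which is the first thing to check when the SmartConsole login fails after this setup.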

Re: Smart console AD authentication

Still not possible the way you want to do it.

See the documentation R80.10 Management Admin Guide, Section: Configuring Authentication Methods for Administrators

Same goes for R80.20 Management Admin Guide, Section: Configuring Authentication Methods for Administrators

I did hear that request/question from every customer who was thinking about moving away from local OS accounts. And it is the first question that comes to mind, always.

I do struggle to understand this approach, however. I reckon that there is a very good reason behind this, though. I'm sure. 100%. No doubt.

Could someone knowing(!) the reasons please elaborate on this?

Maybe it is about who has control over the authorizing system and its security measures and options (2FA, etc.).

0 Kudos