This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Zdenek_Rottenbe
Explorer
‎2018-04-16 12:39 PM

Identity Awareness - RADIUS Accounting mode

I performed testing of Identity Awareness in my lab (RADIUS Accounting mode only) and found some problems I am not able to explain. I would really appreciate any comments to the following:

- userAccountControl LDAP attribute is ignored by IA. If a user is locked out, it is allowed to access a network. Is this correct behaviour or I misconfigured something?

- the same thing happen when I tried to authorize user based on fw1user (objectClass) LDAP attributes.

- direct mapping of user/machine to group directly on CP firewall by issuing command 'pdp radius groups set -u 26 -a 1 -c 9 -d ","' does not work correctly in case several Vendor-Specific RADIUS AV pairs are included within RADIUS accounting-request. How can I correctly used the command to assign group membership if the following attributes comes to CP firewall within one accounting-request?

Cisco-AVPair = "ssid=ssid01"
Cisco-AVPair = "vlan-id=30"
Cisco-AVPair = "nas-location=unspecified"

I want to assign group membership based on the first AV pair.

Thank you very much for any comments.

In case somebody is interested, I included all my findings from the lab in attached document.

Best regards,

ZR

Preview file
1830 KB
3 Replies
PhoneBoy
Admin
Admin
‎2018-04-20 10:03 PM

Is the userAccountControl sent as part of the RADIUS Accounting request?

If it's not, then based on the fact you're attempting to fetch groups from the RADIUS accounting requests, it probably won't even see it.

0 Kudos
Zdenek_Rottenbe
Explorer
‎2018-04-24 08:40 AM
In response to PhoneBoy

Hi,

no, userAccountControl is LDAP attribute use to signalize a status of a user account (for example account is lockout, see more detail here: http://jackstromberg.com/2013/01/useraccountcontrol-attributeflag-values/). I would expect that when CP firewall receives RADIUS account-request with information about a username, it connects to LDAP database and check whether the user exists within LDAP database. This is usually done by initiating ldap search request towards a LDAP database. If user is found, the firewall also receives additional user attributes like userAccountControl or memberOf attributes, that can be used to further authorize a user. In case a user has lockout flag set, a CP firewall should not allow a user to access a network. That is my understanding. From my lab I know that userAccountControl attribute is ignored by CP firewall (or maybe I have misconfigured something). The same thing happens also when I tried to use Check Point ldap attributes like fw1day (see CP_R80.10_SecurityManagement_AdminGuide.pdf page 195). This attribute should control when a user can access a network. This attribute seems to be also ignored by CP firewall. So, the question is whether this should work or not.

Thank you very much for any help that you are able to provide.

ZR

0 Kudos
PhoneBoy
Admin
Admin
‎2018-04-24 10:51 AM
In response to Zdenek_Rottenbe

The RADIUS piece is used for authentication.

Authorization is, of course, a different matter.

As near as I can tell, we do not read the userAccountControl attribute.

However, we can create it when using UserDirectory (with a default setting).

I suppose it's possible to create a group where the userAccountControl attribute is set a particular way and create a rule denying access to that group.
However, not sure this is possible.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events