SAROU237
Explorer

RADIUS accounting identity awareness

Hello,

I have a question about RADIUS accounting:

Is this correct? I understand that the RADIUS accounting client is the gateway, which sends a request to the RADIUS accounting server to get identities?

But in the documentation they say "Identity Awareness Gateway configured as a RADIUS Accounting server." Why?

0 Kudos
Reply
4 Replies
PhoneBoy
Admin

Can you quote the precise areas of the documentation where you're seeing these two different explanations?

Generally, the request is initiated from the RADIUS server (not us) to the RADIUS Accounting Server (a properly-configured Check Point gateway).
This is how RADIUS Accounting works.

0 Kudos
Reply
SAROU237
Explorer

Why is the request initiated from the RADIUS server?

Because it is the gateway which needs the information about a user, so it should make the request to the server. I don't understand.

0 Kudos
Reply
PhoneBoy
Admin

Because that’s just not how RADIUS Accounting works.
By the way, our integration with Active Directory (either AD Query or Identity Collector) works fundamentally the same way: we "subscribe" to an identity source to find out what users are associated with what IP addresses.
The gateway will perform an LDAP query to determine what groups the user is a member of to calculate the appropriate Access Roles for that user.
This way, at the time the user tries to do something through the gateway, we’ll know precisely what policy applies.

There isn’t a standards-based mechanism for either RADIUS or Active Directory that I’m aware of that allows anyone to query “what user is associated with this IP.”
Not to mention, you'd have to hold the connection while the lookup is performed, creating a performance issue for end users.

0 Kudos
Reply
Chris_Atkinson
Employee

If our Captive Portal is being used for web-based authentication, then RADIUS might be configured as the authentication server.

This is different to RADIUS accounting, where the user has already been authenticated, maybe by connecting to a separate Wi-Fi solution, and the RADIUS messages are being sent on to Check Point as a means of letting us know who is already logged in with what IP address.

0 Kudos
Reply
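The direction of the exchange PhoneBoy and Chris describe (the NAS or RADIUS server pushes Accounting-Request Start/Interim/Stop packets at the gateway, and the gateway, acting as the RADIUS Accounting server, only acknowledges them and builds its user-to-IP table from what arrives) is easier to see with both sides written out. The following is an added example, not code from the original thread or from Check Point; it implements the RFC 2866 packet layout and authenticator checks directly, with a constructed shared secret, user name, IP and session id, and a hypothetical `AccountingServer` class standing in for the gateway's identity table.

```python
import hashlib
import hmac
import socket
import struct
from typing import Dict, List, Optional, Tuple

# RFC 2866 packet codes and the attributes an identity consumer needs.
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS = 1, 8
ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID = 40, 44
STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3

SHARED_SECRET = b"demo-shared-secret"  # constructed for this example, not a real secret


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialise RADIUS attributes as Type(1) Length(1) Value TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Parse TLVs, rejecting any length that runs past the packet."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs


def build_accounting_request(identifier: int, attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Sender side (NAS / RADIUS server). Request Authenticator per RFC 2866:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_accounting_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Sender side. Response Authenticator = MD5(Code + Id + Length + RequestAuth + Attributes + Secret)."""
    if len(resp) < 20 or resp[0] != ACCOUNTING_RESPONSE:
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


class AccountingServer:
    """Receiver side: what the gateway does as the RADIUS Accounting *server*.
    It never asks anyone "who is at this IP"; it learns it from Start/Interim/Stop."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.ip_to_session: Dict[str, Tuple[str, bytes]] = {}  # ip -> (user, Acct-Session-Id)

    def lookup(self, ip: str) -> Optional[str]:
        entry = self.ip_to_session.get(ip)
        return entry[0] if entry else None

    def handle(self, packet: bytes) -> Optional[bytes]:
        """Return an Accounting-Response, or None when the packet must be silently dropped."""
        if len(packet) < 20:
            return None
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCOUNTING_REQUEST or length != len(packet):
            return None
        req_auth, body = packet[4:20], packet[20:]
        expected = hashlib.md5(packet[:4] + bytes(16) + body + self.secret).digest()
        if not hmac.compare_digest(expected, req_auth):
            return None  # wrong shared secret or tampered payload: never acknowledge
        try:
            attrs = dict(decode_attrs(body))
        except ValueError:
            return None
        self._update_identity(attrs)
        header = struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, 20)
        return header + hashlib.md5(header + req_auth + self.secret).digest()

    def _update_identity(self, attrs: Dict[int, bytes]) -> None:
        status, ip_raw, user = (attrs.get(ATTR_ACCT_STATUS_TYPE), attrs.get(ATTR_FRAMED_IP_ADDRESS),
                                attrs.get(ATTR_USER_NAME))
        if status is None or len(status) != 4 or ip_raw is None or len(ip_raw) != 4 or user is None:
            return  # nothing usable for identity; still acknowledged so the sender stops retransmitting
        status_val, ip = struct.unpack("!I", status)[0], socket.inet_ntoa(ip_raw)
        session = attrs.get(ATTR_ACCT_SESSION_ID, b"")
        if status_val in (STATUS_START, STATUS_INTERIM):
            self.ip_to_session[ip] = (user.decode("utf-8", "replace"), session)
        elif status_val == STATUS_STOP:
            # Only clear the mapping when the Stop belongs to the session that owns the IP;
            # a late Stop for an earlier session must not log out the user now on that address.
            current = self.ip_to_session.get(ip)
            if current and current[1] == session:
                del self.ip_to_session[ip]


def make_packet(ident: int, status: int, user: str, ip: str, session: bytes,
                secret: bytes = SHARED_SECRET) -> bytes:
    """Constructed sample Accounting-Request, as a Wi-Fi controller or RADIUS server would send it."""
    return build_accounting_request(ident, [
        (ATTR_USER_NAME, user.encode()),
        (ATTR_FRAMED_IP_ADDRESS, socket.inet_aton(ip)),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status)),
        (ATTR_ACCT_SESSION_ID, session),
    ], secret)


if __name__ == "__main__":
    gw = AccountingServer(SHARED_SECRET)
    start = make_packet(1, STATUS_START, "alice", "10.1.2.3", b"sess-1")
    ack = gw.handle(start)
    print("ack verified by sender:", verify_accounting_response(ack, start[4:20], SHARED_SECRET))
    print("10.1.2.3 ->", gw.lookup("10.1.2.3"))
    gw.handle(make_packet(2, STATUS_STOP, "alice", "10.1.2.3", b"sess-1"))
    print("after Stop, 10.1.2.3 ->", gw.lookup("10.1.2.3"))
```

The point to take from the flow: the gateway's table is populated only by authenticated pushes, so a packet built with the wrong shared secret or altered in transit gets no response and changes nothing, and group membership for Access Roles is a separate LDAP lookup keyed on the user name learned here, not on the IP.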