This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SAROU237
Explorer
‎2020-12-13 10:09 AM

Radius accounting identity awarenesss

Hello,

I have a question about radius accounting :

Is it correct ? I understand that Radius accouting client  is the gateway which send a request to the radius accounting server to get identities?

But in the documentation they said that " Identity Awareness Gateway configured as a RADIUS Accounting server." why ?

 
0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-12-13 10:20 AM

Can you quote the precise areas of documentation you’re seeing these two different explanations?

Generally, the request is initiated from the RADIUS server (not us) to the RADIUS Accounting Server (a properly-configured Check Point gateway).
This is how RADIUS Accounting works.

0 Kudos
SAROU237
Explorer
‎2020-12-13 12:54 PM
In response to PhoneBoy

Why does the request is initiated from the radius server ?

 

Because this is the gateway which need the information of a user, so he should make the request to the server. I don't understand

0 Kudos
PhoneBoy
Admin
Admin
‎2020-12-13 01:18 PM
In response to SAROU237

Because that’s just not how RADIUS Accounting works.
By the way, our integration with Active Directory  (either AD Query or Identity Collector) fundamentally the same way: we “subscribe” to an identity source to find out about what users are associated with what IP addresses.
The gateway will perform an LDAP query to determine what groups the user is a member of to calculate the appropriate Access Roles for that user.
This way, at the time the user tries to do something through the gateway, we’ll know precisely what policy applies.

There isn’t a standards-based mechanism for either RADIUS or Active Directory that I’m aware of that allows anyone to query “what user is associated with this IP.”
Not to mention; you’d have to hold the connection while the lookup is performed, creating a performance issue for end users.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2020-12-13 01:34 PM
In response to SAROU237

If our Captive Portal is being used for web based authentication then Radius might be configured as the authentication server.

 

This is different to Radius accounting where the user has already been authenticated maybe by connecting to a separate Wi-Fi solution and the radius messages are being sent on to Check Point as a means of  letting us know who is already logged in with what IP address.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events