Kyle_S

RADIUS Auth for Centrally Managed SMB Appliance not working.

Scenario:

R80.10 JHF 103 Management Server

R77.20.75 SMB Appliance w/ Remote Access VPN and IPSec VPN Tunnels.

Problem:

Remote Access clients connect to GW1; RADIUS servers reside behind GW2 accessible via a Site to Site tunnel.

Partial Solution:

RADIUS/SecurID packets are being picked up by an implied rule instead of being encrypted.

Updated the proper implied_rules.def file to not have RADIUS traffic picked up by an implied rule.

However, RADIUS traffic is still sourced from the External interface, which isn't (and can't be) a member of the Encryption Domain for the Site to Site tunnel.

The following appears to be what I need to set, however, as the gateway is Centrally managed it's not an option:

How to force originating VPN connections from local gateway to use an internal interface IP instead ... 

Is something available in GuiDBEdit, Global Properties, or elsewhere that will allow me to set "VPN Site to Site global settings - Use internal IP address for encrypt" to force traffic from the internal interface of the Gateway?


Accepted Solution
Admin

Re: RADIUS Auth for Centrally Managed SMB Appliance not working.

If the SMB gateway is locally managed, you can apply the steps described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

If your SMB appliance is centrally managed, it is not currently supported, and you will need to file an RFE: https://www.checkpoint.com/rfe/rfe.htm

Re: RADIUS Auth for Centrally Managed SMB Appliance not working.


Please consult sk116459 Traffic to RADIUS server from SMB appliance on Site to Site VPN, coming with source IP of W... - you will find the solution for your firmware version with local management in sk119415 How to force originating VPN connections from local gateway to use an internal interface IP... - with central management, please either use the workaround config from sk116459 or follow sk25675 Customizing VPN Domain to exclude IP Address and allow clear text!

Kyle_S

Re: RADIUS Auth for Centrally Managed SMB Appliance not working.


I'm not sure how any of this is helpful.

SK116459 pertains to Site to Site tunnels managed locally on the SMB Appliance. The VPN tab is not an option when the Gateway is managed centrally.

SK119415 also pertains to a locally managed gateway, not a centrally managed gateway.

sk25675 pertains to established traffic of the tunnel, and has nothing to do with reconfiguring the gateway to send RADIUS / LDAP traffic from an internal interface instead of the External WAN interface.

None of your suggestions pertain to my issue.


Re: RADIUS Auth for Centrally Managed SMB Appliance not working.


SK116459 pertains to Site to Site tunnels managed locally on the SMB Appliance but contains a workaround for SMBs with older firmware (it is the good old No-NAT rule 😉 - and this workaround can be configured in Dashboard, too). And sk25675 gives the solution from sk119415 for centrally managed devices. So I do not see why you think that none of my suggestions pertain to your issue.

Kyle_S

Re: RADIUS Auth for Centrally Managed SMB Appliance not working.


As there still seems to be confusion about the question I asked, and the SKs you have since provided do not pertain to the question that I asked, I opened a TAC case and received the following:

"We actually have a statement from our RnD regarding this that we don't have such a solution for centrally managed gateways. Currently, there is no plan for this solution for centrally managed gateways"


Re: RADIUS Auth for Centrally Managed SMB Appliance not working.


If the No-NAT rule does not work, I would involve TAC.

Kyle_S

Re: RADIUS Auth for Centrally Managed SMB Appliance not working.


No-NAT has nothing to do with the gateway sourcing RADIUS / LDAP traffic from the External interface when centrally managed. As I stated previously, a TAC case was opened, and RnD stated it was not supported, nor were there any plans to support it in future releases.


Re: RADIUS Auth for Centrally Managed SMB Appliance not working.


Hi there.

What about this issue?

Are we at the same stage? Source IP cannot be forced to the internal interface?

Regards.


Re: RADIUS Auth for Centrally Managed SMB Appliance not working.

Done.
Feedback reference number: 20bNpMJ15