This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kyle_S
Explorer
‎2018-05-27 08:23 AM
Jump to solution

RADIUS Auth for Centrally Managed SMB Appliance not working.

RADIUS Auth for Centrally Managed SMB Appliance not working.

Scenario:

R80.10 JHF 103 Management Server

R77.20.75 SMB Appliance w/ Remote Access VPN and IPSec VPN Tunnels.

Problem:

Remote Access clients connect to GW1; RADIUS servers reside behind GW2 accessible via a Site to Site tunnel.

Partial Solution:

RADIUS/SecurID packets are being picked up by an implied rule instead of being encrypted 

Updated the proper implied_rules.def file to not have RADIUS traffic picked up by an implied rule.

However, RADIUS traffic still is sourced from the External interface which isn't (And can't) be a member of the Encryption Domain for the Site to Site tunnel.

The following appears to be what I need to set, however, as the gateway is Centrally managed it's not an option:

How to force originating VPN connections from local gateway to use an internal interface IP instead ... 

Is something available in GuiDBEdit, Global Properties, or elsewhere that will allow me to set "VPN Site to Site global settings - Use internal IP address for encrypt" to force traffic from the internal interface of the Gateway?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-03-22 11:57 AM
In response to Beja
Jump to solution

If the SMB gateway is locally managed, you can apply the steps described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

If your SMB appliance is centrally managed, it is not currently supported, and you will need to file an RFE: https://www.checkpoint.com/rfe/rfe.htm

View solution in original post

13 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-05-28 04:07 AM
Jump to solution

Please consult sk116459 Traffic to RADIUS server from SMB appliance on Site to Site VPN, coming with source IP of W... - you will find the solution for your firmware version with local nanagement in sk119415 How to force originating VPN connections from local gateway to use an internal interface IP... - with central management, please either use the workaround config from sk116459 or follow sk25675 Customizing VPN Domain to exclude IP Address and allow clear text !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Kyle_S
Explorer
‎2018-05-28 06:06 AM
In response to G_W_Albrecht
Jump to solution

I'm not sure how any of this is helpful.

SK116459 Pertains to Site to Site tunnels managed locally on the SMB Appliance.  The VPN tab is not an option when the Gateway is manged centrally.

SK119415 Also pertains to a locally managed gateway, not a centrally managed gateway.

sk25675 Pertains to established traffic of the tunnel; and has nothing to do with re configuring the gateway to send RADIUS / LDAP / traffic from an internal interface instead of the External WAN interface.

None of your suggestions pertain to my issue.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-05-28 07:01 AM
In response to Kyle_S
Jump to solution

SK116459 pertains to Site to Site tunnels managed locally on the SMB Appliance but contains a workaround for SMBs with older firmware (it is the good old No-NAT rule 😉 - and this workaround can be configured in Dashboard, too. And sk25675 gives the solution from sk119415 for centrally managed devices. So i do not see why you think that none of my suggestions pertain to youry issue.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Kyle_S
Explorer
‎2018-05-28 07:30 AM
In response to G_W_Albrecht
Jump to solution

As there still seems to be confusion with the question I asked, and the SK's you have since provided not pertaining to the question that I asked, I opened a TAC case and received the following:

"We actually have a statement from our RnD regarding this that we don't have such a solution for centrally managed gateways. Currently, there is no plan for this solution for centrally managed gateways"

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-05-28 08:01 AM
In response to Kyle_S
Jump to solution

If the No-NAT rule does not work i would involve TAC.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Kyle_S
Explorer
‎2018-05-29 08:38 AM
In response to G_W_Albrecht
Jump to solution

No-NAT has nothing to do with the gateway sourcing RADIUS / LDAP traffic from the External interface when Centrally manged.  As I stated previously, a TAC case was opened, and RnD stated it was not supported nor was there any plans to support it in future releases.

0 Kudos
Beja
Contributor
‎2019-03-22 10:16 AM
In response to Kyle_S
Jump to solution

Hi there.

what about this issue?

have we in the same stage? Surce IP is not able to force to internal interface?

Rergards.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-22 11:57 AM
In response to Beja
Jump to solution

If the SMB gateway is locally managed, you can apply the steps described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

If your SMB appliance is centrally managed, it is not currently supported, and you will need to file an RFE: https://www.checkpoint.com/rfe/rfe.htm
Beja
Contributor
‎2019-03-22 12:03 PM
In response to PhoneBoy
Jump to solution

Done.
Feedback reference number: 20bNpMJ15
0 Kudos
AttilaPeter
Explorer
‎2020-08-13 02:21 AM
In response to Kyle_S
Jump to solution

Hello Kyle_S

Does it resolved? If yes how?

In the sk119415 I seen a central management option which could be added later on and it seems only partly working.

Regards,

Attila

 

0 Kudos
Schafi
Contributor
Contributor
‎2020-08-13 07:41 AM
In response to AttilaPeter
Jump to solution

Hi Attila,

I solved this kind of issue by adding a Hide-NAT Rule with the dynamic objects called "LocalMachine" as source and "LocalMachine_Internal_Interface" as translated source.

Best Regards
Jean-François

 

Regards
Jean-François (Schafi)
0 Kudos
tspunkt
Contributor
‎2021-10-26 03:04 AM
In response to Schafi
Jump to solution

hey everybody,

i know its an old thread, but I run in the same problem with a RADIUS behind a site-to-site VPN community. I also tried the command written in SK119415 and i also tried the Hide-NAT rule without any effect on changing from external to interal IP address on a centrally managed 1590 smb (r80.20.35).

RADIUS traffic is accepted by an implied rule.

Are there any other fixes i can try without modifying the .def files?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-10-26 07:55 AM
In response to tspunkt
Jump to solution

Since the issue is with the implied rules, the only real way to address it is to edit the .def files.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events