This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Numan135363
Explorer
‎2025-10-09 12:23 PM
Jump to solution

Radius User - Group Assign Issue

Hey everyone,

We’re facing an issue with RADIUS group mapping on a Check Point Remote Access VPN (R81.20).
Users can authenticate successfully through RADIUS, connect via VPN, and receive an Office Mode IP —
but they’re not being assigned to any group, which causes our access policy rules (based on user groups) not to match.

Here’s what we’ve done and verified so far:

Environment

  • Check Point R81.20 Gateway

  • Remote Access VPN (Endpoint Security Client)

  • RADIUS authentication via third-party MFA platform

  • Authentication protocol: PAP

  • Attributes tested: 11 (Filter-ID), 25 (Class), 26 (Vendor-Specific)

Configuration Steps

RADIUS Server Configuration

  • Added the RADIUS server under Servers and OPSEC Applications → New RADIUS Server

  • Set protocol = PAP, version = 2.0

  • Defined shared secret matching the MFA server

VPN Gateway Configuration

  • RADIUS selected as the authentication method under VPN Clients → Authentication

  • “Allow newer clients that support multiple login options” and “Ask user for password (auto-answer first challenge)” options are checked

 External User Profile

  • Created a  External User Profile with “Match all users”  (profile name generic*)

  • Authentication scheme: RADIUS

  • Linked to the same RADIUS server object

Group Mapping Setup

  • Created a user group named RAD_Test (empty group as required)

  • Verified that the group name matches the attribute value sent by RADIUS

GuiDBedit Settings

Under Global Properties → Radius, confirmed the following:

  • add_radius_groups = true

  • radius_groups_attr = 11

Also tested with attributes 25 and 26, no change.
Policy reinstalled after every modification.

Observed Behavior

  • Authentication succeeds, user connects normally.

  • Office Mode IP assigned correctly.

  • In the logs, user appears authenticated but no group membership is listed.

  • Access Control rules based on RADIUS group membership never match.

We’ve captured RADIUS packets and verified that the MFA server does send back the attribute (Filter-ID/Class/VSA) with the expected value.
Still, Check Point does not map the user to any RAD_ group.

Question

Has anyone successfully made RADIUS group assignment work for Remote Access VPN users on R81.20?
Is there any hidden setting, known limitation, or workaround ?

Any insights, working examples, or references would be greatly appreciated 

0 Kudos
1 Solution

Accepted Solutions
Duane_Toler
MVP Silver
MVP Silver
‎2025-10-10 01:20 PM
Jump to solution

You may also need to have Identity Awareness enabled and for "Remote Access":

image.png

image.png

You can run VPN debug (and IKE debug) to see what response is coming back (which you already see in the packet capture), but also how the VPN daemon is processing it.  If there's a processing error, you should see it there.

Look for the text "CPSC_RADIUS_AUTHENTICATED", and just above that will be the user group mapping messages.  You can also search the debug for "RAD_" and any occurrences of your group name.  The RADIUS group messages will also be identified with the text "radius_update_user_groups".

TAC would still like to know what's going on in case something is still not right.  Always worth a call.

When you do get the mappings fixed, you'll want to use Access Role objects to control policy access through the rulebase, and not use the user group in the Source column (Legacy User Access).  You will add the locally-defined user groups (RAD_foo) into the Access Role.  With Access Roles, you also don't need to use the RemoteAccess community in the VPN column.  Access Roles will allow you to map the same user with any identity source (Remote Access, Identity Collector, whatever) and wherever the user is connected; highly flexible.  You can use them anywhere you want/need in your policy.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

View solution in original post

(1)
7 Replies
PhoneBoy
Admin
Admin
‎2025-10-09 02:36 PM
Jump to solution

You might need to change the RADIUS attribute we're looking at for the RADIUS groups.
See: https://support.checkpoint.com/results/sk/sk115875 

the_rock
MVP Platinum
MVP Platinum
‎2025-10-09 06:30 PM
Jump to solution

Apart from sk Phoneboy gave, try running pdp minitor user command as well.

Andy

Best,
Andy
0 Kudos
Numan135363
Explorer
‎2025-10-10 04:26 AM
In response to the_rock
Jump to solution

Hi ,

We tried class and VSA but still doesn't work .  

 

Screenshot 2025-10-10 at 11.56.41.png

Screenshot 2025-10-10 at 11.46.45.png

 This is what radius reply. 

Screenshot 2025-10-10 at 11.33.56.png

Screenshot 2025-10-10 at 11.33.33.png

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2025-10-10 12:37 PM
In response to Numan135363
Jump to solution

I would get TAC involved here.

0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2025-10-10 01:20 PM
Jump to solution

You may also need to have Identity Awareness enabled and for "Remote Access":

image.png

image.png

You can run VPN debug (and IKE debug) to see what response is coming back (which you already see in the packet capture), but also how the VPN daemon is processing it.  If there's a processing error, you should see it there.

Look for the text "CPSC_RADIUS_AUTHENTICATED", and just above that will be the user group mapping messages.  You can also search the debug for "RAD_" and any occurrences of your group name.  The RADIUS group messages will also be identified with the text "radius_update_user_groups".

TAC would still like to know what's going on in case something is still not right.  Always worth a call.

When you do get the mappings fixed, you'll want to use Access Role objects to control policy access through the rulebase, and not use the user group in the Source column (Legacy User Access).  You will add the locally-defined user groups (RAD_foo) into the Access Role.  With Access Roles, you also don't need to use the RemoteAccess community in the VPN column.  Access Roles will allow you to map the same user with any identity source (Remote Access, Identity Collector, whatever) and wherever the user is connected; highly flexible.  You can use them anywhere you want/need in your policy.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
(1)
Numan135363
Explorer
‎2025-10-11 09:01 AM
In response to Duane_Toler
Jump to solution

Thank you Duane

 

It solved. 

the_rock
MVP Platinum
MVP Platinum
‎2025-10-11 10:01 AM
In response to Numan135363
Jump to solution

Great!

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events