Yes, radius is also defined there. Although I tried with and without it. No change...

Hi @PhoneBoy I had JHF 76. Installed 99, and compared the recommendations in the sk. Apparently I already have them as required. 

Maybe I'm not getting the architecture properly. What I want to see is something like this:

1. VPN client sends request to GW
2. GW sends the creds to radius server
3. Radius server sends the creds it receives to AD for verification
4. Radius server sends the results of the verification back to GW
5. GW tells the client that it can connect. 

Here I don't have anything setup on freeRADIUS other than ldap-module so that it can authenticate against AD. All user information is on AD.

Maybe I lack some understanding on any of these steps.

Never heard of someone using FreeRADIUS for the use case of Active Directory.
Microsoft's NPS is known to work for this use case.

Hi PhoneBoy,

I tried using NPS, edicts and attribute 26 and Vendor specific setting, and the problem in windows nps is that it gives two errors: either 16 or 21. If I disable NTLM completely and enable only auditing, it still gives these errors. I tried different versions in 2019 and 2022.. There's no difference at all.

Hey Andy, sorry for the late response. I've been trying to find time to pull my hair out trying to understand why it doesn't work and studying the heck out of documentations 🙂 It looks like FreeRADIUS is successfully authenticating, fw monitor sees the traffic on ports 1812 and 389. This is a safe lab for now so I can share all the info here without worries.

FreeRADIUS - 192.168.1.44

AD - 192.168.5.23

And GW's relevant interfaces are .254 on relevant subnets. In the FreeRADIUS logs i see "Can't contact LDAP server. Got new socket, retrying..." but then it looks like it connects, and since the authentication succeeds, I assume the servers can communicate.

As for the settings on the SmartConsole, in the VPN Authentication I only have RADIUS set up (also tried together with username/password, still failed).

- RADIUS settings are:

Service: NEW-RADIUS
Version: RADIUS Ver. 2.0 (I found out that FreeRADIUS is RADIUS Ver. 2.0)
Protocol: PAP

- External User Profile in SmartDashboard:

generic with Authentication Scheme RADIUS

- In Global Properties, radius_ignore is 0 (as recommended in sk182516 as Dameon suggested)
and
SOFTWARE/CheckPoint/VPN1 : { CurrentVersion=[s]6.0 users_hash_capacity=[n]1024 MEPfor3rdParty=[n]1 require_message_authenticator=[n]1 }

If I can understand where to look, then I'll dive right in. I just can't seem to do that.

Well, first off, dont pull any hair out, its not healthy for you lol

Second, let make sure I get all this, kind of hard to read it properly on an airplane, haha.

I remember while back I got this working for a client by changing radius version and protocol...have you tried that?

Andy

Locally defined users always take precedence over ones defined on the authentication server.
You could also set the locally defined user to use RADIUS instead of Internal Password (or whatever method it was before).