This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DVI
Explorer
‎2021-07-14 04:13 AM

Using RADIUS Groups (RAD_<Group>) to Assign Permissions

Hi,

(The whole post is attached as pdf for readability purpose)

Any idea on what goes wrong?

  • Run on R80.40 VSX,
  • Client is Endpoint Security VE84.70 Build 986200225 (MACOS)
  • Radius authentication to NPS Windows Server 2012R2

    Radius.jpg

  • Configuration according to attached Checkpoint documentation (Radius authentication – Compatibility Mode)
  • 2 accesss roles , matching 2 Policy Groups defined on the Radius/NPS server
    1 access role, matching “any user"

    denvin_1-1626255488760.png

     

  • vpnd.elg shows 3 radisu update for user groups attr. 26. None of them are known by the db
     

    3217 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_by_reply: calling handler for attr 26.
    3218 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): start. do_radgroups=1
    3219 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): Looking for group RAD_ S=83DEE04C8210C8AEBEB06357B72B078848BE87DC in db
    3220 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): group RAD_ S=83DEE04C8210C8AEBEB06357B72B078848BE87DC not found in db
    3221 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups: didn't add group [RAD_ S=83DEE04C8210C8AEBEB06357B72B078848BE87DC]
    3222 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): Looking for group RAD_€yUŽŠôpF,6Þä{?*_EXhùót)06`"8Æ@¾ in db
    3223 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): group RAD_€yUŽŠôpF,6Þä{?*_EXhùót)06`"8Æ@¾ not found in db
    3224 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups: didn't add group [RAD_€yUŽŠôpF,6Þä{?*_EXhùót)06`"8Æ@¾]
    3225 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): Looking for group RAD_€zÈ«+®N…–â…ËÆ莙j°iÕé3Óz†#m$Ôå¡® in db
    3226 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): group RAD_€zÈ«+®N…–â…ËÆ莙j°iÕé3Óz†#m$Ôå¡® not found in db
    3227 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups: didn't add group [RAD_€zÈ«+®N…–â…ËÆ莙j°iÕé3Óz†#m$Ôå¡®]
    3228 [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_callback(au=947d980): daemon: other, login info: valid, server object: valid, src_ip: 0

 

  • Log shows:

    Source User Group: All Users
    Roles :                        AccessRole_AllUsers


    Log shows.jpg

     

     

 

 

 

 

 

 

  • Only rule 17 is matched

     

Only rule 17.jpg

 

 

I will be happy to read your suggestions and/or comments

 

Best Regards

Preview file
459 KB
Preview file
450 KB
0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2021-07-16 12:37 PM

Groups in Access Roles come from LDAP, not RADIUS.
Do you have LDAP configured at all?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events