White Paper - Using RADIUS Authentication for Remote Access VPN

Author

@Samuel_Shiflett 

Abstract:

This guide will show step by step instructions for configuring Remote Access VPN to utilize RADIUS authentication. There is also an appendix that includes instructions for integrating DUO MFA with a Check Point Remote Access Gateway.

For the full list of White Papers, go here

1 Reply

I followed this document to the "T" and in R80.30 the generic* user is not being honored by the gateway. Has anyone seen this issue? Is it a known issue?

In prior versions, when a user tried to log in, given that add_radius_groups was set to "true", the user group associated with generic* would be sent to the RADIUS server as part of the login request. Now I am simply getting a "user doesn't belong to remote access community" error, and when I hard-code the "Authentication" on the gateway to use RADIUS the user is not able to log in either, because the attributes are not being sent along. The same behavior I saw in the lab I'm seeing at the customer site.

LAB, SO IT DOESN'T MATTER: IP ADDRESSES ARE NOT SANITIZED:

19:27:51.323746 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 155) 192.168.50.1.49472 > 192.168.50.55.1812: RADIUS, length: 127
Access Request (1), id: 0x18, Authenticator: 34025483c7e43062d12e3846302ff6c9
Username Attribute (1), length: 13, Value: jconcepcion
0x0000: 6a63 6f6e 6365 7063 696f 6e
Vendor Specific Attribute (26), length: 24, Value: Vendor: Microsoft (311) [|radius]
0x0000: 0000 0137 0b12 7cc3 4ddb 54df 1535 4a37
0x0010: b076 a4 [|radius]
19:27:51.503001 IP (tos 0x0, ttl 128, id 24824, offset 0, flags [DF], proto: UDP (17), length: 70) 192.168.50.55.1812 > 192.168.50.1.49472: [udp sum ok] RADIUS, length: 42
Access Reject (3), id: 0x18, Authenticator: 3afb744dbb91ca21d1c38dff25e5af66
Vendor Specific Attribute (26), length: 22, Value: Vendor: Microsoft (311)
Vendor Attribute: 2, Length: 14, Value: .E=649 R=0 V=3
0x0000: 0000 0137 0210 0045 3d36 3439 2052 3d30
0x0010: 2056 3d33
19:31:15.985985 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 91) 192.168.50.1.35094 > 192.168.50.55.1812: RADIUS, length: 63
Access Request (1), id: 0x19, Authenticator: 76309a24680ac47f73e0cfb13c9450fd
Username Attribute (1), length: 13, Value: jconcepcion
0x0000: 6a63 6f6e 6365 7063 696f 6e
Password Attribute (2), length: 18, Value:
0x0000: 8a11 5436 8b6f 29c1 c75c 13cb c26f 63d4
Service Type Attribute (6), length: 6, Value: [|radius]
0x0000: 00 [|radius]
19:31:15.989658 IP (tos 0x0, ttl 128, id 6831, offset 0, flags [DF], proto: UDP (17), length: 48) 192.168.50.55.1812 > 192.168.50.1.35094: [udp sum ok] RADIUS, length: 20
Access Reject (3), id: 0x19, Authenticator: 1c66bf4f6ab54a90323b40cd0a474f9d

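The two Access-Reject packets in the capture above can be decoded by hand from the hex tcpdump prints, but a small parser makes the attribute structure explicit: the 20-byte RADIUS header (RFC 2865), the attribute TLVs, and the Microsoft Vendor-Specific Attribute (vendor 311, RFC 2548) whose vendor type 2 is MS-CHAP-Error. The following is an added example, not code from the white paper, Check Point or Duo. The two reject packets are reassembled byte for byte from the capture in the reply; the shared secret used for the Response Authenticator check is constructed, because the capture does not contain the real one.

```python
"""Decode RADIUS replies (RFC 2865) and Microsoft VSAs (RFC 2548).

Added example: REJECT_0X18 and REJECT_0X19 are reassembled from the tcpdump
output in the forum reply; the secret used below is constructed for the demo.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 6: "Service-Type", 25: "Class"}
VENDOR_MICROSOFT = 311   # the "Vendor: Microsoft (311)" tcpdump prints
MS_CHAP_ERROR = 2        # vendor type 2 inside the Microsoft VSA
# Error codes carried in MS-CHAP-Error, as listed in RFC 2548 section 2.1.5.
MS_CHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                  648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                  691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

@dataclass
class Attribute:
    type: int
    value: bytes
    vendor_id: Optional[int] = None    # set only for attributes unpacked from a VSA
    vendor_type: Optional[int] = None

@dataclass
class Packet:
    code: int
    identifier: int
    authenticator: bytes
    attributes: list = field(default_factory=list)

def parse_vsa(value: bytes) -> list:
    """Split a Vendor-Specific (26) value into its Vendor-Id and vendor TLVs."""
    if len(value) < 4:
        raise ValueError("VSA shorter than a Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    out, pos = [], 4
    while pos < len(value):
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad vendor attribute length {vlen}")
        out.append(Attribute(26, value[pos + 2:pos + vlen], vendor_id, vtype))
        pos += vlen
    return out

def parse_packet(raw: bytes) -> Packet:
    """Parse the header and attribute TLVs, refusing length fields that do not match the bytes."""
    if len(raw) < 20:
        raise ValueError("RADIUS header is 20 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes received")
    pkt, pos = Packet(code, ident, raw[4:20]), 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = raw[pos + 2:pos + alen]
        pkt.attributes.extend(parse_vsa(value) if atype == 26 else [Attribute(atype, value)])
        pos += alen
    return pkt

def decode_ms_chap_error(value: bytes) -> dict:
    """MS-CHAP-Error is one Ident byte followed by text such as 'E=649 R=0 V=3'."""
    fields = {"ident": value[0]}
    for token in value[1:].decode("ascii").split():
        key, _, val = token.partition("=")
        fields[key] = int(val) if val.isdigit() else val
    fields["meaning"] = MS_CHAP_ERRORS.get(fields.get("E"), "unknown")
    return fields

def summarize(raw: bytes) -> dict:
    """Human-readable view of a packet: code, identifier and decoded attributes."""
    pkt, attrs = parse_packet(raw), []
    for a in pkt.attributes:
        if a.vendor_id == VENDOR_MICROSOFT and a.vendor_type == MS_CHAP_ERROR:
            attrs.append(("MS-CHAP-Error", decode_ms_chap_error(a.value)))
        elif a.vendor_id is not None:
            attrs.append((f"VSA {a.vendor_id}/{a.vendor_type}", a.value.hex()))
        else:
            attrs.append((ATTR_NAMES.get(a.type, f"Attr-{a.type}"), a.value))
    return {"code": RADIUS_CODES.get(pkt.code, pkt.code), "id": pkt.identifier, "attributes": attrs}

def build_reply(code: int, ident: int, attributes: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side of RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return header + hashlib.md5(header + request_auth + attributes + secret).digest() + attributes

def verify_response_authenticator(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side of the same check: a reply that fails it was not produced with the shared secret."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

# Access-Reject id 0x18 (length 42) from the capture: header, then VSA 26/22 holding
# Vendor-Id 311, vendor type 2 length 16, Ident 0x00 and the text "E=649 R=0 V=3".
REJECT_0X18 = bytes.fromhex("0318002a" "3afb744dbb91ca21d1c38dff25e5af66"
                            "1a16" "00000137" "0210" "00" "453d36343920523d3020563d33")
# Access-Reject id 0x19 (length 20) from the capture: a bare header with no attributes.
REJECT_0X19 = bytes.fromhex("03190014" "1c66bf4f6ab54a90323b40cd0a474f9d")

if __name__ == "__main__":
    for raw in (REJECT_0X18, REJECT_0X19):
        print(summarize(raw))
    # Constructed secret: the capture has no shared secret, so only the mechanism is shown.
    req_auth, secret = bytes(range(16)), b"constructed-secret"
    reply = build_reply(3, 0x19, b"", req_auth, secret)
    print(verify_response_authenticator(reply, req_auth, secret), verify_response_authenticator(reply, req_auth, b"other"))
```

Running the block shows that the first reject carries MS-CHAP-Error with E=649, which RFC 2548 names ERROR_NO_DIALIN_PERMISSION, while the second reject (the plain User-Password attempt) carries no attributes at all; the Response Authenticator functions show the check a NAS applies before trusting either reply, and that it cannot be reproduced from a capture alone without the shared secret.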