Identity Awareness not authentic user through iden...

FrankXie · ‎2022-07-14

Hello Expert

I am trying to setup identity awareness in my environment. But somehow I found my secureGateway never send radius authentication to my configured authentication server.

I always get this error

An error was detected while trying to authenticate against the AD server.
It may be a problem of bad configuration or connectivity.
Please refer to the troubleshooting guide for more help

Turning on pdp debug I can only find [15 Jul 13:40:34] [RADIUS (TD::Events)] pdp::PDPRadiusManager::~PDPRadiusManager: enter d'tor about radius.

TCPDUMP can't capture any packet with filter "port 1812".

Any idea?

Thanks

Frank

Chris_Atkinson · ‎2022-07-15

Can you describe the flow in more detail?

Typically Identity Awareness integration based on Radius would be looking at Radius Accounting 1813.

CCSM R77/R80/ELITE

FrankXie · ‎2022-07-15

Thanks Chris

The first flow is download identity agent through portal after authenticate through ldap server which works fine and I also think it is not relevant.

Second flow is getting identity information through connecting identity agent. It is using user name and password authentication through radius server. Actually I am quite understand how this works because I don’t know there’s any group information in radius response. Anyway I got that error message and with pdp debug I can see it querying ad server but not sending authentication. Would it because my test account not in any ad server? And does it mean pdp query ad server to get identity information before sending radius authentication?

Cheers

Frank

Chris_Atkinson · ‎2022-07-15

The relationship between the User Directories & Authentication is referenced in the admin guide, the user has to exist somewhere in a repository before it is authenticated.

Refer: Authentication Settings > User Directories

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...

CCSM R77/R80/ELITE

FrankXie · ‎2022-07-17

Thanks Chris

This make sense.

Just one problem, I am not able to specific user directory in IA authentication setting, no +/-. BTW, my firewall and smartconsole are version 81.10

Chris_Atkinson · ‎2022-07-17

If you have the user directories such as an LDAP Account Unit already defined it should allow you to select it, if you need specific configuration for this gateway/cluster versus global. With that said their does appear to be a glitch in the UI when comparing the screens below as the +/- buttons aren't shown. Please report this to TAC if it's critical for your setup and I will also follow-up internally.

Identity Agent

Browser Based

CCSM R77/R80/ELITE

Chris_Atkinson · ‎2022-07-18

Check the Windows magnification level is not different than 100% [Display > Scale and layout] and it should work around the UI glitch in the interim.

CCSM R77/R80/ELITE

FrankXie · ‎2022-07-19

Thanks Chris

Sorry for the late reply.

I am talking about identity agent authentication.

Change display scale not help. 😞

Chris_Atkinson · ‎2022-07-19

Did you relaunch the application after changing the scale setting? (It corrected the issue in my testing).

If the issue persists and or the "All Gateways Directories" option isn't suitable in your case please contact TAC.

CCSM R77/R80/ELITE

FrankXie · ‎2022-07-20

you absolutely right, relaunch application after changing display scale +/- shows. Thanks a lot, you really a expert.

Are you a member of CheckMates?

Identity Awareness not authentic user through identity agent with Radius