R81.20 Browser-Based Authentication with RADIUS – ...

abutayyab

Hey all,

I have a Check Point R81.20 (JHF 119) Security Gateway deployed on an Open Server for a customer. The customer is looking to implement Browser-Based Authentication (Captive Portal) for known users, with FreeRADIUS as the backend authentication source. The FreeRADIUS server is running on Ubuntu 24.04, and users are defined locally with Cleartext-Password entries.

I have followed the R81.20 Identity Awareness Admin Guide to configure Browser-Based Authentication using RADIUS. However, when a user attempts to authenticate via the Captive Portal, I consistently see “Bad username or password” events in SmartView Logs.

The key observation is that no RADIUS Access-Request packets are sent from the gateway:

- tcpdump on the gateway (any interface, port 1812) shows no outbound RADIUS traffic
- No packet drops are observed on the gateway
- This suggests the authentication failure is occurring locally on the gateway before RADIUS is invoked

Below are the relevant configuration snippets from the Check Point gateway (Browser-Based Authentication settings, RADIUS server object, and Access Control rule).

Authentication SettingsPortal SettingsFreeradius object

I would appreciate any help in this regard:

- Any known R81.20 caveats or prerequisites specific to Browser-Based Authentication with RADIUS?
- Is there a built-in CLI tool to test RADIUS authentication from the gateway, similar to test_ad_connectivity.sh for AD?

Thanks in advance for your help.

Regards,
Abdul Tayyeb R.

the_rock

Under accessibility settings, is it set to all interfaces or only internal?

Best,
Andy

the_rock

@abutayyab I was referring to below.

Best,
Andy

abutayyab

It's set to "Through internal interfaces". The captive portal is accessible. Had there been some issue with accessibility settings, the captive portal itself wouldn't have shown up in that case.

the_rock

True, makes sense. So you dont see anything on port 1812 outbound at all?

Best,
Andy

Lesley

You need to configure where the fw has to look for the users. No options are selected user directories

User Directories - Select one or more places where the Security Gateway searches to find users when they try to authenticate.
- Internal users - The directory of internal users.
- LDAP users - The directory of LDAP users. Either:
  - Any - Users from all LDAP servers.
  - Specific - Users from an LDAP server that you select.
- External user profiles - The directory of users who have external user profiles.

-------
Please press "Accept as Solution" if my post solved it 🙂

the_rock

Totally valid point...I missed that from the screenshots, but its 100% required.

Best,
Andy

abutayyab

I have already selected "External user profiles". Do I need to select something else here? While troubleshooting the issue, I had selected all 3 directory options hoping to resolve the issue, but then I ended up getting a different error as mentioned below:

"An error was detected while trying to authenticate against the AD server. It may be a problem of bad configuration or connectivity. Please refer to the troubleshooting guide for more help"

the_rock

That could be AD server issue...any relevant logs there?

Best,
Andy

Lesley

Does your LDAP account unit work correctly? Able to fetch finger print? Do you see identities in the firewall logs? Able to search LDAP groups and use them in the rulebase from SmartConsole? I would use LDAP users instead of External

-------
Please press "Accept as Solution" if my post solved it 🙂

abutayyab

There is NO LDAP server in the network. There's only one RADIUS server that has users/contractors defined. And I want these users to be authenticated before they're given Internet access. Is something wrong with my setup?

Vincent_Bacher

Yes. LDAP users are enabled but no LDAP directory exists. With Browser-Based Authentication the gateway must first resolve the user in a selected directory before RADIUS is used. Since LDAP lookup fails, authentication stops locally and never reaches RADIUS. Disable LDAP users and use Internal Users or External User Profiles that authenticate via RADIUS.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

the_rock

Makes perfect sense!

Best,
Andy

Are you a member of CheckMates?

R81.20 Browser-Based Authentication with RADIUS – “Bad username or password”