DVI
Explorer

Using RADIUS Groups (RAD_<Group>) to Assign Permissions

Hi,

(The whole post is attached as a PDF for readability purposes.)

Any idea on what goes wrong?

  • Runs on R80.40 VSX
  • Client is Endpoint Security VE84.70 Build 986200225 (macOS)
  • RADIUS authentication to NPS on Windows Server 2012 R2

    [attached image: Radius.jpg]

  • Configuration according to the attached Check Point documentation (RADIUS authentication – Compatibility Mode)
  • 2 access roles, matching 2 policy groups defined on the RADIUS/NPS server;
    1 access role, matching "any user"

    [attached image: denvin_1-1626255488760.png]

  • vpnd.elg shows 3 RADIUS updates for user groups (attr. 26). None of them are known to the db:

    [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_by_reply: calling handler for attr 26.
    [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): start. do_radgroups=1
    [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): Looking for group RAD_ S=83DEE04C8210C8AEBEB06357B72B078848BE87DC in db
    [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): group RAD_ S=83DEE04C8210C8AEBEB06357B72B078848BE87DC not found in db
    [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups: didn't add group [RAD_ S=83DEE04C8210C8AEBEB06357B72B078848BE87DC]
    [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): Looking for group RAD_€yUŽŠôpF,6Þä{?*_EXhùót)06`"8Æ@¾ in db
    [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): group RAD_€yUŽŠôpF,6Þä{?*_EXhùót)06`"8Æ@¾ not found in db
    [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups: didn't add group [RAD_€yUŽŠôpF,6Þä{?*_EXhùót)06`"8Æ@¾]
    [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): Looking for group RAD_€zÈ«+®N…–â…ËÆ莙j°iÕé3Óz†#m$Ôå¡® in db
    [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups(au=947d980): group RAD_€zÈ«+®N…–â…ËÆ莙j°iÕé3Óz†#m$Ôå¡® not found in db
    [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_update_user_groups: didn't add group [RAD_€zÈ«+®N…–â…ËÆ莙j°iÕé3Óz†#m$Ôå¡®]
    [vpnd 3330 4081784768]@FW11ALBE001[14 Jul 12:40:54][AU] radius_callback(au=947d980): daemon: other, login info: valid, server object: valid, src_ip: 0


  • Log shows:

    Source User Group: All Users
    Roles: AccessRole_AllUsers


    [attached image: Log shows.jpg]

  • Only rule 17 is matched


    [attached image: Only rule 17.jpg]

I will be happy to read your suggestions and/or comments
Best Regards

0 Kudos
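An added worked example, written by the editor and not taken from the post, Check Point or Microsoft: it decodes the attribute list of a RADIUS Access-Accept and shows what a decoder gets when it turns every Vendor-Specific (attribute 26) value into a "RAD_<string>" group name, against a decoder that only takes names from Class (25) or from one configured vendor. The reading that the first posted value has the shape of an MS-CHAP2-Success string ("S=" plus 40 hex digits, RFC 2548) and that the two binary ones resemble MS-MPPE-Send-Key / MS-MPPE-Recv-Key is the editor's interpretation, not something the thread confirms; the "naive" decoder is an assumed model of the behaviour the log suggests, not a description of vpnd's real logic. Vendor ID 311 and the vendor types are from RFC 2548, 2620 is Check Point's IANA enterprise number, and the Access-Accept payload, group name "VPN_Admins" and key bytes are all constructed.

```python
"""Constructed example: decode RADIUS Access-Accept attributes and show why
treating every Vendor-Specific (attr 26) value as a group name produces
entries such as 'RAD_<ident>S=...' and 'RAD_<binary junk>'.
Editor's code, not Check Point's; see the lead-in for the assumptions."""
import struct

ATTR_CLASS = 25               # RFC 2865 Class
ATTR_VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific
MS_VENDOR_ID = 311            # Microsoft (RFC 2548)
MS_MPPE_SEND_KEY = 16         # RFC 2548 vendor types
MS_MPPE_RECV_KEY = 17
MS_CHAP2_SUCCESS = 26
CHECKPOINT_VENDOR_ID = 2620   # Check Point's IANA enterprise number


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute in the RFC 2865 recommended
    Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value layout."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def parse_avps(data: bytes):
    """Yield (type, value) for each attribute, refusing bad lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[i + 2:i + length]
        i += length


def parse_vsa(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, vendor_type, vendor_value)."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific value too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return [(vendor_id, vt, vv) for vt, vv in parse_avps(value[4:])]


def naive_groups(attrs: bytes):
    """Assumed model of the posted log: every attr-26 sub-attribute becomes
    a group name 'RAD_<value as text>', whoever the vendor is."""
    names = []
    for attr_type, value in parse_avps(attrs):
        if attr_type == ATTR_VENDOR_SPECIFIC:
            for _vendor, _vtype, vval in parse_vsa(value):
                names.append("RAD_" + vval.decode("latin-1"))
    return names


def vendor_aware_groups(attrs: bytes, vendor_id: int = CHECKPOINT_VENDOR_ID):
    """Illustrative check: take group names only from Class and from VSAs of
    the configured vendor, so Microsoft's MS-CHAPv2/MPPE data is ignored."""
    names = []
    for attr_type, value in parse_avps(attrs):
        if attr_type == ATTR_CLASS:
            names.append("RAD_" + value.decode("utf-8", errors="replace"))
        elif attr_type == ATTR_VENDOR_SPECIFIC:
            for vid, _vtype, vval in parse_vsa(value):
                if vid == vendor_id:
                    names.append("RAD_" + vval.decode("utf-8", errors="replace"))
    return names


def build_sample_accept() -> bytes:
    """Constructed attribute list of an Access-Accept from an NPS doing
    MS-CHAPv2.  The hex string is copied from the post; the Ident byte and
    the 'encrypted key' bytes are placeholders, not real crypto output."""
    success = bytes([0x01]) + b"S=83DEE04C8210C8AEBEB06357B72B078848BE87DC"
    fake_key = bytes([0x80, 0x7A]) + bytes(range(0xC8, 0xC8 + 32))  # salt + 32 bytes
    return b"".join([
        avp(ATTR_CLASS, b"VPN_Admins"),
        vsa(MS_VENDOR_ID, MS_CHAP2_SUCCESS, success),
        vsa(MS_VENDOR_ID, MS_MPPE_SEND_KEY, fake_key),
        vsa(MS_VENDOR_ID, MS_MPPE_RECV_KEY, fake_key),
    ])


if __name__ == "__main__":
    reply = build_sample_accept()
    print("naive:       ", [repr(g) for g in naive_groups(reply)])
    print("vendor-aware:", vendor_aware_groups(reply))
```

Running it prints three naive names (one readable "S=..." string preceded by the Ident byte, two of binary junk) and a single vendor-aware name, "RAD_VPN_Admins". Whatever the gateway's real selection logic is, the practical check this suggests is to capture the Access-Accept (tcpdump/Wireshark on UDP 1812) and confirm which attribute and vendor the NPS policy actually puts the group name in.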
1 Reply
PhoneBoy
Admin

Groups in Access Roles come from LDAP, not RADIUS.
Do you have LDAP configured at all?

0 Kudos