mp2012
Contributor

Avoid AD Query?

Hi,

 

I'm currently using the Identity Collector to get AD data. Now I got a use case involving Radius as a source for Identity Awareness. May I avoid activating AD Query for group membership lookups for these users? (I dont need group memberships at all, just user names from radius in checkpoint logs). Any advise?

 

kind regards,

mp2012

0 Kudos
7 Replies
ProxyOps
Contributor

Hi,

you don't need to activate AD Query to use RADIUS accounting. The PDP Gateway will do the LDAP queries towards your AD for the users and group memberships.

Best regards


0 Kudos
mp2012
Contributor

Well, in the Identity Awareness log I get "failed login" for these RADIUS entries. The description says "Group membership of the required account (user or machine) could not be retrieved from the AD. Make sure the account exists in the AD."

So it seems there is no query done to the Identity Collector.

 

kind regards

 

0 Kudos
ProxyOps
Contributor

Hi,

this error message indicates that the PDP Gateway is not able to find the user via LDAP in your AD. Your Identity Collector is not doing the LDAP search. This is always done by the PDP Gateway with the configured LDAP Server Object.

This can have many different causes. Please check the following SK:

"Group membership of the required account (user or machine) could not be retrieved from the AD" log ...


Best regards

0 Kudos
mp2012
Contributor

Hi,

I guess scenario 6 fits. At least it shows me this username format in the IA log "source user name" column. Checking with "pdp monitor all" at the gateway, I don't see these usernames. Anyway, this should be fixed since R80.20 (I'm on 81.10). I still have an LDAP account unit configured for the AD.

 

0 Kudos
ProxyOps
Contributor

Hi,

in which format are your users authenticating in your RADIUS Identity Source? I think the format depends on the device/vendor from which the RADIUS accounting event is sent.

You have to be sure that the RADIUS Accounting settings on the receiving PDP Gateways are matching:

For example:

See attached Screenshot.


Please also make sure to verify whether the source is sending sAM or UPN format. See the following SKs:

Users are not authenticated when an identity source provides the login name in 'User Principal Name'...

RADIUS authentication fails for LDAP users as gateway uses sAMAccountName and not UPN when UPN neede...

Using "User logon name (Pre-Windows 2000)" different then "User logon name" with Identity MUH agent ...

This also could be the issue here. 

Best regards

0 Kudos
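As an added illustration of the format check ProxyOps describes (example code, not from the thread or from Check Point): a small Python helper that classifies the User-Name in RADIUS accounting records as sAMAccountName-style (DOMAIN\user or bare user) or UPN-style (user@realm) and lists the ones that do not match the format the receiving PDP gateway is configured to expect. The sample record lines, their attribute layout and the `expected_fmt` labels are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ParsedLogin:
    raw: str              # User-Name exactly as received
    fmt: str              # "sam" (DOMAIN\user or bare user) or "upn" (user@realm)
    user: str             # account part without domain/realm
    domain: Optional[str] # NetBIOS domain (upper) or UPN realm (lower), None if absent


def classify_login(name: str) -> ParsedLogin:
    """Classify a RADIUS User-Name into the two login formats discussed above."""
    name = name.strip()
    if "\\" in name:                       # DOMAIN\user -> sAMAccountName style
        domain, user = name.split("\\", 1)
        return ParsedLogin(name, "sam", user, domain.upper())
    if "@" in name:                        # user@realm -> User Principal Name
        user, realm = name.rsplit("@", 1)
        return ParsedLogin(name, "upn", user, realm.lower())
    return ParsedLogin(name, "sam", name, None)   # bare user -> sAM without domain


# Constructed sample accounting records (assumed layout), not real gateway output.
SAMPLE_RECORDS = [
    "Acct-Status-Type=Start User-Name=CORP\\jdoe Framed-IP-Address=10.0.0.5",
    "Acct-Status-Type=Start User-Name=jdoe@corp.example Framed-IP-Address=10.0.0.6",
    "Acct-Status-Type=Start User-Name=asmith Framed-IP-Address=10.0.0.7",
]

USER_NAME_RE = re.compile(r"User-Name=(\S+)")


def find_mismatches(records: List[str], expected_fmt: str) -> List[Tuple[str, str]]:
    """Return (User-Name, detected format) for records whose format differs
    from expected_fmt ("sam" or "upn"); these are the logins the PDP would
    fail to resolve in AD if its RADIUS accounting settings expect the other form."""
    mismatches = []
    for rec in records:
        m = USER_NAME_RE.search(rec)
        if not m:
            continue                       # record carries no User-Name attribute
        parsed = classify_login(m.group(1))
        if parsed.fmt != expected_fmt:
            mismatches.append((parsed.raw, parsed.fmt))
    return mismatches


if __name__ == "__main__":
    for raw, fmt in find_mismatches(SAMPLE_RECORDS, "sam"):
        print(f"{raw}: sent as {fmt}, gateway expects sam")
```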
Lesley
Advisor

I have AD Query disabled under the firewall object in SmartConsole and only use ID collectors.

But I still have an LDAP account unit. Please check if you have that for the relevant AD servers.

I think the firewalls still reach out towards the DCs to make sure the collectors' information is valid.

It is to remove load for gateways towards collectors.

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
mp2012
Contributor

Hi,

yes, I still have a proper LDAP AD account unit configured.

 

0 Kudos
