The configuration steps described below are based on Windows Server 2008R2 and were tested in Check Point's lab.
This article describes a basic configuration of RADIUS authentication with Check Point's Gaia OS (using vendor specific attributes 229 and 230).
This article does not replace Microsoft's official documentation. Refer to Microsoft's official documentation for information about any relevant topic (e.g., Connection Request Policies).
In the Server Manager, install the RADIUS server role.
In the left pane, click on Roles - in the Role Summary section, click on Add Roles (on the far right).
In the Select Server Roles window, select Network Policy and Access Services - click on Next.
In the Select Role Services window, select only Network Policy Server - click on Next.
Click on Install - confirm that the installation was successful.
Create a RADIUS policy
Go to the Start menu -> Administrative Tools -> Network Policy Server.
In the left pane, open Policies - right-click on Network Policies - select New from the menu.
Enter a name for the new login policy - in the Type of network access server, select Unspecified - click on Next.
Click on Add... to add the conditions necessary for this network policy to run.
In this example, we specify that this policy runs for users in a specific Windows group (User Groups, Machine Groups, etc. can be used instead), so select Windows Group and click on Add.
Click on Add Groups - enter the name of the user group to which you want to grant login access.
In this example, we give access to Domain Admins. Click on Check Names to verify - click on OK twice.
In the Radius_Auth Properties window, on the Constraints tab, click on Authentication methods - select what authentication type will be used to authenticate - click on OK. For example, select Unencrypted authentication. (Refer to sk121223 for more on supported authentication methods.)
Configure the RADIUS attributes.
In the Radius_Auth Properties window, on the Settings tab - click on Vendor Specific - in the Attributes section, click on Add...
In the Add Vendor Specific Attribute window - in Vendor, select Custom - in the Attributes section, click on Vendor-Specific - click on Add...
In the Attribute information window, click on Add...
In the Vendor-Specific Attribute Information window:
Check the Enter Vendor Code - select the value 2620 (Check Point)
Check the box Yes. It conforms
Click on Configure Attribute...
In the Configure VSA (RFC Compliant) window configure the following:
Vendor-assigned attribute number = 229
Attribute format = String
Attribute value = adminRole
Click on OK until you get back to the Attribute information window
In the Attribute information window, click on Add...
In the Vendor-Specific Attribute Information window:
Check the Enter Vendor Code - select the value 2620 (Check Point)
Check the box Yes. It conforms
Click on Configure Attribute...
In the Configure VSA (RFC Compliant) window configure the following:
Vendor-assigned attribute number = 230
Attribute format = Decimal
Attribute value = 1
Click on OK until you get back to Attribute information window
The final Attribute information window should list both attributes (229 and 230).
Configure the RADIUS client (Check Point machine running Gaia OS)
In the Server Manager, go to Roles -> Network policy and access services -> NPS -> RADIUS Clients and Servers -> RADIUS Clients
Right-click on New clients - click on Add
Add the following values:
Enable this RADIUS client: make sure to check this box
Friendly name: enter the desired name for the RADIUS client
Address (IP or DNS): either the IPv4 address, or FQDN of the RADIUS client (Gaia OS IP)
Configuration on Security Gateway in Gateway mode (non-VSX):
Connect to Gaia Portal.
Go to the User Management section - click on the Authentication Servers page.
In the RADIUS Servers section, click on Add.
In the Add new RADIUS Server window, configure the following:
Priority: the priority of the RADIUS server, in case more than one is configured
Host: either the IPv4 address, or FQDN of the RADIUS server
UDP Port: leave the default 1812
Shared Secret: enter the same shared secret that was configured on the RADIUS server
Click on OK.
In the Network Access Server (NAS) field, select the interface from which the RADIUS Server will be reachable (Gaia OS will accept RADIUS authentication on any interface, or only on a specific interface).
In the RADIUS Users Default Shell field, leave the default /etc/cli.sh
In the Super User UID field, select the value "0" (zero).
Click on Apply.
Configuration on Security Gateway in VSX mode:
Gaia Portal is disabled on VSX Gateways. Therefore, the following commands should be issued in Gaia Clish:
HostName> add aaa radius-servers priority 1 host <RADIUS_HostName_or_IP_Address> port 1812 secret <RADIUS_key> timeout 3
HostName> set aaa radius-servers NAS-IP <IP_Address>
HostName> set aaa radius-servers default-shell /etc/cli.sh
HostName> set aaa radius-servers super-user-uid 0
HostName> save config
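The two vendor-specific attributes configured above (vendor 2620, sub-attribute 229 = string adminRole, sub-attribute 230 = decimal 1) travel inside a RADIUS Vendor-Specific attribute (type 26) in the Access-Accept, and the shared secret from the Gaia side is what protects that reply's Response Authenticator. The following Python script is an added example (not Check Point's or Microsoft's code) that builds such an Access-Accept, decodes the Check Point VSAs back out, and checks the Response Authenticator against the shared secret as RFC 2865 describes. The secret, the Request Authenticator, the packet identifier and all function names are constructed for the example; it runs offline and can be pointed at the attribute bytes of a real capture to confirm what NPS is sending.

```python
"""
Encode/decode the Check Point Gaia vendor-specific RADIUS attributes
(vendor 2620, sub-attributes 229 and 230) and verify an Access-Accept's
Response Authenticator against the shared secret (RFC 2865 section 3).

All packet data below is constructed in this script, not captured from NPS.
"""
import hashlib
import hmac
import os
import struct

CHECKPOINT_VENDOR_ID = 2620
ATTR_VENDOR_SPECIFIC = 26
VSA_GAIA_USER_ROLE = 229        # string, e.g. "adminRole" (attribute 229 above)
VSA_GAIA_SUPER_USER = 230       # decimal, 1 = super-user access (attribute 230 above)
CODE_ACCESS_ACCEPT = 2


def encode_vsa(sub_type, value):
    """Build one Vendor-Specific attribute (type 26) carrying one sub-attribute."""
    if isinstance(value, int):
        payload = struct.pack("!I", value)       # RADIUS integers: 4 bytes, big-endian
    else:
        payload = value.encode("utf-8")
    sub = struct.pack("!BB", sub_type, 2 + len(payload)) + payload
    body = struct.pack("!I", CHECKPOINT_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(attrs):
    """Yield (vendor_id, sub_type, raw_value) for every VSA in an attribute list."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j = i + 6
            while j + 2 <= i + alen:            # a VSA may hold several sub-attributes
                stype, slen = attrs[j], attrs[j + 1]
                if slen < 2 or j + slen > i + alen:
                    raise ValueError("malformed sub-attribute at offset %d" % j)
                yield vendor_id, stype, attrs[j + 2:j + slen]
                j += slen
        i += alen


def build_access_accept(identifier, request_auth, secret, attrs):
    """Assemble an Access-Accept with a Response Authenticator, as the server does."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(packet, request_auth, secret):
    """True if the Response Authenticator was computed with this shared secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def gaia_roles(packet, request_auth, secret):
    """Verify the reply and return the Gaia role and super-user flag it carries."""
    if packet[0] != CODE_ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % packet[0])
    if not verify_access_accept(packet, request_auth, secret):
        # This is what a shared-secret mismatch between NPS and Gaia looks like:
        # the client must silently discard such a reply (RFC 2865).
        raise ValueError("Response Authenticator mismatch: shared secret differs")
    result = {}
    for vendor_id, stype, raw in decode_attributes(packet[20:]):
        if vendor_id != CHECKPOINT_VENDOR_ID:
            continue
        if stype == VSA_GAIA_USER_ROLE:
            result["role"] = raw.decode("utf-8")
        elif stype == VSA_GAIA_SUPER_USER and len(raw) == 4:
            result["super_user"] = struct.unpack("!I", raw)[0]
    return result


def demo():
    secret = b"example-shared-secret"   # constructed; use the secret configured on both sides
    request_auth = os.urandom(16)       # the Request Authenticator of our Access-Request
    attrs = encode_vsa(VSA_GAIA_USER_ROLE, "adminRole") + encode_vsa(VSA_GAIA_SUPER_USER, 1)
    packet = build_access_accept(7, request_auth, secret, attrs)
    print(gaia_roles(packet, request_auth, secret))
    try:
        gaia_roles(packet, request_auth, b"wrong-secret")
    except ValueError as err:
        print("rejected:", err)


if __name__ == "__main__":
    demo()
```

The role string returned for attribute 229 must match a role name that exists on the Gaia side (adminRole in this article); attribute 230 set to 1 corresponds to the Super User UID of 0 selected above.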