RADIUS

Before you start to configure SSO Authentication with RADIUS, make sure to log in with the same user or email that you used when you created the account. This allows you to create a fallback user that can always log in to the current account regardless of RADIUS servers availability.

The user that created the account is called Primary Contact. Check Point Portal does not authenticate this user through RADIUS SSO. This is to prevent the situation when the account becomes locked to all users because of RADIUS server's failure. In this case, the Primary Contact can always authenticate and log in with the password stored in the Check Point Portal database as a local user.

Note - If it is necessary to configure your firewall to allow Check Point Portal backend IP addresses, see the Restrict Account Access.

Prerequisite:

  • Permissions to your company's DNS server.

  1. In the Check Point Portal go to > Identity & Access and click the plus icon.

  2. Enter a name for the Integration Title and select RADIUS.

  3. Click Next.

In this step, you can configure SSO authentication for Check Point Portal administrators and for end users of Check Point services.

  1. Select Enable Administrators to log in to the portal using this IdP.

  2. Select this option:

    • Login based on domain verification - Check Point Portal Administrators can log in to this Check Point Portal account with SSO from the Identity Provider. Administrators log in through the Check Point Portal login page.

  3. Do one of these actions:

    • Continue to the Service(s) Integration section.

    • Click Next / Apply to complete the Integration Type configuration.

  1. In the Service(s) Integration section, select one of these options:

    • No Services - There is no SSO authentication from the Identity Provider for end users of Check Point services. This is the default configuration.

    • All Services - End users can log in with SSO from the Identity Provider for all Check Point services that support SSO.

    • Specific Service(s) - A list of services opens. Select service(s) for which you want end users to log in with SSO from the Identity Provider.

      Available services:

      • Connect

      • Quantum Gateways

  2. Click Next / Apply to complete the Integration Type configuration.

Note - If you selected Login with a unique URL for Integration Type, the Verify Domain step is not necessary.

  1. Connect to your DNS server.

  2. Copy the DNS Value from the Check Point Portal IdP Integration wizard > Verify Domain step.

  3. On your DNS server, enter the Value as a TXT record.

  4. In the Check Point Portal > Domain(s) section, enter a public DNS domain server name and click the plus icon.

    Check Point makes a DNS query to verify your domain's configuration.

  5. Optional - add more DNS domain servers.

  6. Click Next.

    Note - Wait until the DNS record propagates and becomes resolvable.

  1. On the Configure Servers page, enter the details of your RADIUS server(s):

    • Primary Host IP - enter the server IP address.

    • Primary Host Secret - enter the server secret.

    • Port - The default RADIUS ports are 1812 and 1813. To use a different port for RADIUS, contact Check Point Support.

    • Add Another Host - optionally, add a secondary RADIUS server to provide a backup when the primary server is unreachable. These two servers use the same port. Enter the secondary server IP address and secret.

    • Connectivity Test - optionally, check the RADIUS server connectivity:

      • Enter the username.

      • Enter the user password.

      • Click Test connectivity.

      A message of the successful connection to the RADIUS server appears.

  2. Click Next.

Review the details of the SSO configuration and click Submit.

Important - Create a user group with the applicable roles and assign it to the related IdP group name or ID. This depends on the applicable identity provider before you log out. For more information, see User Groups.