RADIUS

Before you start to configure SSOClosed Single Sign-On (SSO) - A session/user authentication process that permits a user to enter one name and password in order to access multiple applications. Authentication with RADIUSClosed Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP as transport., make sure to log in with the same user or email that you used when you created the account. This allows you to create a fallback user that can always log in to the current account regardless of RADIUS servers availability.

The user that created the account is called Primary Contact. Infinity Portal does not authenticate this user through RADIUS SSO. This is to prevent the situation when the account becomes locked to all users because of RADIUS server's failure. In this case, the Primary Contact can always authenticate and log in with the password stored in the Infinity Portal database as a local user.

Note - if it is necessary to configure your firewall to allow Check Point Infinity Portal backend IP addresses, see the Identity & Access - Identity Providers.

  1. In the Infinity Portal go to > Identity & Access > click the plus icon.

  2. Enter a name for the Integration Title and select RADIUS.

  3. Click Next.

In this step, you can configure SSO authentication for Infinity Portal administrators and for end users of Check Point services.

  1. Select Enable Administrators to log in to the portal using this IdP.

  2. Select this option:

    One organizational account - Infinity PortalAdministrators can log into this Infinity Portal account with SSO from the Identity ProviderClosed A system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network. Acronym: IdP or IDP.. Administrators log in through the Infinity Portal login page.

  3. Do one of these actions:

    • Continue to the Service(s) Integration section.

    • Click Next / Apply to complete the Integration Type configuration.

  1. In the Service(s) Integration section, select one of these options:

    • No Services - There is no SSO authentication from the Identity Provider for end users of Check Point services. This is the default configuration.

    • All Services - End users can log in with SSO from the Identity Provider for all Check Point services that support SSO.

    • Specific Service(s) - A list of services opens. Select service(s) for which you want end users to log in with SSO from the Identity Provider. Available services:

      • Harmony Connect

      • QuantumGateways

  2. Click Next / Apply to complete the Integration Type configuration.

Verify the ownership of your domain to make sure successful identification for all the users that belong to your organization:

Note - If you select One of more organizational accounts, this step is not necessary.

  1. The DNS record generates. Click to copy the generated DNS record value

  2. Enter the copied DNS record to your DNS server as a TXT record.

  3. Below Domain(s), enter your organization's public DNS domain server name and click the plus icon.

    Check Point makes a DNS query to verify your domain's configuration.

  4. When all domains show on the list, click Next, click Next.

    Note - Wait until the DNS record is propagated and can be resolved.

  1. On the Configure Servers page, enter the details of your RADIUS server(s):

    • Primary Host IP - enter the server IP address.

    • Primary Host Secret - enter the server secret.

    • Port - The default RADIUS ports are 1812 and 1813. To use a different port for RADIUS, contact Check Point Support.

    • Add Another Host - optionally, add a secondary RADIUS server to provide a backup when the primary server is unreachable. These two servers use the same port. Enter the secondary server IP address and secret.

    • Connectivity Test - optionally, check the RADIUS server connectivity:

      • Enter the user name.

      • Enter the user password.

      • Click Test connectivity.

      A message of the successful connection to the RADIUS server appears.

  2. Click Next.

Review the details of the SSO configuration and click Submit.

Important - Create a user group with the applicable roles and assign it to the related IdP group name or ID. This depends on the applicable identity provider before you log out. For more information, see User Groups.