
Configuring RADIUS Accounting

Configure RADIUS Accounting in the RADIUS Accounting Settings window. In the Check Point Gateway window > Identity Awareness page, click RADIUS Accounting > Settings.

Included Topics

RADIUS Client Access Permissions

Authorized RADIUS Clients

Message Attribute Indices

Session Timeout and LDAP Servers

RADIUS Client Access Permissions

Gateway interfaces must be authorized to accept connections from RADIUS Accounting clients.

To select gateway interfaces:

  1. In the RADIUS Client Access Permissions section, click Edit.
  2. Select Security Gateway interfaces that can accept connections from RADIUS Accounting clients:
    1. All Interfaces - All Security Gateway interfaces can accept connections from RADIUS Accounting clients (default)
    2. Internal Interfaces - Only explicitly defined internal Security Gateway interfaces can accept connections from RADIUS Accounting clients
      • Including undefined internal interfaces - Also accepts connections from internal interfaces without a defined IP address
      • Including DMZ internal interfaces - Also accepts connections from clients located in the DMZ
    3. Firewall Policy - Interface connections are allowed according to the Firewall policy.
  3. Enter or select the UDP port on which the Security Gateway listens for RADIUS Accounting messages (default = 1813, the standard RADIUS accounting port).

    Important - The All Interfaces and Internal Interfaces options take priority over Firewall Policy rules. If a Firewall rule is configured to block connections from RADIUS Accounting clients, those connections are still allowed when either of these options is selected. Select Firewall Policy if the Rule Base must control which RADIUS Accounting clients can reach the gateway.

Authorized RADIUS Clients

An Identity Awareness Gateway accepts RADIUS Accounting requests only from authorized RADIUS Accounting clients. A RADIUS Accounting client is a host with RADIUS client software installed, such as the network access server that sends the Accounting-Request messages.

To configure an authorized RADIUS client:

  1. In the Authorized RADIUS Clients section of the RADIUS Accounting window, click the + icon and select a RADIUS Accounting Client from the list.

    Click New to define a new host object for the RADIUS Accounting client. This host object is selected automatically.

    Click the - icon to remove an existing RADIUS client from the list.

  2. Click Generate to create a strong shared secret for client authentication. This single shared secret applies to all host objects in the list, so changing it means updating every RADIUS Accounting client that sends to this gateway.

    You can also enter a shared secret manually. It is not necessary to generate a new shared secret when you add or remove clients from the list. The shared secret is what lets the gateway verify that an accounting message really came from an authorized client, so treat a weak or disclosed secret as a way for anyone who can reach the accounting port to inject identity mappings.

Message Attribute Indices

RADIUS Accounting Messages contain identity, authentication and administrative information for a connection. This information is contained in predefined attributes of the RADIUS Accounting Message packet.

The Message Attribute Indices section tells Identity Awareness which attributes in RADIUS Accounting Messages carry the identity information it uses.

Select a message attribute for each index field. The default attributes are correct for many Identity Awareness deployments.

Note - Vendor-Specific (26) is the attribute type that RADIUS reserves for vendor-defined data (RFC 2865). There can be more than one Vendor-Specific attribute in a RADIUS Accounting message, each with a different value.

A sub-index value identifies each Vendor-Specific attribute in a message. This lets Identity Awareness find and use the applicable value.

To configure message attributes:

  1. Select a message attribute from the list for each index field.
  2. If you use the Vendor-Specific (26) attribute, select the applicable sub-index value.
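The following is an added example, not code from the Check Point product or this documentation. It models, in Python, what the Authorized RADIUS Clients and Message Attribute Indices settings above control on the wire: a RADIUS client builds an Accounting-Request whose Request Authenticator is bound to the shared secret (RFC 2866), and the receiving side rejects any packet that was not produced with that secret before it maps the configured attribute indices (a standard type, or Vendor-Specific (26) plus a sub-index) onto user, IP and device. The attribute types are the standard RFC 2865/2866 values; the shared secret, the user, the IP address, the vendor ID 9999 and the sub-attribute layout are constructed for the example and are not taken from any real deployment.

```python
import hashlib
import hmac
import ipaddress
import struct

# Standard RADIUS attribute types (RFC 2865 / RFC 2866).
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
VENDOR_SPECIFIC = 26
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}
ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; the length octet covers type and length."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def vsa(vendor_id, sub_attrs):
    """Build a Vendor-Specific (26) value: 4-octet Vendor-Id followed by sub-attributes."""
    return struct.pack("!I", vendor_id) + encode_attributes(sub_attrs)


def build_accounting_request(identifier, attrs, secret):
    """Build an Accounting-Request the way a RADIUS client does (RFC 2866 section 3).
    Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets + attrs + secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attributes(data):
    """Split a TLV run into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def parse_vsa(value):
    """Return (vendor_id, [(sub_type, data), ...]) for a Vendor-Specific value."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value too short")
    return struct.unpack("!I", value[:4])[0], parse_attributes(value[4:])


def verify_accounting_request(packet, secret):
    """Validate an Accounting-Request against the shared secret and return its attributes.
    A wrong secret or any modified octet changes the expected authenticator, so the packet
    is rejected instead of being turned into an identity mapping."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match packet")
    body = packet[20:length]  # octets beyond Length are padding and are ignored
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Request Authenticator: wrong shared secret or tampered packet")
    return parse_attributes(body)


def find_attr(attrs, index):
    """Resolve a configured index: a plain attribute type, or (26, sub_index) meaning the
    sub-attribute with that sub-index inside any Vendor-Specific attribute."""
    if isinstance(index, tuple):
        _, sub_index = index
        for t, v in attrs:
            if t == VENDOR_SPECIFIC:
                for sub_type, sub_value in parse_vsa(v)[1]:
                    if sub_type == sub_index:
                        return sub_value
        return None
    return next((v for t, v in attrs if t == index), None)


def extract_identity(attrs, user_index=USER_NAME, ip_index=FRAMED_IP_ADDRESS, device_index=None):
    """Map the configured indices onto user, IP, device and accounting status."""
    user = find_attr(attrs, user_index)
    ip = find_attr(attrs, ip_index)
    device = find_attr(attrs, device_index) if device_index is not None else None
    status = find_attr(attrs, ACCT_STATUS_TYPE)
    return {
        "user": user.decode("utf-8", "replace") if user else None,
        "ip": str(ipaddress.IPv4Address(ip)) if ip and len(ip) == 4 else None,
        "device": device.decode("utf-8", "replace") if device else None,
        "status": ACCT_STATUS_NAMES.get(struct.unpack("!I", status)[0])
        if status and len(status) == 4 else None,
    }


# Constructed sample (not from any real deployment): a NAS reports that "alice" started a
# session from 10.1.2.3 and carries the device name in sub-attribute 1 of a hypothetical
# vendor 9999 Vendor-Specific attribute.
SHARED_SECRET = b"constructed-example-secret"
SAMPLE_ATTRS = [
    (USER_NAME, b"alice"),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.1.2.3").packed),
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (ACCT_SESSION_ID, b"sess-0001"),
    (VENDOR_SPECIFIC, vsa(9999, [(1, b"LAPTOP-ALICE")])),
]


def demo(secret=SHARED_SECRET):
    """Client side builds the request; receiving side verifies it with `secret` and
    extracts identity using User-Name, Framed-IP-Address and VSA sub-index 1."""
    packet = build_accounting_request(7, SAMPLE_ATTRS, SHARED_SECRET)
    attrs = verify_accounting_request(packet, secret)
    return extract_identity(attrs, device_index=(VENDOR_SPECIFIC, 1))


if __name__ == "__main__":
    print(demo())
    try:
        demo(secret=b"wrong-secret")
    except ValueError as exc:
        print("rejected:", exc)
```

Running the module prints the extracted identity for the matching secret and a rejection for the wrong one. The verification step is the reason the shared secret in the Authorized RADIUS Clients section matters: the authenticator is an MD5 over the packet and the secret, not a signature, so whoever knows the secret and can reach the accounting port can produce accepted messages.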

Session Timeout and LDAP Servers

You can define the user session timeout. This parameter is the maximum time a user session stays open when the gateway receives no Accounting Start or Interim-Update message for it from the RADIUS Accounting client. To define the session timeout, enter or select a value in minutes (default = 720).
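To make the timeout semantics concrete, here is an added example in Python; it is not code from the product or this documentation, and it assumes (standard RADIUS accounting behavior) that an Accounting Stop closes the session immediately while Start and Interim-Update re-arm the inactivity timer. The event stream, IP addresses and user names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    last_update: float  # minutes on a clock supplied by the caller


class IdentitySessionTable:
    """Identity-to-IP sessions learned from RADIUS Accounting, expired by inactivity."""

    def __init__(self, timeout_minutes=720):
        self.timeout = timeout_minutes
        self.sessions = {}  # client IP -> Session

    def handle(self, status, ip, user, now):
        """Start and Interim-Update (re)arm the timeout; Stop closes the session at once
        (assumed behavior, see lead-in)."""
        if status in ("Start", "Interim-Update"):
            self.sessions[ip] = Session(user, now)
        elif status == "Stop":
            self.sessions.pop(ip, None)
        else:
            raise ValueError(f"unknown Acct-Status-Type {status!r}")

    def lookup(self, ip, now):
        """Return the user currently mapped to ip, or None if unknown or timed out."""
        session = self.sessions.get(ip)
        if session is None or now - session.last_update > self.timeout:
            return None
        return session.user

    def expire(self, now):
        """Purge sessions that have outlived the timeout; returns the IPs removed."""
        stale = [ip for ip, s in self.sessions.items() if now - s.last_update > self.timeout]
        for ip in stale:
            del self.sessions[ip]
        return stale


# Constructed event stream: (minutes since boot, Acct-Status-Type, client IP, user).
EVENTS = [
    (0, "Start", "10.1.2.3", "alice"),
    (5, "Start", "10.1.2.4", "bob"),
    (700, "Interim-Update", "10.1.2.3", "alice"),  # re-arms alice's timer
    (720, "Stop", "10.1.2.4", "bob"),               # bob logs off cleanly
]


def replay(timeout_minutes=720, checkpoints=(10, 730, 1400, 1500)):
    """Feed EVENTS into the table in time order and snapshot who is mapped to each IP
    at every checkpoint. Returns {checkpoint: (user at 10.1.2.3, user at 10.1.2.4)}."""
    table = IdentitySessionTable(timeout_minutes)
    events = iter(sorted(EVENTS))
    pending = next(events, None)
    snapshots = {}
    for now in checkpoints:
        while pending is not None and pending[0] <= now:
            ts, status, ip, user = pending
            table.handle(status, ip, user, ts)
            pending = next(events, None)
        table.expire(now)
        snapshots[now] = (table.lookup("10.1.2.3", now), table.lookup("10.1.2.4", now))
    return snapshots


if __name__ == "__main__":
    for now, mapped in replay().items():
        print(f"t={now:5d} min  10.1.2.3 -> {mapped[0]}  10.1.2.4 -> {mapped[1]}")
```

With the default 720 minutes, alice is still mapped at t=1400 only because the Interim-Update at t=700 re-armed her timer, and she drops at t=1500; bob disappears as soon as his Stop arrives. The timeout is therefore a trade-off: set it longer than the NAS's interim-update interval so that live sessions are not dropped, but remember that a lost Stop leaves an identity attached to an IP address until the timeout passes, and if DHCP hands that address to another device in the meantime, that device inherits the identity.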

You can select which LDAP account units the Security Gateway searches for user or device information when it gets a RADIUS Accounting request. LDAP account units are configured in SmartDashboard.

To define the authorized LDAP account units:

  1. Click the Settings button, located below the LDAP Account Units heading.
  2. In the LDAP Account Units window, select one of these options:
    • Any - Searches all defined LDAP account units for user or device information.
    • Specific - Searches only the specified LDAP account units for user or device information.
  3. If you selected the Specific option, click the + icon and select one or more LDAP account units. Click the - icon to remove an account unit from the list.

Configuring Remote Access

Identities are acquired for Mobile Access clients and IPSec VPN clients configured to work in Office Mode when they connect to the Security Gateway. This option is enabled by default.

To configure Remote Access:

Select Remote Access to enable it, or clear this option to disable it.

Important - If more than one Identity Awareness-enabled Security Gateway shares identities with the others and has Office Mode configured, each gateway must use a different Office Mode address range. Identities are associated with the client's IP address, so overlapping ranges would let one gateway's Office Mode client be matched to another gateway's user.