Configuring RADIUS Accounting

Configure RADIUS Accounting in the RADIUS Accounting Settings window. In the Check Point Gateway window > Identity Awareness page, click RADIUS Accounting > Settings.

Enabling RADIUS Accounting on a Security Gateway

You must enable RADIUS Accounting on Security Gateways before they can work as a RADIUS Accounting server.

To enable RADIUS Accounting for a Security Gateway:

  1. In the SmartConsole Gateways & Servers view, open the Security Gateway.
  2. On the General Properties page, make sure that Identity Awareness is enabled.
  3. On the Identity Awareness page, select RADIUS Accounting.

RADIUS Client Access Permissions

Gateway interfaces must be authorized to accept connections from RADIUS Accounting clients.

To select gateway interfaces:

  1. In the RADIUS Client Access Permissions section, click Edit.
  2. Select Security Gateway interfaces that can accept connections from RADIUS Accounting clients:
    1. All Interfaces - All Security Gateway interfaces can accept connections from RADIUS Accounting clients (default)
    2. Internal Interfaces - Only explicitly defined internal Security Gateway interfaces can accept connections from RADIUS Accounting clients
      • Including undefined internal interfaces - Also accepts connections from internal interfaces without a defined IP address
      • Including DMZ internal interfaces - Also accepts connections from clients located in the DMZ
    3. Firewall Policy - Interface connections are allowed according to the Firewall policy.
  3. Enter or select the RADIUS server port (default = 1813).

Important - The All Interfaces and Internal Interfaces options have priority over Firewall Policy rules. If a Firewall rule is configured to block connections from RADIUS Accounting clients, those connections are still allowed when one of these options is selected.

Authorized RADIUS Clients

An Identity Awareness Gateway accepts RADIUS Accounting requests only from authorized RADIUS Accounting clients. A RADIUS Accounting client is a host with RADIUS client software installed.

To configure an authorized RADIUS client:

  1. In the Authorized RADIUS Clients section of the RADIUS Accounting window, click the + icon and select a RADIUS Accounting Client from the list.

    Click New to define a new host object for the RADIUS Accounting client. This host object is selected automatically.

    Click the - icon to remove an existing RADIUS client from the list.

  2. Click Generate to create a strong, shared secret for client authentication. This shared secret applies to all host objects in this list.

    You can manually enter a shared secret. It is not necessary to generate a new shared secret when you add or remove clients from the list.

RADIUS Message Attribute Indices

RADIUS Accounting Messages contain identity, authentication and administrative information for a connection. This information is contained in predefined attributes of the RADIUS Accounting Message packet.

The Message Attributes Indices section tells Identity Awareness which attributes in RADIUS Accounting Messages contain the identity information it uses:

Select a message attribute for each of these values. The default attributes are correct for many Identity Awareness deployments.

Note - Vendor-Specific (26) is a user-defined attribute. There can be more than one Vendor-Specific attribute in a RADIUS Accounting message, each with a different value.

A sub-index value is assigned to each Vendor-Specific attribute in a message. This lets Identity Awareness find and use the applicable value.

To configure message attributes:

  1. Select a message attribute from the list for each index field.
  2. If you use the Vendor-Specific (26) attribute, select the applicable sub-index value.

Session Timeout and LDAP Servers

You can define the user session timeout. This parameter is the maximum time that a user session stays open without receiving an Accounting Start or Interim-Update message from the RADIUS Accounting client. To define the session timeout, enter or select a value in minutes (default = 720).

You can select which LDAP Account Units the Security Gateway searches for user or device information when it gets a RADIUS Accounting request. LDAP Account Units are configured in SmartConsole.

To define the authorized LDAP Account Units:

  1. Click the Settings button, located below the LDAP Account Units heading.
  2. In the LDAP Account Units window, select one of these options:
    • Any - Searches all defined LDAP Account Units for user or device information.
    • Specific - Searches only the specified LDAP Account Units for user or device information.
      • Click + to add an authorized LDAP Account Unit.
      • Click - to remove an authorized LDAP Account Unit.
  3. If you selected the Specific option, click the green [+] icon and then select one or more LDAP Account Units.

RADIUS Secondary IP and Dual Stack Support

The RADIUS server can send one message with two IP addresses, rather than a message for each address.

With this feature, the Security Gateway reads both IP addresses from the RADIUS message and creates two separate sessions, one for each IP.

To configure secondary IP or dual stack:

  1. Access the Security Gateway with an SSH connection or console.
  2. Log in to Expert mode.
  3. Run:

    pdp radius ip set <attribute index>

    Where <attribute index> is the RADIUS index with the secondary IP address value (this is similar to the User IP index that you can set in SmartConsole).

    Note - If the secondary IP index is 26 (Vendor-Specific), you must add the vendor-specific attribute index of the message that contains the secondary IP:

    pdp radius ip set <attribute index> -a <vendor specific attribute index>

    You can also set the server to handle RADIUS messages from a specified Vendor code:

    pdp radius ip set <attribute index> -a <vendor specific attribute index> -c <vendor code>

    This is a sample command to configure a Cisco-AVPair:

    pdp radius ip set 26 -a 1 -c 9
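To make the index, sub-index and vendor code in the commands above concrete, here is an added example (not Check Point code) that walks the attribute list of a constructed RADIUS Accounting-Request and selects a value the way `pdp radius ip set 26 -a 1 -c 9` addresses it: attribute 26, vendor-specific sub-index 1, vendor code 9 (Cisco). The sample bytes, the vendor 311 (Microsoft) attribute and the AVPair value are constructed for illustration.

```python
import struct

# Constructed sample (not a capture): the attribute list of a RADIUS Accounting-Request.
# Each attribute is Type(1) Length(1) Value; attribute 26 (Vendor-Specific) carries a
# 4-byte Vendor-Id followed by Vendor-Type(1) Vendor-Length(1) Value sub-attributes.
def avp(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value

def vsa(vendor_id, sub_type, value):
    return avp(26, struct.pack("!I", vendor_id) + bytes([sub_type, 2 + len(value)]) + value)

SAMPLE = (
    avp(1, b"alice")                    # 1 = User-Name
    + avp(8, bytes([10, 1, 2, 3]))      # 8 = Framed-IP-Address (the usual User IP index)
    + vsa(311, 1, b"ms-attr")           # vendor 311 (Microsoft), sub-index 1: another vendor's VSA
    + vsa(9, 1, b"addr=10.99.0.7;")     # vendor 9 (Cisco), sub-index 1: Cisco-AVPair, constructed value
)

def parse_attributes(data):
    """Walk the TLV list into (type, vendor_id, sub_type, value); bad lengths raise."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + length]
        if attr_type == 26 and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]   # Vendor-Id (IANA enterprise number)
            sub = value[4:]
            while len(sub) >= 2:                              # one or more vendor sub-attributes
                sub_type, sub_len = sub[0], sub[1]
                if sub_len < 2 or sub_len > len(sub):
                    raise ValueError("malformed vendor sub-attribute in VSA")
                out.append((26, vendor_id, sub_type, sub[2:sub_len]))
                sub = sub[sub_len:]
        else:
            out.append((attr_type, None, None, value))        # vendor fields None for plain attributes
        pos += length
    return out

def lookup(attrs, index, sub_index=None, vendor_code=None):
    """Pick the value 'pdp radius ip set <index> [-a <sub-index>] [-c <vendor code>]' addresses:
    first attribute of that index; for 26 the sub-index (and vendor code, if given) must match."""
    for attr_type, vendor_id, sub_type, value in attrs:
        if attr_type != index:
            continue
        if index == 26 and (sub_type != sub_index or (vendor_code is not None and vendor_id != vendor_code)):
            continue
        return value
    return None
```

Without `-c`, the first sub-index 1 value from any vendor wins (here the Microsoft one), which is why the vendor code matters when several vendors' attributes appear in one message.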

RADIUS Attribute Parsing

This feature parses string or text data in RADIUS message attributes. The parser finds the string between a predefined prefix and suffix.

For example, if the message is in the form of ###data@@@, you can set the parser with the prefix # and suffix @ to find data.

To configure RADIUS Attribute parsing:

Run: pdp radius parser set <attribute index> [-p <prefix>] [-s <suffix>]

Where <attribute index> is the RADIUS index with the value that requires parsing.

<prefix> and <suffix> are the parsing options.

If the message is <text1><prefix><text2><suffix><text3>, the parser returns <text2>.

Example:

message is: username=test;
prefix is: username=
suffix is: ; (semi-colon)
parsed text is: test

You can specify only a prefix or only a suffix. If you specify just one, the parser removes only the part you specified.

Note - If the attribute index is 26 (vendor-specific), you must add the vendor-specific attribute index:
pdp radius parser set <attribute index> -a <vendor specific attribute index> -p <prefix> -s <suffix>

You can also set the server to handle RADIUS messages from a specified vendor code:
pdp radius parser set <attribute index> -a <vendor specific attribute index> -c <vendor code> -p <prefix> -s <suffix>

Receiving Groups from RADIUS Messages

With this feature, you can read the user or computer groups from the RADIUS message and calculate Access Roles accordingly.

To configure group fetching from RADIUS messages, run the pdp radius groups set command shown below.

Where <attribute index> is the RADIUS index with the groups value, -u sets user groups, -m sets computer groups, and <delimiter> is the delimiter used to split multiple groups in one message.

For example, if you want to fetch user groups, and the message is "group1;group2;group3", then set the delimiter to ";" using this command:

pdp radius groups set -u <attribute index> -d ";"

Note - If the attribute index is 26 (vendor-specific), you must add the vendor-specific attribute index:

pdp radius groups set -u <attribute index> -a <vendor specific attribute index> -d <delimiter>

You can also set the server to handle RADIUS messages from a specific vendor code:

pdp radius groups set -u <attribute index> -a <vendor specific attribute index> -c <vendor code> -d <delimiter>

When receiving groups from RADIUS messages is enabled, the Identity Awareness Gateway does not fetch groups from other servers for RADIUS accounting users or computers.
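The prefix/suffix extraction from the RADIUS Attribute Parsing section and the delimiter split from this section, as an added example (not Check Point's parser) that shows the edge cases the text mentions: only one delimiter given, and a delimiter that is absent. The exact matching rule is an assumption chosen so that both page examples ("###data@@@" with "#"/"@" giving "data", and "username=test;" giving "test") hold: the suffix is the first occurrence and the prefix the last occurrence before it.

```python
def parse_between(value, prefix=None, suffix=None):
    """Extract the text between prefix and suffix as 'pdp radius parser set' describes.
    Assumed rule: first suffix occurrence, then the last prefix occurrence before it.
    With only one delimiter, only that side is trimmed. None if a given delimiter is absent."""
    end = len(value)
    if suffix:
        end = value.find(suffix)
        if end < 0:
            return None
    start = 0
    if prefix:
        i = value.rfind(prefix, 0, end)   # prefix must lie before the suffix
        if i < 0:
            return None
        start = i + len(prefix)
    return value[start:end]

def split_groups(value, delimiter):
    """Split one attribute value such as 'group1;group2;group3' by the delimiter,
    as 'pdp radius groups set -u <index> -d <delimiter>' does; blanks are dropped."""
    return [g.strip() for g in value.split(delimiter) if g.strip()]
```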