Configure RADIUS Accounting in the RADIUS Accounting Settings window. In the Check Point Gateway window > Identity Awareness page, click RADIUS Accounting > Settings.
You must enable RADIUS Accounting on Security Gateways before they can work as a RADIUS Accounting server.
To enable RADIUS Accounting for a Security Gateway:
Gateway interfaces must be authorized to accept connections from RADIUS Accounting clients.
To select gateway interfaces:
Important - The All Interfaces and Internal Interface options have priority over Firewall Policy rules. If a Firewall rule is configured to block connections from RADIUS Accounting clients, those connections are still allowed when one of these options is selected.
An Identity Awareness Gateway accepts RADIUS Accounting requests only from authorized RADIUS Accounting clients. A RADIUS Accounting client is a host with RADIUS client software installed.
To configure an authorized RADIUS client:
Click New to define a new host object for the RADIUS Accounting client. This host object is selected automatically.
Click the - icon to remove an existing RADIUS client from the list.
You can manually enter a shared secret. It is not necessary to generate a new shared secret when you add or remove clients from the list.
RADIUS Accounting Messages contain identity, authentication and administrative information for a connection. This information is contained in predefined attributes of the RADIUS Accounting Message packet.
The Message Attributes Indices section tells Identity Awareness which attributes in RADIUS Accounting Messages contain the identity information it uses:
Select a message attribute for each of these values. The default attributes are correct for many Identity Awareness deployments.
Note - Vendor-Specific (26) is a user-defined attribute. There can be more than one Vendor-Specific attribute in a RADIUS Accounting message, each with a different value.
A sub-index value is assigned to each Vendor-Specific attribute in a message. This lets Identity Awareness find and use the applicable value.
To configure message attributes:
You can define the user session timeout. This parameter is the maximum time that a user session stays open without receiving an Accounting Start or Interim-Update message from the RADIUS Accounting client. To define the session timeout, enter or select a value in minutes (default = 720).
You can select which LDAP Account Units the Security Gateway searches for user or device information when it gets a RADIUS Accounting request. LDAP Account Units are configured in SmartConsole.
To define the authorized LDAP Account Units:
A RADIUS Accounting message can carry two IP addresses for one user (for example, an IPv4 and an IPv6 address for a dual-stack host), rather than one message for each address.
With this feature, Identity Awareness reads both IP addresses from the RADIUS message and creates two sessions, one for each IP address.
To configure secondary IP or dual stack:
pdp radius ip set <attribute index>
Where <attribute index> is the RADIUS index with the secondary IP address value (this is similar to the User IP index that you can set in SmartConsole).
Note - If the secondary IP index is 26 (Vendor-Specific), you must add the vendor-specific attribute index of the message that contains the secondary IP:
pdp radius ip set <attribute index> -a <vendor specific attribute index>
You can also set the server to handle RADIUS messages from a specified vendor code only:
pdp radius ip set <attribute index> -a <vendor specific attribute index> -c <vendor code>
This is a sample command to read the secondary IP address from a Cisco-AVPair (Vendor-Specific attribute 26, vendor-specific attribute index 1, Cisco vendor code 9):
pdp radius ip set 26 -a 1 -c 9
This feature allows parsing string or text data in RADIUS messages. The parser finds a string between a predefined prefix and suffix.
For example, if the message is in the form of ###data@@@, you can set the parser with the prefix # and suffix @ to find data.
To configure RADIUS Attribute parsing:
Run: pdp radius parser set <attribute index> [-p <prefix>] [-s <suffix>]
Where <attribute index> is the RADIUS index of the value that requires parsing.
<prefix> and <suffix> are the parsing options.
If the message is <text1><prefix><text2><suffix><text3>, the parser returns <text2>.
Example:
message is: username=test;
prefix is: username=
suffix is: ; (semi-colon)
parsed text is: test
You can specify a prefix, a suffix, or both. If you specify only one, the parser trims only that side of the value: with only a prefix, it returns everything after the prefix; with only a suffix, it returns everything before the suffix.
Note - If the attribute index is 26 (vendor-specific), you must add the vendor-specific attribute index:
pdp radius parser set <attribute index> -a <vendor specific attribute index> -p <prefix> -s <suffix>
You can also set the server to handle RADIUS messages from a specified vendor code only:
pdp radius parser set <attribute index> -a <vendor specific attribute index> -c <vendor code> -p <prefix> -s <suffix>
With this feature, you can read the user or computer groups from the RADIUS message and calculate Access Roles accordingly.
To configure group fetching from RADIUS messages:
pdp radius groups set -u <attribute index> -d <delimiter>
Where <attribute index> is the RADIUS index with the groups value, -u selects user groups (use -m instead to select computer groups), and <delimiter> is the delimiter used to split multiple groups in one message.
For example, if you want to fetch user groups, and the message is "group1;group2;group3", then set the delimiter to ";" using this command:
pdp radius groups set -u <attribute index> -d ";"
Note - If the attribute index is 26 (vendor-specific), you must add the vendor-specific attribute index:
pdp radius groups set -u <attribute index> -a <vendor specific attribute index> -d <delimiter>
You can also set the server to handle RADIUS messages from a specific vendor code only:
pdp radius groups set -u <attribute index> -a <vendor specific attribute index> -c <vendor code> -d <delimiter>
When receiving groups from RADIUS messages is enabled, the Identity Awareness Gateway does not fetch groups from other servers for RADIUS accounting users or computers.
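The following Python script is an added example and is not Check Point code. It models the three attribute-handling mechanisms this page configures with the pdp radius commands: locating an attribute by index, including a Vendor-Specific (26) attribute selected by vendor code and vendor-specific attribute index (Cisco-AVPair is vendor code 9, index 1, as in the pdp radius ip set 26 -a 1 -c 9 example); prefix/suffix parsing (<text1><prefix><text2><suffix><text3> returns <text2>); and splitting a groups attribute on a delimiter. The attribute list is constructed for the example, not captured from a real client. Two points are assumptions rather than documented behaviour: that the -a value is the vendor sub-attribute type inside attribute 26, and that a requested prefix or suffix that is absent from the value yields no result (None). The secondary IP address is taken from Framed-IPv6-Address (attribute 168, RFC 6911) to illustrate the dual-stack case.

```python
"""Added example, not Check Point's code: how RADIUS Accounting attributes
are located and parsed for Identity Awareness. Packet contents are constructed."""
import ipaddress
import struct
from typing import List, Optional, Tuple

USER_NAME = 1
FRAMED_IP_ADDRESS = 8
CLASS = 25
VENDOR_SPECIFIC = 26
FRAMED_IPV6_ADDRESS = 168   # RFC 6911
CISCO = 9                   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # Cisco vendor-specific attribute index (assumed = -a)

Attr = Tuple[int, bytes]


def encode_attrs(avps: List[Attr]) -> bytes:
    """Encode (type, value) pairs as RADIUS attribute TLVs (RFC 2865)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)


def encode_vsa(vendor_id: int, sub_type: int, value: bytes) -> bytes:
    """Payload of a Vendor-Specific (26) attribute: 4-byte vendor ID + nested TLV."""
    return struct.pack("!I", vendor_id) + encode_attrs([(sub_type, value)])


def decode_attrs(data: bytes) -> List[Attr]:
    """Walk a TLV list; reject length fields that would read past the buffer."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def get_attribute(attrs: List[Attr], index: int, vsa_index: Optional[int] = None,
                  vendor_code: Optional[int] = None) -> Optional[bytes]:
    """First value of attribute <index>. For 26, <vsa_index> (the -a option)
    selects the vendor sub-attribute and <vendor_code> (-c) restricts the vendor."""
    for t, v in attrs:
        if t != index:
            continue
        if index != VENDOR_SPECIFIC:
            return v
        if vsa_index is None or len(v) < 6:
            continue
        vendor = struct.unpack("!I", v[:4])[0]
        if vendor_code is not None and vendor != vendor_code:
            continue
        for sub_t, sub_v in decode_attrs(v[4:]):
            if sub_t == vsa_index:
                return sub_v
    return None


def parse_value(text: str, prefix: str = "", suffix: str = "") -> Optional[str]:
    """<text1><prefix><text2><suffix><text3> -> <text2>. Prefix only: text after
    it; suffix only: text before it. Missing delimiter -> None (assumption)."""
    if prefix:
        pos = text.find(prefix)
        if pos < 0:
            return None
        text = text[pos + len(prefix):]
    if suffix:
        pos = text.find(suffix)
        if pos < 0:
            return None
        text = text[:pos]
    return text


def fetch_groups(text: str, delimiter: str) -> List[str]:
    """Split "group1;group2;group3" on <delimiter>, dropping empty entries."""
    return [g for g in (p.strip() for p in text.split(delimiter)) if g]


# Constructed Accounting-Request attribute list (not a capture). The vendor 311
# VSA uses the same sub-attribute index as Cisco-AVPair to show why -c matters.
SAMPLE_ATTRS = encode_attrs([
    (USER_NAME, b"CORP\\alice"),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.1.2.3").packed),
    (FRAMED_IPV6_ADDRESS, ipaddress.IPv6Address("2001:db8::1").packed),
    (VENDOR_SPECIFIC, encode_vsa(311, 1, b"not-for-us")),
    (VENDOR_SPECIFIC, encode_vsa(CISCO, CISCO_AVPAIR, b"username=alice;")),
    (CLASS, b"Finance;VPN-Users;;Admins"),
])


def extract_identity(raw: bytes) -> dict:
    """Apply the page's mechanisms: VSA lookup + parser, dual-stack IPs, groups."""
    attrs = decode_attrs(raw)
    # pdp radius parser set 26 -a 1 -c 9 -p "username=" -s ";"
    avpair = get_attribute(attrs, VENDOR_SPECIFIC, CISCO_AVPAIR, CISCO)
    user = parse_value(avpair.decode(), prefix="username=", suffix=";")
    # User IP index 8 in SmartConsole plus: pdp radius ip set 168
    ip4 = str(ipaddress.IPv4Address(get_attribute(attrs, FRAMED_IP_ADDRESS)))
    ip6 = str(ipaddress.IPv6Address(get_attribute(attrs, FRAMED_IPV6_ADDRESS)))
    # pdp radius groups set -u 25 -d ";"
    groups = fetch_groups(get_attribute(attrs, CLASS).decode(), ";")
    return {"user": user, "ips": [ip4, ip6], "groups": groups}


if __name__ == "__main__":
    print(extract_identity(SAMPLE_ATTRS))
```

Running the script prints one identity with user alice, two IP addresses (one session each) and three groups. Note the vendor-code filter: without vendor_code the lookup of attribute 26 sub-attribute 1 returns the vendor 311 decoy, which is why the -c option is worth setting whenever more than one vendor can appear in a message.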