Configuring RADIUS or TACACS/TACACS+

These are the options to enable connectivity between Virtual Systems and a RADIUS or TACACS/TACACS+ server:

- Shared configuration: All authentication servers are accessible by all Virtual Systems through the VSX Gateway. This is the default option.
- Private configuration: Authentication servers are accessed directly by the Virtual System and use the Virtual System cluster IP address as the source address.

For Multi-Domain Server configurations, make sure that you configure the SecurID or Remote Authentication settings of the Domain Management Server that manages the Virtual Systems.
Configuring Shared Authentication

Configure shared authentication so that all the Virtual Systems on the VSX Gateway authenticate to the remote RADIUS or TACACS/TACACS+ server.

To configure shared authentication for RADIUS or TACACS/TACACS+:

1. Configure shared authentication on the Virtual Systems.
   a. Connect with SmartConsole to the Management Server.
   b. From the Gateways & Servers view or Object Explorer, double-click the Virtual System.
      The Virtual System's General Properties window opens.
   c. From the navigation tree, select Other > Authentication.
   d. Make sure that RADIUS or TACACS and Shared are selected.
   e. Click OK.
      Do all of the previous steps for each Virtual System.
   f. Install the policy on the Virtual Systems.
2. For cluster configurations, on the Management Server of the VSX Cluster, make sure that Hide NAT is disabled.
   On a Multi-Domain Server, work in the context of the Target Domain Management Server that manages the Virtual System.
   a. Open the applicable table.def file. See sk98339.
   b. Make sure that the no_hide_services_ports parameter contains the UDP ports for RADIUS or TACACS, or the TCP ports for TACACS+. The default ports are:
      - RADIUS - 1645
      - TACACS/TACACS+ - 49
      Sample RADIUS parameter with Hide NAT disabled:
      no_hide_services_ports = { <49, 6>, <49, 17>, <500, 17>, <259, 17>, <1701, 17>, <123, 17>, <1645, 17> };
   c. Save the changes in the file and exit the editor.
3. In SmartConsole, install the Access Control Policy on the Virtual Systems.
Configuring Private Authentication

For private configurations, the active and standby Virtual Systems use the same encryption key to authenticate to the remote RADIUS or TACACS/TACACS+ server.

For High Availability configurations, make sure that the Active and Standby Virtual Systems on each VSX Cluster Member use the same VIP address.

To configure private authentication:

1. Configure private authentication on the VSX Gateway and the Virtual Systems.
   a. Connect with SmartConsole to the Management Server.
   b. From the left navigation panel, click Gateways & Servers.
   c. Double-click the VSX Gateway object.
      The General Properties view opens.
   d. From the navigation tree, select Other > Legacy Authentication.
   e. Make sure that RADIUS or TACACS is selected.
   f. Click OK.
      Do all of the previous steps for each Virtual System.
   g. In SmartConsole, install the Access Control Policy on the Virtual Systems.
2. For VSX Cluster configurations:
   On the Management Server, make sure that Hide NAT is enabled.
   For Multi-Domain Server, use the Domain Management Server that manages the Virtual System.
   a. Edit the applicable table.def file (see sk98339) in a plain-text editor.
   b. Make sure that the no_hide_services_ports parameter DOES NOT contain the UDP ports for RADIUS or TACACS, or the TCP ports for TACACS+. The default ports are:
      - RADIUS - 1645
      - TACACS/TACACS+ - 49
      Sample parameter with Hide NAT enabled:
      no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17> };
   c. Save the changes in the file and exit the editor.
3. In SmartConsole, install the Access Control Policy on the Virtual Systems.
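Both the shared and the private procedures come down to whether the RADIUS/TACACS ports appear in no_hide_services_ports, so the following is an added check (not part of the Check Point documentation or product) that parses that line from table.def and reports which port/protocol pairs contradict the chosen mode. It assumes the default ports listed above and the IANA protocol numbers 6 (TCP) and 17 (UDP) that the <port, proto> pairs use; the two sample lines are the ones shown in the procedures.

```python
import re

# IANA protocol numbers as they appear in the <port, proto> pairs of table.def.
TCP, UDP = 6, 17

# Default ports from the procedures above: RADIUS is UDP 1645,
# TACACS is UDP 49, TACACS+ is TCP 49.
AUTH_PORTS = {
    "RADIUS": {(1645, UDP)},
    "TACACS": {(49, UDP)},
    "TACACS+": {(49, TCP)},
}

# Sample lines copied from the two procedures (shared = Hide NAT disabled,
# private = Hide NAT enabled); constructed here as test input.
SHARED_LINE = ("no_hide_services_ports = { <49, 6>, <49, 17>, <500, 17>, "
               "<259, 17>, <1701, 17>, <123, 17>, <1645, 17> };")
PRIVATE_LINE = "no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17> };"

_PAIR = re.compile(r"<\s*(\d+)\s*,\s*(\d+)\s*>")


def parse_no_hide_services_ports(text):
    """Return the set of (port, proto) pairs listed in no_hide_services_ports."""
    m = re.search(r"no_hide_services_ports\s*=\s*\{(.*?)\}", text, re.S)
    if m is None:
        raise ValueError("no_hide_services_ports parameter not found")
    return {(int(port), int(proto)) for port, proto in _PAIR.findall(m.group(1))}


def check_auth_ports(text, mode, services=("RADIUS", "TACACS", "TACACS+")):
    """Compare the parsed pairs with what the chosen mode requires.

    "shared":  every service port must be listed (excluded from Hide NAT).
    "private": none may be listed (traffic is hidden behind the cluster VIP).
    Returns {service: [offending (port, proto) pairs]}; an empty dict means OK.
    """
    if mode not in ("shared", "private"):
        raise ValueError("mode must be 'shared' or 'private'")
    present = parse_no_hide_services_ports(text)
    problems = {}
    for svc in services:
        wanted = AUTH_PORTS[svc]
        bad = wanted - present if mode == "shared" else wanted & present
        if bad:
            problems[svc] = sorted(bad)
    return problems
```

Pass only the services actually in use via the services argument; a non-empty result names the pairs to add (shared) or remove (private) before saving table.def and installing policy.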