Configuring RADIUS Accounting
For the overview, see RADIUS Accounting.
Configure RADIUS Accounting in the RADIUS Accounting Settings window. In the Check Point Gateway window > Identity Awareness page, click RADIUS Accounting > Settings.
You must enable RADIUS Accounting on a Security Gateway before it can work as a RADIUS Accounting server:
- In the SmartConsole Gateways & Servers view, open the Security Gateway.
- On the General Properties page, make sure that Identity Awareness is enabled.
- On the Identity Awareness page, select RADIUS Accounting.
Gateway interfaces must be authorized to accept connections from RADIUS Accounting clients:
- In the RADIUS Client Access Permissions section, click Edit.
- Select the Security Gateway interfaces that can accept connections from RADIUS Accounting clients:
  - All Interfaces - All Security Gateway interfaces can accept connections from RADIUS Accounting clients (default).
  - Internal Interfaces - Only explicitly defined internal Security Gateway interfaces can accept connections from RADIUS Accounting clients.
    - Including undefined internal interfaces - Also accepts connections from internal interfaces without a defined IP address.
    - Including DMZ internal interfaces - Also accepts connections from clients located in the DMZ.
  - Firewall Policy - The Firewall Policy rules control which interfaces accept connections from RADIUS Accounting clients.
- Enter or select the RADIUS server port (default = 1813).
Important - The All Interfaces and Internal Interfaces options have priority over Firewall Policy rules. If a Firewall rule is configured to block connections from RADIUS Accounting clients, the connections are still allowed when one of these options is selected. Because these two options bypass the Rule Base, use the Authorized RADIUS Clients list and the shared secret (below) to limit which hosts can send accounting messages, and prefer Internal Interfaces over All Interfaces when all clients are internal.
An Identity Awareness Gateway accepts RADIUS Accounting requests only from authorized RADIUS Accounting clients. A RADIUS Accounting client is a host with RADIUS client software installed:
- In the Authorized RADIUS Clients section of the RADIUS Accounting window, click the [+] icon and select a RADIUS Accounting client from the list.
  Click New to create a new host object for the RADIUS Accounting client. The new host object is selected automatically.
  Click the [-] icon to remove a RADIUS client from the list.
- Click Generate to create a strong shared secret for client authentication. The shared secret applies to all host objects in this list, so keep the list limited to the hosts that actually send accounting messages.
  You can also enter a shared secret manually. It is not necessary to generate a new shared secret when you add or remove clients from the list.
RADIUS Accounting messages contain identity, authentication and administrative information for a connection. This information is carried in predefined attributes of the RADIUS Accounting message packet.
The Message Attribute Indices section tells Identity Awareness which attributes in RADIUS Accounting messages contain the identity information it uses:
- Device name - RADIUS device-name attribute.
- User name - RADIUS user-name attribute.
- IP Address - RADIUS IP address attribute.
Select a message attribute for each of these values. The default attributes are correct for many Identity Awareness configurations.
Note - Vendor-Specific (26) is a standard attribute whose contents are defined by the equipment vendor. There can be more than one Vendor-Specific attribute in a RADIUS Accounting message, each with a different value.
A sub-index value is assigned to each Vendor-Specific attribute in a message. This lets Identity Awareness find and use the applicable value.
To configure message attributes:
- Select a message attribute from the list for each index field.
- If you use the Vendor-Specific (26) attribute, select the applicable sub-index value.
You can configure a user session timeout. This is the maximum time that a user session stays open without receiving an Accounting Start or Interim-Update message from the RADIUS Accounting client. To set the session timeout, enter or select a value in minutes (default = 720).
You can select which LDAP Account Units the Security Gateway searches for user or device information when it gets a RADIUS Accounting request. LDAP Account Units are configured in SmartConsole.
To configure the authorized LDAP Account Units:
- Click the Settings button, located below the LDAP Account Units heading.
- In the LDAP Account Units window, select one of these options:
  - Any - Searches all defined LDAP Account Units for user or device information.
  - Specific - Searches only the specified LDAP Account Units for user or device information.
    - Click [+] to add an authorized LDAP Account Unit.
    - Click [-] to remove an authorized LDAP Account Unit.
- If you selected the Specific option, click the green [+] icon and then select one or more LDAP Account Units.
A single RADIUS Accounting message can carry two IP addresses (for example, a secondary IPv4 address, or an IPv4 and an IPv6 address for a dual-stack host) instead of one message for each address.
With this feature, Identity Awareness reads both IP addresses from the RADIUS message and creates two sessions, one for each IP address.
To configure a secondary IP or dual stack:
- Connect to the command line on the Security Gateway (over SSH or the console).
- Log in to Expert mode.
- Run:
  pdp radius ip set <attribute index>
  Where <attribute index> is the RADIUS attribute index that carries the secondary IP address value (this is similar to the User IP index that you set in SmartConsole).
Note
- If the secondary IP index is 26 (Vendor-Specific), you must also give the vendor-specific sub-attribute index of the message that contains the secondary IP:
  pdp radius ip set <attribute index> -a <vendor specific attribute index>
- You can restrict the server to handle RADIUS messages from a specified vendor code:
  pdp radius ip set <attribute index> -a <vendor specific attribute index> -c <vendor code>
  This is a sample command for a Cisco-AVPair (vendor code 9, vendor-specific attribute 1):
  pdp radius ip set 26 -a 1 -c 9
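The following block is an added example, not Check Point code, that shows concretely what the Message Attribute Indices, the Vendor-Specific sub-index and the Cisco-AVPair command above refer to. It builds a RADIUS Accounting-Request (RFC 2866) carrying User-Name (1), Framed-IP-Address (8), Acct-Status-Type (40) and a Vendor-Specific (26) attribute with Cisco's vendor code 9 and sub-attribute 1, verifies the Request Authenticator with the shared secret, and then selects the user, IP and device values by attribute index in the way the settings window describes. The shared secret, user, address and device string are constructed for the example; the attribute numbers are the standard ones from RFC 2865 and RFC 2866, and the gateway's own internal handling is not reproduced here.

```python
# Added example, not Check Point code: a RADIUS Accounting-Request (RFC 2866)
# built, authenticated with the shared secret, and read by attribute index.
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCOUNTING_REQUEST = 4                       # packet code
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, ACCT_STATUS_TYPE = 1, 8, 26, 40
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1         # "-c 9 -a 1" in the pdp example above


def attr(attr_type, value):
    """One attribute: Type(1) Length(1) Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id(4) followed by vendor Type(1) Length(1) Value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_accounting_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """Without the shared secret a sender cannot forge a valid authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """List of ((type, vendor_id, vendor_type), value); vendor fields are None
    for standard attributes, and repeated attributes are all kept."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        t, length = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + length]
        if t == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, sub = struct.unpack("!I", value[:4])[0], value[4:]
            while len(sub) >= 2:             # one VSA may carry several sub-attributes
                vt, vl = sub[0], sub[1]
                if vl < 2 or vl > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                out.append(((VENDOR_SPECIFIC, vendor_id, vt), sub[2:vl]))
                sub = sub[vl:]
        else:
            out.append(((t, None, None), value))
        pos += length
    return out


def extract_identity(packet, secret,
                     user_index=(USER_NAME, None, None),
                     ip_index=(FRAMED_IP_ADDRESS, None, None),
                     device_index=(VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR)):
    """Mirror the Message Attribute Indices lookup: reject the packet unless the
    authenticator verifies, then read each identity field from its configured index."""
    if not verify_accounting_request(packet, secret):
        return None
    attrs = parse_attributes(packet)

    def first(key):
        return next((v for k, v in attrs if k == key), None)

    status, user, ip, device = (first(k) for k in
                                ((ACCT_STATUS_TYPE, None, None), user_index, ip_index, device_index))
    return {
        "status": struct.unpack("!I", status)[0] if status and len(status) == 4 else None,
        "user": user.decode("utf-8", "replace") if user else None,
        "ip": str(IPv4Address(ip)) if ip and len(ip) == 4 else None,
        "device": device.decode("utf-8", "replace") if device else None,
    }


# Constructed sample: an Accounting Start for a hypothetical user and device.
SECRET = b"example-shared-secret"           # hypothetical; generated in the UI in practice
SAMPLE = build_accounting_request(17, [
    attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
    attr(USER_NAME, b"jdoe"),
    attr(FRAMED_IP_ADDRESS, IPv4Address("10.1.2.3").packed),
    vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"device-name=laptop-042"),
], SECRET)

if __name__ == "__main__":
    print(extract_identity(SAMPLE, SECRET))            # identity dict
    print(extract_identity(SAMPLE, b"wrong-secret"))   # None: not an authorized client
```

The authenticator check runs before any attribute is read: a packet from a host that does not hold the shared secret, or a packet altered in transit, yields None. That is the property the Authorized RADIUS Clients list and its shared secret rest on, and it is why the Important note above matters: when the interface options bypass the Rule Base, the secret is what stops an arbitrary host from injecting identities. The lookup keys (type, vendor code, sub-attribute) mirror the index and sub-index fields in the settings window only in shape.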
This feature parses string or text data in RADIUS messages. The parser finds the string between a predefined prefix and suffix.
For example, if the message is ###data~~@, set the prefix to ### and the suffix to ~~@ to extract data.
To configure RADIUS attribute parsing:
Run:
Where <attribute index> is the RADIUS index with the value that needs parsing.
<prefix> and <suffix> are the parsing options.
If the message is <text1><prefix><text2><suffix><text3>, the parser returns <text2>.
Example:
message is: username=test;
prefix is: username=
suffix is: ; (semi-colon)
parsed text is: test
You can specify only a prefix or only a suffix. The parser then removes only the part you specified: with only a prefix it returns the text after the prefix, and with only a suffix the text before the suffix.
With this feature, the Identity Awareness Gateway reads the user or computer groups from the RADIUS message and calculates Access Roles accordingly.
To configure group fetching from RADIUS messages:
- Run:
  pdp radius group set -u <attribute index> -d <delimiter>
- Run:
  pdp radius group fetch on
Where <attribute index> is the RADIUS index with the groups value, -u sets user groups and -m sets computer groups, and <delimiter> is the delimiter used to split multiple groups in one message.
For example, to fetch user groups from a message that contains "group1;group2;group3", set the delimiter to ";" with this command:
pdp radius group set -u <attribute index> -d ";"
Note - When receiving groups from RADIUS messages is enabled, the Identity Awareness Gateway does not fetch groups from other servers for RADIUS Accounting users or computers. Access Roles are then calculated from group names supplied by the RADIUS client, so the authorized client list and shared secret are what protect those assignments.
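The following block is an added example, not the pdp implementation, of the two parsing behaviours described in the attribute-parsing and group-fetching sections above: extracting <text2> from between a prefix and a suffix (including the only-prefix and only-suffix cases), and splitting a group list on a delimiter. The attribute values and the user-groups= prefix are constructed for the example; how the gateway's own parser resolves repeated prefix characters is not shown on this page, so the "#"/"@" case below illustrates only this implementation.

```python
# Added example (not the pdp implementation): prefix/suffix extraction and
# delimiter-split group parsing for RADIUS attribute values held as strings.


def parse_between(value, prefix=None, suffix=None):
    """Return <text2> from <text1><prefix><text2><suffix><text3>.
    Only a prefix: the text after it.  Only a suffix: the text before it.
    Neither: the value unchanged.  A configured delimiter that is absent: None."""
    start = 0
    if prefix:
        i = value.find(prefix)              # first occurrence of the prefix
        if i < 0:
            return None
        start = i + len(prefix)
    end = len(value)
    if suffix:
        j = value.find(suffix, start)       # first suffix after the prefix
        if j < 0:
            return None
        end = j
    return value[start:end]


def split_groups(value, delimiter):
    """Split 'group1;group2;group3' into a list, dropping empty items."""
    return [g.strip() for g in value.split(delimiter) if g.strip()]


def groups_from_attribute(value, delimiter, prefix=None, suffix=None):
    """Combine both steps: isolate the group list inside a larger attribute
    value (for example a constructed AVPair 'user-groups=a;b;c') and split it."""
    inner = parse_between(value, prefix, suffix)
    return split_groups(inner, delimiter) if inner is not None else []


if __name__ == "__main__":
    print(parse_between("username=test;", "username=", ";"))   # test
    print(parse_between("###data~~@", "###", "~~@"))           # data
    print(parse_between("###data~~@", "#", "@"))               # ##data~~ (partial delimiters leave residue)
    print(groups_from_attribute("user-groups=group1;group2;group3", ";", "user-groups="))
```

The third call shows why the prefix and suffix must cover the whole decoration around the wanted text: with a single "#" and "@" the result still contains the remaining "#" and "~" characters, which would then be treated as part of the identity or group name.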