Creating a User Account with RADIUS Server Authentication
Remote Authentication Dial-In User Service (RADIUS) is an external authentication method that provides security and scalability by separating the authentication function from the access server.
With RADIUS, the Security Gateway lets you control access privileges for authenticated RADIUS users, based on the administrator's assignment of users to RADIUS groups. These groups are used in the Security Rule Base to restrict or give users access to specified resources. Users are unaware of the groups to which they belong.
The Security Gateway forwards authentication requests by remote users to the RADIUS server. The RADIUS server, which stores user account information, does the authentication.
The RADIUS protocol uses UDP to communicate with the Security Gateway (RFC 2865 assigns UDP port 1812 to authentication; some older servers still listen on 1645). The shared secret that you configure on both sides is what authenticates the exchange between the Security Gateway and the RADIUS server and hides the user password in transit, so make sure the gateway can reach the server on that port and that the secret is long, random and identical on both sides.
To use RADIUS groups, you must define a return attribute in the RADIUS user profile on the RADIUS server. The server sends this attribute back to the Security Gateway in its reply; its value is the name of the group to which the user belongs (for example, RAD_<group to which the RADIUS users belong>).
For the Gaia operating system, use the attribute "Vendor-Specific" (26) - refer to RFC 2865.
To learn how to configure a RADIUS server, refer to the vendor documentation.
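The return-attribute mechanism described above, as an added example that is not part of this guide and not Check Point's code: a Python model of the Access-Accept reply that carries a group name in a Class (25) or Vendor-Specific (26) attribute, the Response Authenticator check that proves the reply was produced by a server holding the shared secret, and a bounds-checked attribute parser that rejects a malformed length field instead of reading past the packet. The shared secret, Request Authenticator and packet contents are constructed for the example; 2620 is Check Point's IANA enterprise number, while the vendor type 229 is an assumed value.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_CLASS = 25            # Class, RFC 2865 section 5.25
ATTR_VENDOR_SPECIFIC = 26  # Vendor-Specific, RFC 2865 section 5.26


def build_attr(attr_type, value):
    """Encode a plain attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: Vendor-Id (4 bytes) followed by a
    vendor type / vendor length / value triple, the layout RFC 2865 recommends."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_access_accept(identifier, request_auth, secret, attrs):
    """Build an Access-Accept. Its Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3,
    so a host that does not hold the shared secret cannot forge a valid reply."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """True only if the packet is well-formed and its Response Authenticator was
    computed with our shared secret over the Request Authenticator we sent."""
    if len(packet) < 20 or len(packet) > 4096:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the attribute list after the 20-byte header. Yields (type, value),
    or (26, (vendor_id, vendor_type, value)) for a Vendor-Specific attribute.
    Raises ValueError when a length field does not fit inside the packet."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("attribute length out of bounds")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short Vendor-Specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("vendor length out of bounds")
            yield atype, (vendor_id, vtype, value[6:4 + vlen])
        else:
            yield atype, value
        pos += alen


def attributes_well_formed(packet):
    """True if every attribute in the packet can be parsed."""
    try:
        list(parse_attributes(packet))
        return True
    except ValueError:
        return False


def radius_groups(packet, prefix=b"RAD_"):
    """Collect group names returned in Class (25) or Vendor-Specific (26)
    attributes. Only values carrying the agreed prefix are treated as groups."""
    groups = []
    for atype, value in parse_attributes(packet):
        if atype == ATTR_VENDOR_SPECIFIC:
            value = value[2]
        if atype in (ATTR_CLASS, ATTR_VENDOR_SPECIFIC) and value.startswith(prefix):
            groups.append(value.decode("ascii"))
    return groups


# Constructed sample exchange, not a capture. The secret and the Request
# Authenticator are made up; 2620 is Check Point's IANA enterprise number and
# the vendor type 229 is an assumed value for this example.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_access_accept(
    7, REQUEST_AUTH, SECRET,
    build_vsa(2620, 229, b"RAD_vpn_users") + build_attr(ATTR_CLASS, b"RAD_admins"),
)
```

`verify_response(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET)` is True and becomes False with any other secret or if a single byte is dropped from the packet; `radius_groups(SAMPLE_ACCEPT)` returns both group names, one from the Vendor-Specific attribute and one from Class. The parser is deliberately strict: a reply whose attribute length points past the end of the datagram is rejected rather than silently truncated, which is the check you want in front of anything that maps returned strings to rules in the Security Rule Base.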
Users can perform RADIUS authentication through a RADIUS server or a RADIUS server group. A RADIUS server group is a high-availability group of identical RADIUS servers that can include any or all of the RADIUS servers in the system. When you create the group, you define a priority for each server in the group. If the server with the highest priority fails, the one with the next highest priority in the group takes over, and so on.
After you configure authentication with a RADIUS server, you can, in addition, configure authentication with a certificate file. The user can then authenticate to the Security Gateway with either the RADIUS server or the certificate file.
To configure RADIUS server authentication for a user
- In SmartConsole, configure a new RADIUS Server object:
  - Go to the Object Explorer and select New > More > Server > RADIUS.
  - Give the server a Name. It can be any name.
  - In the Host field, click the drop-down arrow, click New and create a New Host with the IP address of the RADIUS server.
  - Click OK.
  - Make sure that this host shows in the Host field of the New RADIUS window.
  - In the Shared Secret field, type the secret key that you defined previously on the RADIUS server. The secret must match the server's configuration exactly; a mismatch makes every reply fail verification, so the user is rejected even when the server accepted the credentials.
  - Click OK.
  - Publish the SmartConsole session.
- Create a new user and define RADIUS as the authentication method:
  - In the Object Explorer (F11), click New > More > User/Identity > User. The New User window opens.
  - Select a template and click OK.
  - Enter a User Name - a unique, case-sensitive character string.
    If you generate a user certificate with a non-Check Point Certificate Authority, enter the Common Name (CN) component of the Distinguished Name (DN). For example, if the DN is [CN = James, O = My Organization, C = My Country], enter James as the user name. If you use Common Names as user names, they must contain exactly one string with no spaces.
  - Configure the user's General Properties:
    - Expiration Date - the date after which the user is no longer authorized to access network resources and applications. By default, the date defined in the main menu > Global Properties > User Accounts > Expiration Date shows as the expiration date.
    - Optional settings: Comment, Email Address, Mobile Phone Number.
  - In Groups, add the user to user groups.
  - Configure the user's Authentication: from the drop-down menu, select RADIUS.
    Important - If you do not select an authentication method, the user cannot log in or use network resources.
  - In Location, select the objects from which this user can access or send data and traffic. In the Allowed locations section:
    - Sources - click Add to add selected objects to this user's permitted sources. The user can get data and traffic from these objects.
    - Destination - click Add to add selected objects to this user's permitted destinations. The user can send data and traffic to these objects.
  - In Time, if the user has specific working days or hours, configure when the user can be authenticated for access:
    - From and To - enter the start time and end time of an expected workday. The user is not authenticated if a login attempt is made outside this range.
    - Days in week or Daily - select the days on which the user can authenticate and access resources. The user is not authenticated if a login attempt is made on an unselected day.
  - In Certificates:
    Generate and register certificates for user accounts. These certificates are issued by the Internal Certificate Authority (ICA) on the Check Point Management Server and authenticate the user in the Check Point system. Use certificates together with the required authentication method for added access control.
    - Click New.
    - Select a registration key or a p12 file:
      - Registration key for certificate enrollment - select to send a registration key that activates the certificate. When prompted, select the number of days the user has to activate the certificate before the registration key expires. Deliver the key to the user out of band and keep the activation window short.
      - Certificate file (p12) - select to create a .p12 certificate file with a private password for the user. When prompted, enter and confirm the certificate password. The .p12 file contains the user's private key, so transfer it and its password to the user over separate channels.
    - Click OK.
  - In Encryption:
    If the user accesses resources from a remote location, traffic between the remote user and internal resources is encrypted. Configure encryption settings for remote access users.
    - Select an encryption method for the user.
    - Click Edit. The encryption Properties window opens. The next steps are for IKE Phase 2. The options can be different for different methods.
    - Open the Authentication tab.
    - Select the authentication schemes:
      - Password - the user authenticates with a pre-shared secret password. Enter and confirm the password.
      - Public Key - the user authenticates with a public key contained in a certificate file.
    - Click OK.
    - Click OK.
    If a user is not in the system for some time (for example, when on extended leave), you can revoke the certificate. This leaves the user account in the system, but the user cannot use it until you renew the certificate. To revoke a certificate, select the certificate and click Revoke.
- Optional: Configure a RADIUS server group for SmartConsole user authentication
  - In SmartConsole, configure all the servers that you want to include in the server group. For each server, enter its priority in the group. The lower the number, the higher the priority. For example, if you create a group with three servers with priorities 1, 2 and 3, the server with priority 1 is approached first, the server with priority 2 second, and the server with priority 3 third. Every server in the group must hold the same user profiles and return the same group attribute, or a failover silently changes which groups a user receives.
  - Create the server group: in SmartConsole, go to Object Explorer and click New > Server > More > RADIUS Group.
  - Configure the group properties and add servers to the group:
    - Give the group a Name. It can be any name.
    - Click the plus (+) for each server you want to add, and select each server from the drop-down list.
    - Click OK.
  - Publish the SmartConsole session.
- Add a new user.
- Publish the SmartConsole session.