Creating a User Account with RADIUS Server Authentication
Remote Authentication Dial-In User Service (RADIUS) is an external authentication method that provides security and scalability by separating the authentication function from the access server.
With RADIUS, the Security Gateway (the dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) lets you control access privileges for authenticated RADIUS users, based on the administrator's assignment of users to RADIUS groups. These groups are used in the Security Rule Base (all rules configured in a given Security Policy; synonym: Rulebase) to restrict or give users access to specified resources. Users are unaware of the groups to which they belong.
The Security Gateway forwards authentication requests by remote users to the RADIUS server. The RADIUS server, which stores user account information, does the authentication.
The RADIUS protocol uses UDP to communicate with the Security Gateway.
To use RADIUS groups, you must define a return attribute in the RADIUS user profile of the RADIUS server. This attribute is returned to the Security Gateway and contains the group name (for example, RAD_<group to which the RADIUS users belong>) to which the users belong.
For the Gaia operating system (the Check Point security operating system that combines the strengths of both SecurePlatform and IPSO), use the attribute "Vendor-Specific" (26); refer to RFC 2865.
To learn how to configure a RADIUS server, refer to the vendor documentation.
Users can perform RADIUS authentication through a RADIUS server or a RADIUS server group. A RADIUS server group is a high availability group of identical RADIUS servers which includes any or all the RADIUS servers in the system. When you create the group, you define a priority for each server in the group. If the server with the highest priority fails, the one with the next highest priority in the group takes over, and so on. If you assign the same priority to all RADIUS servers, the Security Gateway will randomly select one of them for authentication.
After you configure authentication with a RADIUS server, you can, in addition, configure authentication with a certificate file. The user can then authenticate to the Security Gateway with the RADIUS server or the certificate file.
Configuring RADIUS Authentication for a User
- In SmartConsole, configure a new RADIUS Server object:
  - In the top right corner, click the Objects panel.
  - Click New > More > Server > RADIUS.
  - In the top field, enter the applicable object name.
  - Optional: Enter the comment.
  - In the Host field, click the drop-down arrow, then click New.
  - Create a New Host with the IP address of the RADIUS server. Click OK.
  - Make sure that this host shows in the Host field of the New RADIUS window.
  - In the Service field, leave the default value RADIUS.
  - In the Shared Secret field, enter the secret key that you defined previously on the RADIUS server.
  - In the Version field, leave the default value RADIUS Ver. 1.0.
  - In the Protocol field, leave the default value PAP.
  - In the Priority field, leave the default value 1.
  - Click OK.
  - Publish the SmartConsole session.
- Create a new user and select RADIUS as the authentication method:
  - In the top right corner, click the Objects panel.
  - Click New > More > User/Identity > User. The New User window opens.
  - Choose the applicable user template and click OK.
  - In the top field, enter the applicable object name. This must be a unique, case-sensitive character string.
    If you generate a user certificate with a non-Check Point Certificate Authority, enter the Common Name (CN) component of the Distinguished Name (DN). For example, if the DN is "CN = James, O = My Organization, C = My Country", enter "James" as the user name. If you use Common Names as user names, they must contain exactly one string with no spaces.
  - Optional: Enter the comment.
  - On the General page, configure the applicable settings:
    - Email address (optional)
    - Mobile phone number (optional)
    - Expire at - the date after which the user is no longer authorized to access network resources and applications. The default expiration date is configured in Global Properties > User Accounts > Expiration Date.
  - On the Groups page, you can select the applicable user group objects (in addition to, or instead of, those configured in the user template).
  - On the Authentication page:
    - In the Authentication method field, select RADIUS.
    - In the RADIUS server field, leave the default value Any or select the applicable RADIUS server object.
    Important - If you do not select an authentication method, the user cannot log in or use network resources.
  - On the Location page:
    - Configure the allowed sources from which this user can access or send data and traffic. These objects must already exist before you can select them.
    - Configure the allowed destinations to which this user can access or send data and traffic. These objects must already exist before you can select them.
  - On the Time page:
    If the user has specific working days or hours, you can configure when the user can be authenticated for access.
    - From and To - Enter the start time and end time of an expected workday. This user is not authenticated if a login attempt is made at a time outside the given range.
    - Days in week or Daily - Select the days on which the user can authenticate and access resources. This user is not authenticated if a login attempt is made on an unselected day.
  - On the Certificates page:
    You can configure the applicable certificates for this user for more secure access control.
    - Click New.
    - Select the applicable option:
      - Registration Key for certificate enrollment - sends a registration key that activates the certificate.
        - Enter the number of days the user has to activate the certificate before the registration key expires.
        - Optional: Enter a comment.
        - Optional: Click Template to preview the email template.
        - Click Send.
        - Click OK to save this key.
      - Certificate file (p12) - creates a *.p12 certificate file with a private password for the user.
        - Enter and confirm the certificate password. A password is required to protect the sensitive data in the certificate file.
        - Optional: Enter a comment.
        - Click OK.
        - Wait for the Save As window to open.
        - In the File name field, make sure to include the username.
        - In the Save as type field, select Certificate Files (*p12). The certificate file is in the PKCS #12 format and has a .p12 extension.
        - Browse to a secure location on the SmartConsole computer.
        - Click Save.
        - Give the user this file and password.
    - Click OK.
    Notes:
    - If a user will not be in the system for some time (for example, going on an extended leave), you can revoke the certificate. This leaves the user account in the system, but it cannot be accessed until you renew the certificate.
    - To revoke a key / certificate, select the key / certificate and click Revoke.
  - On the Encryption page:
    You can configure the IKEv2 authentication and encryption settings for Remote Access VPN.
    - Select IKE.
    - Click Edit. The IKE Phase 2 Properties window opens.
    - On the Authentication page, select the authentication schemes:
      - Password - The user authenticates with a pre-shared secret password.
      - Public Key - The user authenticates with a public key contained in a certificate file.
    - On the Encryption page, there are no settings to configure. You configure these algorithms in SmartConsole > Global Properties > Remote Access > VPN - Authentication > section Encryption algorithms.
    - Click OK.
  - Click OK.
- Optional: Configure a RADIUS server group for SmartConsole user authentication:
  - In SmartConsole, configure all the servers that you want to include in the server group. For each server, enter its priority in the group. The lower the number, the higher the priority. For example, if you create a group with 3 servers, with priorities 1, 2 and 3, the server with priority 1 is approached first, the server with priority 2 second, and the server with priority 3 third.
  - Create the server group: In SmartConsole, go to Object Explorer and click New > Server > More > RADIUS Group.
  - Configure the group properties and add servers to the group:
    - Give the group a Name. It can be any name.
    - Click the plus (+) for each server you want to add, and select each server from the drop-down list.
    - Click OK.
  - Publish the SmartConsole session.
- Add a new user.
- Publish the SmartConsole session.
- Install the Access Control Policy.
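The priority and failover behaviour described above for a RADIUS server group (lowest priority number first, next server taken only when the current one does not answer, random choice among servers that share a priority) can be modelled in a few lines. The following is an added example written for this page, not Check Point code: RadiusServer, authentication_order and authenticate_with_group are hypothetical names, and the probe callable stands in for the real UDP exchange. One caveat the model makes explicit: a server that answers with a rejection is a final verdict, and only a server that gives no answer at all causes failover to the next one.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RadiusServer:
    """One member of a RADIUS server group (hypothetical type for this example)."""
    name: str
    host: str
    priority: int  # lower number = higher priority, as in the SmartConsole Priority field


def authentication_order(servers, shuffle=random.shuffle):
    """Return the servers in the order they are approached: ascending priority
    number; servers that share a priority are shuffled so that no single one
    is always picked first. `shuffle` is injectable so the order can be tested."""
    by_priority = {}
    for server in servers:
        by_priority.setdefault(server.priority, []).append(server)
    ordered = []
    for priority in sorted(by_priority):
        tier = list(by_priority[priority])
        shuffle(tier)
        ordered.extend(tier)
    return ordered


def authenticate_with_group(servers, probe, shuffle=random.shuffle):
    """Walk the group in priority order. `probe(server)` returns True (accept),
    False (reject) or None (no answer, e.g. UDP timeout). A verdict from any
    reachable server is final; only silence moves on to the next server.
    Returns (server_name, verdict, attempts); server_name is None if nobody answered."""
    attempts = []
    for server in authentication_order(servers, shuffle):
        verdict = probe(server)
        attempts.append((server.name, verdict))
        if verdict is not None:
            return server.name, verdict, attempts
    return None, None, attempts


if __name__ == "__main__":
    # Constructed sample group: one primary, two equal-priority secondaries, one last resort.
    group = [
        RadiusServer("rad-primary", "192.0.2.10", 1),
        RadiusServer("rad-second-a", "192.0.2.11", 2),
        RadiusServer("rad-second-b", "192.0.2.12", 2),
        RadiusServer("rad-last", "192.0.2.13", 3),
    ]
    # Simulated outage of the primary; the others answer.
    unreachable = {"rad-primary"}
    simulated_probe = lambda s: None if s.name in unreachable else True
    print(authenticate_with_group(group, simulated_probe))
```

Passing the same priority to every server makes every run of authentication_order a fresh random permutation, which is the "randomly select one of them" case the text describes.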
Granting User Access Using RADIUS Server Groups
The Security Gateway lets you control access privileges for authenticated RADIUS users, based on the assignment of users to RADIUS groups. These groups are used in the Security Policy (the collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection) to restrict or give users access to specified resources. Users are unaware of the groups to which they belong.
To use RADIUS groups, you must define a return attribute in the RADIUS user profile of the RADIUS server. This attribute is returned to the Security Gateway and contains the group name (for example, RAD_<group to which the RADIUS users belong>) to which the users belong.
Use the RADIUS attribute "Vendor-Specific" (26). Refer to RFC 2865.
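To make concrete what the Security Gateway and the RADIUS server exchange over UDP in the configuration above (PAP protocol, a shared secret, and a group name returned in the Vendor-Specific attribute 26 of RFC 2865), here is an added example written for this page; it is not Check Point code and does not reproduce Check Point's own attribute dictionary. It builds an Access-Request with the PAP User-Password hiding of RFC 2865 section 5.2, builds the server's Access-Accept carrying a RAD_ group in a Vendor-Specific attribute, and shows the gateway-side check that matters for a defender: the reply is only trusted if its identifier matches and its Response Authenticator verifies under the shared secret, so a reply that was tampered with or that came from a host that does not hold the secret is discarded. VENDOR_ID and VENDOR_GROUP_ATTR are constructed placeholders; the real values come from the vendor documentation the page refers to.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
GROUP_PREFIX = "RAD_"  # group-name convention from the page

# Constructed placeholder ids (hypothetical): the real Vendor-Id and the
# sub-attribute number that carries the group come from the RADIUS server's
# vendor dictionary, not from this example.
VENDOR_ID = 99999
VENDOR_GROUP_ATTR = 1


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR the null-padded password with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def pap_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same scheme; the keystream chains on the hidden chunks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(chunk, block)), chunk
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Vendor-Specific (26): 4-octet Vendor-Id followed by a vendor TLV."""
    inner = struct.pack("!BB", vtype, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(user, password, secret, ident=1, request_auth=None):
    """Gateway side: the PAP Access-Request sent to the RADIUS server over UDP."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user.encode()) + attr(
        ATTR_USER_PASSWORD, pap_hide(password.encode(), secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def build_access_accept(ident, request_auth, secret, group):
    """Server side: Access-Accept carrying the group name in a Vendor-Specific attribute."""
    attrs = vsa(VENDOR_ID, VENDOR_GROUP_ATTR, group.encode())
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return packet(ACCESS_ACCEPT, ident, auth, attrs)


def parse_attrs(data):
    """Split the attribute area into (type, value) pairs; reject inconsistent lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def verify_response(resp, request_auth, secret, expected_ident):
    """Gateway side: trust the reply only if the identifier matches the outstanding
    request and the Response Authenticator verifies under the shared secret.
    Returns ("accept", group), ("accept", None), ("reject", None) or ("invalid", None)."""
    if len(resp) < 20:
        return ("invalid", None)
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp) or ident != expected_ident:
        return ("invalid", None)
    attrs = resp[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, resp[4:20]):
        return ("invalid", None)  # forged, tampered, or wrong shared secret
    if code != ACCESS_ACCEPT:
        return ("reject", None)
    try:
        parsed = parse_attrs(attrs)
    except ValueError:
        return ("invalid", None)
    for atype, value in parsed:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        vtype, vlen = value[4], value[5]
        if vendor_id == VENDOR_ID and vtype == VENDOR_GROUP_ATTR:
            name = value[6:4 + vlen].decode("ascii", "replace")
            if name.startswith(GROUP_PREFIX):
                return ("accept", name)
    return ("accept", None)  # authenticated, but no RAD_ group to match in the Rule Base
```

The group string that verify_response returns is what the Rule Base matches on; an Access-Accept without a RAD_ attribute authenticates the user but gives the gateway nothing to map to a RADIUS group. Note that the authenticator is a keyed MD5 as RFC 2865 specifies, which is why the shared secret must be long and random and why the UDP path between gateway and server should itself be protected.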