RADIUS server: Windows 2008 R2 server with NPS (Network Policy Server)
Before we start to configure the NPS, please create 2 security groups in your AD: one for users who get read-write access and one for users who get read-only access.
Open the NPS console.
Click on RADIUS Clients and Servers.
Right click on RADIUS Clients and select New.
Type in the name of the device.
Type in the IP address of the device. Note that this is the source IP address the device will use when reaching the RADIUS server, so take the routing table, FW policy, NAT etc. into account.
Type in a shared secret.
Click on the Advanced tab and under Vendor name make sure you select RADIUS Standard.
Click OK.
Click on Policies.
Right click on Network Policies and select New.
We will have to create 2 different policies, one for read-only access and the other for read-write access.
Type in the policy name and click Next.
On the Specify Conditions page click on Add and select Windows Groups.
Select the read-write security group and click OK.
Click Next.
Make sure Access granted is selected and click Next.
Check CHAP and PAP and click Next.
On the Configure Constraints page you can enable idle and session timeouts.
Click Next.
On Configure Settings, select RADIUS Attributes -> Vendor Specific, and click Add.
Select Vendor-Specific from the list and click Add.
Click Add, select Enter Vendor Code, and type in 2620.
Select "Yes. It conforms."
Click on Configure Attributes.
In Vendor-assigned attribute number type 229.
In Attribute format select String.
In Attribute value type in radius-group-RW.
Click OK, OK, OK and Close.
Click Next and then Finish.
Make sure the newly created policy is above the deny policies by right-clicking the policy and selecting Move Up. Also make sure that no other policy whose conditions also match these users is placed above this one and would take precedence; if there is one, move this policy above it.
Repeat these steps and create one more policy for read-only access: give it an appropriate name, on Specify Conditions -> Windows Groups select the RO group, and on Configure Attributes -> Attribute value change the string to radius-group-RO.
Again, make sure this policy is above the deny policies.
Now let's configure the GAIA OS: log in to the web GUI.
Select User Management -> Roles and click Add.
In the Role Name type in radius-group-RW.
On the Features list select the required access (for adminRole select all items).
In Mark selected as choose Read/Write and click OK.
Repeat these steps and create a new role named radius-group-RO, select the items/features according to the access you need to grant to read-only users, and mark those items as Read-Only.
Next select User Management -> Authentication Servers and click Add.
On Host type in your RADIUS server IP address.
Type in the shared secret (the one we used in NPS for the RADIUS client).
Click OK and then Apply.
That's it!
Now log out of the web GUI and test your settings by logging in again with your domain username and password (note that your domain account must be a member of the security group for firewall RO or RW access).
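The two halves of this setup meet in one RADIUS attribute: NPS puts a Vendor-Specific attribute (vendor code 2620, vendor-assigned attribute 229, string value) into the Access-Accept, and Gaia grants the role whose name equals that string. The following is an added example, not code from the original post or from Check Point or Microsoft: it builds that attribute exactly as RFC 2865 section 5.26 lays it out (which is what "Yes. It conforms." selects in NPS), wraps it in a constructed Access-Accept, and parses it back the way a strict receiver would, rejecting malformed lengths. The role set, the packet identifier and the authenticator are constructed sample values; exact, case-sensitive matching of the role name is this example's assumption and is the reason the Attribute value typed in NPS must be identical to the Gaia Role Name.

```python
import os
import struct

# Values from the NPS policy above: Check Point's IANA enterprise number
# and the vendor-assigned attribute that carries the Gaia role name.
CHECKPOINT_VENDOR_ID = 2620
GAIA_ROLE_ATTR = 229
VENDOR_SPECIFIC = 26      # RFC 2865 attribute type "Vendor-Specific"
ACCESS_ACCEPT = 2         # RFC 2865 packet code

# Role names created under User Management -> Roles on Gaia (from the post).
GAIA_ROLES = {"radius-group-RW", "radius-group-RO"}


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute whose vendor payload is a single
    (vendor-type, vendor-length, string) sub-attribute per RFC 2865 5.26."""
    if not isinstance(value, bytes):
        value = value.encode("ascii")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("VSA value too long for a single attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier, authenticator, attributes):
    """Assemble an Access-Accept: code, id, length, 16-byte authenticator,
    attributes. The authenticator is supplied (constructed), not computed."""
    payload = b"".join(attributes)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(payload)) + authenticator + payload


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs, refusing
    malformed lengths instead of reading past the buffer."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("invalid attribute length %d" % alen)
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_access_accept(packet):
    """Check the RADIUS header of an Access-Accept and return its attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    return parse_attributes(packet[20:length])


def gaia_role_values(attrs):
    """Return every string carried in vendor 2620 / attribute 229 sub-attributes;
    VSAs of other vendors and other sub-attributes are ignored."""
    roles = []
    for atype, value in attrs:
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != CHECKPOINT_VENDOR_ID:
            continue
        # Vendor sub-attributes use the same type/length/data layout.
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == GAIA_ROLE_ATTR:
                roles.append(vvalue.decode("ascii", errors="replace"))
    return roles


def select_gaia_role(packet, configured_roles=GAIA_ROLES):
    """Return the first role name that exactly matches a role defined on Gaia.
    A value that differs in case or spelling yields None, i.e. no access."""
    for role in gaia_role_values(parse_access_accept(packet)):
        if role in configured_roles:
            return role
    return None


if __name__ == "__main__":
    # Constructed sample: what NPS returns for a member of the read-write group.
    pkt = build_access_accept(
        7, os.urandom(16),
        [encode_vsa(CHECKPOINT_VENDOR_ID, GAIA_ROLE_ATTR, "radius-group-RW")])
    print(pkt.hex())
    print(select_gaia_role(pkt))
```

Feeding a capture of a real Access-Accept into `select_gaia_role` is a quick way to confirm that the attribute NPS actually emits carries the string you expect; if it returns None, compare the string against the Role Name on Gaia character by character before touching anything else.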
After that I highly recommend changing the admin password to something very complex and hard, keeping it in a password vault, and never using it again unless needed.
In my next post I will show how to configure RADIUS authentication for SmartConsole access.