Thread: A question of a RADIUS newbie
View Single Post
  #2 (permalink)  
Old 2006-11-02
jayws jayws is offline
Junior Member
  
Join Date: 2006-11-02
Posts: 1
Rep Power: 0
jayws has an average reputation (10+)
Default Re: A question of a RADIUS newbie
Try WIndows IAS, comes with your Windows OS, anyway!! (Servers of course), how to configure?....checkout this post

Note, this post belongs to someone else, i just copied it long time ago and used it since, very helpful and works in most of my radius + CP installs.

Jay


STEP1 On Check Point FW-1/VPN-1 NG-AI

Also works on NG FP3 -- MichaelHuber - 02 Apr 2004

1. Create a MS_RADIUS_SRV node – e.g. 192.168.1.21 2. Create RADIUS Server Object
• Manage -> Servers and OPSEC Applications… -> New – RADIUS
• Name: MS_RADIUS
• Host: MS_RADIUS_Srv
• Service: UDP NEW-RADIUS
• Shared Secret: xxxxx
• Version: RADIUS Ver. 2.0 Compatible
• Priority: 1

3. Create a FW rule if it is necessary
• Source: FW Internal Interface (e.g. 192.168.1.1)
• Destination: MS_RADIUS_Srv
• Service: UDP NEW-RADIUS (Port 1812)

4. Create gerneric* user and Group VPN_Users
• Manage -> Users and Administrators… -> New -> User called generic*
• Belongs to VPN_Users
• Authetication
o Authetication Scheme: RADIUS
o Select a RADIUS Server or Group of Servers: MS_RADIUS
o Allowed Location: internal-networks
• Add the group to Participant User Groups of your Remote Access Community
• Add the remote VPN FW if necessary



Running NG/AI R54, the usernam generic* is a reserved word. I had to use: "External User Profiles->New->Match_All_Users" to create the generic* user. -- DavidBotham? - 06 Jan 2004

This is also true for NG FP3 -- MichaelHuber - 02 Apr 2004



STEP 2 Configure MS RADIUS - IAS (Internet Authentication Service)



1. Install MS IAS on a Windows 2000 Server

2. Open IAS and right click on Internet Authentication Service (Local) -> Register Service in Active Directory

3. Create a new client
• In Client Address field, enter your FW Internal interface IP address. For Nokia IP clustering, don’t enter the cluster IP (at least, it doesn’t work for me). Instead create two clients each has its own IP address.
• Uncheck “Client must always send the signature attribute in the request”
• Enter your Shared Secret

4. Create a new Remote Access Policy
• Add Windows-Groups: Create a Windows 2000 Security Group with any user account whose Remote Access Permission (Dial-in or VPN) is allowed
• Add Service-Type -> Authenticate Only
• NAS-IP-Address: your FW external IP
• Edit Profile…
o Advanced: add Service-Type and attribute value: Authenticate Only
o Encryption: Strong
o Authentication: Unencrypted Authentication (PAP, SPAP)

5. Use Active Directory Users and Computers to set Remote Access Permission
• Users (select user and open Properties)
• Select Dial-in tab
• Under Remote Access Permission (Dial-in)
o Select Allow access

6. Add user to group created above

Note:

* Windows Group, Service-Type, and NAS-IP-Address are selected based on my Ethereal result:





** Check MS IAS document at http://www.microsoft.com/windows2000/docs/IAS.doc

* Fore troubleshooting, use Event Viewer on RADIUS server and CP SmartView? Tracker

-- PhoneBoy - 30 Dec 2003

-- MichaelHuber - 02 Apr 2004

FAQForm FAQs.Class: AuthenticationFAQs FAQs.OS: FAQs.Version: NG
Reply With Quote