 | ||
 Integration with RADIUS | ||
| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
|
| |||||||
 |
| | LinkBack | Thread Tools | Display Modes |
 2005-08-13 | |||
| |||
 Integration with RADIUS Integration with RADIUS FireWall-1 3.0 integrates with any Radius 1.x compliant server using simple password authentication. FireWall-1 4.0 will work with any 1.x or 2.x server. I have personally verified that it functions with FireWall-1 3.0b and Livingston's Radius Server v1.16.1 running on Red Hat Linux 5.1. There are a few steps: Add Firewall to RADIUS Server's clients File The clients file (in /etc/raddb on Unix stations) contains entries that are of the format radius-client shared-secret The 'radius-client' in this case is your firewall. Note that this should reflect the hostname your firewall resolves as on your RADIUS server. You may need to do some debugging to get the right hostname here. The 'shared-secret' is a password that both the RADIUS client (your firewall) and the RADIUS server will use for encryption when communicating with each other. In FireWall-1 3.x, I've heard that shared secrets beginning with a number or the letter 'f' have problems. I'm not sure if FireWall-1 4.x has these problems. Add Users in RADIUS Server's users File You may not need to do this if you already have existing Radius users in your database file (typically in /etc/raddb on Unix). If you are setting up "new" users, your user entries would look something like this: phoneboy Password = "abc123", Expiration = "Dec 31 1999" User-Service-Type = Login-User Note that there are other entries one can put in the users file (options for PPP, etc) are not used by FireWall-1. The only ones that FireWall-1 cares about are the ones listed above. Note if you install a Radius server on a Unix or NT machine and you want to use the existing users configured in the OS for authentication, make sure you have an entry in the users file that looks like this: DEFAULT Auth-Type = System, User-Service-Type = Login-User Create RADIUS Service (Optional) In FireWall-1 4.x, you can use Radius on a non-standard port. You will need to create the Radius service as appropriate. The default port for radius is UDP 1645. Create RADIUS Server Object You will need to create a workstation object for your RADIUS server in your Security Policy Editor. Nothing special here. You will then create a 'Server' object of type Radius. Specify the host (the workstation object you created previously), the service Radius will run on (this is only available in FireWall-1 4.x), the shared secret you specified on the RADIUS server, and the Version (note that FireWall-1 3.x only supports RADIUS v1.0). Create RADIUS Users on the Firewall Create the necessary users in the firewall, using authentication type RADIUS. If you have lots of users and would prefer not to have to enter them into the Firewall configuration, create a user with the name generic* and configure it for RADIUS authentication. This will cause all "unknown" users to be passed to the RADIUS server for validation. Create Rules for Authentication You can now create normal authentication rules (e.g. User Auth, Client Auth, Session Auth). However, in some cases, you may also need to add a rule permitting communication between your firewall and your RADIUS server. This rule should be listed before your stealth rule. The rule would look like: Source Destination Service Action Firewall RADIUS-Server radius Accept -- PhoneBoy - 30 Dec 2003 FAQForm FAQs.Class: AuthenticationFAQs FAQs.OS: FAQs.Version:  |
|
| Thread Tools | |
| Display Modes | |
| |
Linear Mode
