This post describes how to configure Check Point Security Management Server to authenticate users against a Windows 2008 R2 NPS RADIUS Server.

Create Active Directory Groups

Create a new Active Directory group for administrators requiring Read/Write permissions, e.g. “Firewall Management RW”

Add users requiring Read/Write permissions to the new group

Create a new Active Directory group for administrators requiring Read Only permissions, e.g. “Firewall Management RO”

Add users requiring Read Only permissions to the new group

RADIUS Server Configuration

Open “Network Policy Server”

Select “RADIUS Clients and Servers” and “RADIUS Clients”

Define a new RADIUS client. Enter a Friendly name, IP Address and Shared secret (this is the same shared secret you will need to use when defining the RADIUS server object on the Check Point side later in the procedure)

Click OK

Click “Policies” and then “Network Policies”

Create new Network Policy

Enter an appropriate policy name, e.g. “Read/Write Check Point Management”, and click Next

Specify conditions: select “Windows Groups” and choose the Active Directory group “Firewall Management RW”, then click Next

Ensure “Access Granted” is selected, click Next

Tick “Unencrypted authentication (PAP, SPAP)”, click Next

Click Next and Finish

Repeat the procedure to create a policy for Read Only authentication, ensuring the “Windows Groups” condition uses the group created for Read Only access (“Firewall Management RO”)
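
Before moving on to the Check Point side it is worth exercising the two NPS policies directly. The following is an added example, not part of the original post: a minimal RADIUS PAP test client in Python using only the standard library. It masks the password the way RFC 2865 requires (the only wire protection PAP gets is the shared secret, which is why the policy has to allow “Unencrypted authentication (PAP, SPAP)”) and verifies the reply’s Response Authenticator against the same secret, so a forged or mis-secreted reply is reported rather than trusted. The NPS address, shared secret, account names and the NAS-Identifier “cp-mgmt-test” are placeholders you substitute.

```python
import hashlib
import os
import socket
import struct

def pap_password(secret, authenticator, password):
    """RFC 2865 5.2: the password is only XOR-masked with MD5(secret + previous block),
    so the shared secret is all that protects it on the wire (hence the PAP policy setting)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def build_access_request(ident, secret, user, password, nas_id, authenticator=None):
    """Access-Request: code 1, identifier, length, 16-byte Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for atype, value in ((1, user.encode()),  # User-Name: must match the AD account name exactly
                         (2, pap_password(secret, authenticator, password.encode())),  # User-Password
                         (32, nas_id.encode())):  # NAS-Identifier (placeholder value)
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, req_authenticator, secret, attrs=b""):
    """What the server sends back (RFC 2865 3); used here only to build offline test vectors."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(resp, req_authenticator, secret):
    """True only if the Response Authenticator was computed with our shared secret."""
    return (len(resp) >= 20 and struct.unpack("!H", resp[2:4])[0] == len(resp)
            and resp[4:20] == hashlib.md5(resp[:4] + req_authenticator + resp[20:] + secret).digest())

def authenticate(server, secret, user, password, nas_id="cp-mgmt-test"):
    """Send one request to UDP/1812; returns 'accept', 'reject', 'bad-auth' or 'timeout'."""
    ident = os.urandom(1)[0]
    req = build_access_request(ident, secret, user, password, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(req, (server, 1812))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    if resp[1] != ident or not response_is_authentic(resp, req[4:20], secret):
        return "bad-auth"
    return {2: "accept", 3: "reject"}.get(resp[0], "other")  # 2 = Access-Accept, 3 = Access-Reject
```

Run it from a host that is defined as a RADIUS client on NPS (NPS silently discards requests from unknown sources, which shows up here as “timeout”), calling authenticate("<nps-ip>", b"<shared secret>", "<AD user>", "<password>"). An “accept” for a member of each group and a “reject” for a non-member confirms the policies before any Check Point objects are created.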

Check Point Security Management Server Configuration

Click “Manage” and select “Servers and OPSEC Applications”

Click “New” and select “RADIUS”

Type a suitable name, e.g. “RADIUS_Server”

Either create a new host or select an existing host for the server that is running RADIUS

Type in a “Shared Secret” (this is the same as previously defined on the NPS server)

Click “OK”, then “Close”

From the “Manage” menu select “Permissions Profiles…”

Select “New” then select “Permissions Profile”

Name the profile appropriately, e.g. “Mgmt_RW”

Select “Read/Write All” permissions

Once complete select “OK”

Repeat the process to create an additional Permissions Profile called “Mgmt_RO” and select “Read Only All” permissions

Once the profiles are created, close the “Permissions Profile” window

From the “Manage” menu select “Users and Administrators”

Select “New” and select “Administrator…”

Enter the User Name for the administrator requiring Read/Write permissions; the username must exactly match the user account name in Active Directory, since it is sent as the RADIUS User-Name

Enter a comment, email address, phone number and expiration date if required

Select the Read/Write permissions profile

Select the “Authentication” tab on the left and change the “Authentication Scheme” to RADIUS

Select the newly created RADIUS server object

Repeat the procedure to create an administrator with Read Only permissions

Click Close

Save the configuration

Open one of the SmartConsole applications and attempt authentication using both the RW and RO user accounts. You will notice the RO account is in Read Only mode, with the editing options greyed out
