Configuring Check Point Gaia with Windows NPS RADIUS Authentication


This post describes how to configure Check Point Gaia (R75.46) and Windows 2008 R2 NPS server to authenticate management access to the Check Point CLI or Web GUI. Please refer to the previous post to configure the Active Directory Groups and NPS Policies.

Two roles will be created in the Check Point Web GUI, one with Read Only permissions and another with Read Write. The NPS RADIUS Policy will match the Check Point roles to an Active Directory group, and the members of these groups will be assigned the appropriate role when they log in.


Modify the NPS Network Policies


NOTE – The configuration of NPS policies was covered in a previous blog post here


Open Network Policy Server and select Network Policies

Open the Network Policy for R/W access “Read/Write Check Point Management”


Select the “Settings” tab

Select “Vendor Specific”

Click “Add” and select “Vendor-Specific”

Click “Add” to enter a new attribute

Click “Enter Vendor Code” and type “2620”

Select “Yes, it confirms”

Click “Configure Attribute…”

Enter “Vendor-assigned attribute number” as “229”

Enter “Attribute format” as “String”

Enter “Attribute value” as “radius-group-RW”


Repeat the process for the Network Policy for Read Only access “Read/Only Check Point Management”

When prompted to enter the “Attribute value”, enter “radius-group-RO”


Configure the Check Point Authentication Server


Log in to the Check Point Web GUI

Select “User Management”, then “Authentication Servers”

Click “Add”

Type the IP address of the NPS RADIUS server in the “Host” field

Select the UDP port if not using default

Click OK

Select “Network Access Server (NAS)” interface


Create the Check Point Roles from Web GUI


Select “User Management”, then “Roles”

Click “Add” to create a new role, and define the name as “radius-group-RW”

For each Feature listed, select the down arrow to the left and select Read/Write. Repeat for all Features you wish to assign to this role

Select the “Extended Commands” tab

Activate all commands required


Once all features and commands are configured, click OK

Click “Add” and create a new role called “radius-group-RO”, select all features and grant Read/Only permissions
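What the NPS Vendor-Specific attribute configured above actually carries on the wire, and how a receiver maps its string value onto one of the two Gaia roles just created, as an added example that is not part of the original post or of any Check Point or Microsoft code. It builds and parses the RFC 2865 Vendor-Specific attribute (type 26) with vendor code 2620 and vendor-assigned attribute 229 from the post; the strict-matching behaviour for unknown role names and foreign vendor IDs is this example's own assumption.

```python
import struct

CHECKPOINT_VENDOR_ID = 2620   # vendor code entered in the NPS policy (from the post)
GAIA_USER_ROLE_ATTR = 229     # vendor-assigned attribute number (from the post)
# Role names created in the Gaia Web GUI; anything else is treated as no role
# assignment (assumption for this example, not documented Gaia behaviour).
CONFIGURED_ROLES = {"radius-group-RW", "radius-group-RO"}


def encode_vsa(vendor_id: int, vendor_type: int, value: str) -> bytes:
    """Build a RADIUS Vendor-Specific attribute (RFC 2865 s5.26):
    Type=26 | Length | Vendor-Id(4) | Vendor-Type(1) | Vendor-Length(1) | String."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", 26, len(body) + 2) + body


def decode_vsa(attr: bytes) -> dict:
    """Parse one VSA; reject anything whose lengths do not add up
    so a truncated or padded attribute cannot yield a role name."""
    if len(attr) < 8 or attr[0] != 26 or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len < 2 or vendor_len != len(attr) - 6:
        raise ValueError("vendor-length does not match attribute length")
    value = attr[8:8 + vendor_len - 2].decode("utf-8")
    return {"vendor_id": vendor_id, "vendor_type": vendor_type, "value": value}


def gaia_role_from_vsa(attr: bytes):
    """Return the configured Gaia role named by the attribute, or None when the
    attribute belongs to another vendor, is not attribute 229, or names an
    unknown role (so a mistyped NPS value grants nothing rather than something)."""
    vsa = decode_vsa(attr)
    if vsa["vendor_id"] != CHECKPOINT_VENDOR_ID or vsa["vendor_type"] != GAIA_USER_ROLE_ATTR:
        return None
    return vsa["value"] if vsa["value"] in CONFIGURED_ROLES else None


if __name__ == "__main__":
    # Constructed sample: the attribute NPS sends for the Read/Write policy.
    rw_attr = encode_vsa(CHECKPOINT_VENDOR_ID, GAIA_USER_ROLE_ATTR, "radius-group-RW")
    print(rw_attr.hex())                 # 1a17 00000a3c e511 ...
    print(gaia_role_from_vsa(rw_attr))   # radius-group-RW
```

The hex dump is the quickest way to confirm in a packet capture that NPS is emitting vendor 2620 / attribute 229 rather than a generic Filter-Id or Class attribute, which Gaia will not map to a role.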


Test Authentication


Once the NPS Network Policies and Check Point roles have been created, a user who is a member of the Domain group “Firewall Management RO” and logs in to the Web GUI or the Gaia CLI will be dynamically assigned membership of the “radius-group-RO” role and will have access to all features defined in that role.

Depending on which features you granted Read/Only access to, not all features will be visible in the menu

Notice that options are greyed out and the page states “this page is currently in read-only mode”

Log in to the Web GUI using a test account that is a member of the Read/Write group

Notice the options are not greyed out and you are able to make changes


That’s about it, any issues let me know