This section describes how to integrate Check Point Gateway Identity Awareness with RSA Authentication Manager using RADIUS.

Configure RSA Authentication Manager

Perform these steps to configure RSA Authentication Manager using Radius.

Procedure

1. Log in to Security Console.

2. Go to RADIUS > RADIUS Servers and make a note of the IP address of the selected RADIUS server.

3. Go to RADIUS > RADIUS Clients > Add New.
4. On the Add RADIUS Client page enter the following details: 

1. 1. Client Name: Enter a descriptive name for the Radius client.
   2. IPv4 Address: Enter the IP address of the Radius client.
   3. Make / Model: Select CheckPoint from the drop-down menu.
   4. Shared Secret: Create and enter a secure shared secret. This secret will be used for secure communication between the Radius client and the Radius server.

5. Click Save & Create Associated RSA Agent.
6. Click Save. 
7. Confirm by clicking Yes, Save Agent.

Notes

• RSA Authentication Manager RADIUS server listens on ports UDP 1645 and UDP 1812.
• The relationship of agent host record to RADIUS client in the Authentication Manager can 1 to 1, 1 to many or 1 to all (global).
• Shared Secret must be an alphanumeric string between 1 and 31 characters in length and is case-sensitive.

Configure Check Point Identity Awareness

Perform these steps to configure RSA Authentication Manager using Check Point Identity Awareness. 

Procedure

1. Log in to Check Point SmartConsole desktop application with admin credentials.
2. From the left pane, go to Gateways & Servers tab.
3. Double click the required deployed Check Point Gateway.

4. In General properties of the gateway, ensure that Identity Awareness is enabled. 

Note: If Identity Awareness is not enabled, follow the prompt to enable the service. During this process, the Identity Awareness portal URL will be configured, and end users will be redirected to it when Identity Awareness is triggered by the configured policies.

5. In the Gateway & Servers tab, click New > More > Server > RADIUS.

6. In the RADIUS Server window, go to Host choose the RADIUS server host.

Note: If the RADIUS server host is not yet configured in the dropdown list, create a new host by entering the Identity Router Management Interface IP address obtained from the RSA. Then, select the RADIUS service, which uses port 1812, and enter the shared secret that was configured in the RSA.

7. In SmartConsole, click the Gateways & Servers panel.
8. Open the Security Gateway object. In the left pane, click Identity Awareness, enable Browser-Based Authentication and select Settings.
9. In the Access Settings, choose how end users will access this portal from to the following options: 
   1.  All interfaces
   2.  Internal interfaces
   3. Firewall policy

10. In Authentication Settings, select RADIUS as the Authentication Method. 
11. Select the RADIUS server configured previously from the dropdown menu. 
12. In the User Directories section, enter the following information: 

1. 1. Internal users: In this configuration, the users authenticated against RSA must exist locally on the Check Point SmartConsole for authentication.
   2. LDAP users: In this configuration, the users authenticated against RSA must exist on a remote Active Directory server. Check Point must be configured to connect to it successfully to fetch the users according to the LDAP lookup for authentication.

Note: You must select the LDAP Lookup Type as mail.

1. 3. External user profiles: This configuration relies on users existing outside of Check Point and LDAP. However, you must create an external user profile to authenticate users correctly.

13. In the Gateways & Servers main tab,
14. Go to Global properties > Advanced > Configure > FireWall-1 > Authentication > RADIUS.
15. Configure the values as shown in the following figure.

14. In SmartConsole, click Publish.
15. Select the applicable policy, and choose Access Control.
16. Click Install to apply the Policy.

The configuration is complete.
Return to Main page