FireWall-1 FAQ: Integration with Radius
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
FireWall-1 3.0 integrates with any Radius 1.x compliant server using simple password authentication. FireWall-1 4.0 will work with any 1.x or 2.x server. I have personally verified that it functions with FireWall-1 3.0b and Livingston’s Radius Server v1.16.1 running on Red Hat Linux 5.1.
There are a few steps:
- [Add Firewall to RADIUS Server’s clients File](#1]
- Add Users in RADIUS Server’s users File
- Create RADIUS Service (Optional)
- Create RADIUS Server Object
- Create RADIUS Users on the Firewall
- Create Rules for Authentication
The clients file (in /etc/raddb on Unix stations) contains entries that are of the format
The ‘radius-client’ in this case is your firewall. Note that this should reflect the hostname your firewall resolves as on your RADIUS server. You may need to do some debugging to get the right hostname here.
The ‘shared-secret’ is a password that both the RADIUS client (your firewall) and the RADIUS server will use for encryption when communicating with each other. In FireWall-1 3.x, I’ve heard that shared secrets beginning with a number or the letter ‘f’ have problems. I’m not sure if FireWall-1 4.x has these problems.
You may not need to do this if you already have existing Radius users in your database file (typically in /etc/raddb on Unix). If you are setting up “new” users, your user entries would look something like this:
phoneboy Password = "abc123", Expiration = "Dec 31 1999" User-Service-Type = Login-User
Note that there are other entries one can put in the users file (options for PPP, etc) are not used by FireWall-1. The only ones that FireWall-1 cares about are the ones listed above. Note if you install a Radius server on a Unix or NT machine and you want to use the existing users configured in the OS for authentication, make sure you have an entry in the users file that looks like this:
DEFAULT Auth-Type = System, User-Service-Type = Login-User
In FireWall-1 4.x, you can use Radius on a non-standard port. You will need to create the Radius service as appropriate. The default port for radius is UDP 1645.
You will need to create a workstation object for your RADIUS server in your Security Policy Editor. Nothing special here. You will then create a ‘Server’ object of type Radius. Specify the host (the workstation object you created previously), the service Radius will run on (this is only available in FireWall-1 4.x), the shared secret you specified on the RADIUS server, and the Version (note that FireWall-1 3.x only supports RADIUS v1.0).
Create the necessary users in the firewall, using authentication type RADIUS. If you have lots of users and would prefer not to have to enter them into the Firewall configuration, create a user with the name generic* and configure it for RADIUS authentication. This will cause all “unknown” users to be passed to the RADIUS server for validation.
You can now create normal authentication rules (e.g. User Auth, Client Auth, Session Auth). However, in some cases, you may also need to add a rule permitting communication between your firewall and your RADIUS server. This rule should be listed before your stealth rule. The rule would look like: