The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, Health, and More!

FireWall-1 FAQ: Integration with Radius

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

FireWall-1 3.0 integrates with any Radius 1.x compliant server using simple password authentication. FireWall-1 4.0 will work with any 1.x or 2.x server. I have personally verified that it functions with FireWall-1 3.0b and Livingston’s Radius Server v1.16.1 running on Red Hat Linux 5.1.

There are a few steps:

Add Firewall to RADIUS Server’s clients File

The clients file (in /etc/raddb on Unix stations) contains entries that are of the format

    radius-client     shared-secret

The ‘radius-client’ in this case is your firewall. Note that this should reflect the hostname your firewall resolves as on your RADIUS server. You may need to do some debugging to get the right hostname here.

The ‘shared-secret’ is a password that both the RADIUS client (your firewall) and the RADIUS server will use for encryption when communicating with each other. In FireWall-1 3.x, I’ve heard that shared secrets beginning with a number or the letter ‘f’ have problems. I’m not sure if FireWall-1 4.x has these problems.

Add Users in RADIUS Server’s users File

You may not need to do this if you already have existing Radius users in your database file (typically in /etc/raddb on Unix). If you are setting up “new” users, your user entries would look something like this:

    phoneboy    Password = "abc123", Expiration = "Dec 31 1999"
                User-Service-Type = Login-User

Note that there are other entries one can put in the users file (options for PPP, etc) are not used by FireWall-1. The only ones that FireWall-1 cares about are the ones listed above. Note if you install a Radius server on a Unix or NT machine and you want to use the existing users configured in the OS for authentication, make sure you have an entry in the users file that looks like this:

    DEFAULT   Auth-Type = System, User-Service-Type = Login-User

Create RADIUS Service (Optional)

In FireWall-1 4.x, you can use Radius on a non-standard port. You will need to create the Radius service as appropriate. The default port for radius is UDP 1645.

Create RADIUS Server Object

You will need to create a workstation object for your RADIUS server in your Security Policy Editor. Nothing special here. You will then create a ‘Server’ object of type Radius. Specify the host (the workstation object you created previously), the service Radius will run on (this is only available in FireWall-1 4.x), the shared secret you specified on the RADIUS server, and the Version (note that FireWall-1 3.x only supports RADIUS v1.0).

Create RADIUS Users on the Firewall

Create the necessary users in the firewall, using authentication type RADIUS. If you have lots of users and would prefer not to have to enter them into the Firewall configuration, create a user with the name generic* and configure it for RADIUS authentication. This will cause all “unknown” users to be passed to the RADIUS server for validation.

Create Rules for Authentication

You can now create normal authentication rules (e.g. User Auth, Client Auth, Session Auth). However, in some cases, you may also need to add a rule permitting communication between your firewall and your RADIUS server. This rule should be listed before your stealth rule. The rule would look like:

Source Destination Service Action Install-On
Firewall RADIUS-Server radius Accept Src

#Cybersecurity Evangelist, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.