To make Check Point Connectra NGX R61/R62 work with the DualShield RADIUS server, the configuration is largely the same as for NG R55 and NGX R60. The Connectra system must be configured to communicate via RADIUS with the DualShield RADIUS server, and RADIUS attribute 80 must be ignored.

To configure Connectra to communicate with the DualShield RADIUS server, navigate within the Connectra administration portal to “Users and Groups -> Authentication -> RADIUS” and define a new object. In the example below, the host avalanche at IP 10.133.2.165 is the DualShield RADIUS server.

Next, define a generic* user to use the newly configured RADIUS server entry.

Once this has been set up, you will need to force the Connectra system to ignore RADIUS attribute 80. To do this, log in to the Connectra command line (via console, SSH, etc.), enter ‘Expert’ mode and perform the following steps:

  1. Issue 'cpstop'
  2. Make a backup copy of $FWDIR/conf/objects_5_0.C, e.g.:
    cp $FWDIR/conf/objects_5_0.C /objects_backup.C
  3. Edit $FWDIR/conf/objects_5_0.C (using vi, etc.)
  4. Search for the following:
           :radius_groups_attr (25)
           :radius_retrant_num (2)
    Change it to:
           :radius_groups_attr (25)
           :radius_ignore (80)
           :radius_retrant_num (2)
           :radius_send_framed (disabled)
  5. Save the file and issue 'cpstart'

Be very careful about syntax, extraneous characters etc. when editing objects_5_0.C – if you are uncertain about how to edit this file please contact Check Point Technical services for assistance.
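
To reduce the risk of a hand-editing mistake, the change in step 4 can be applied to a copy of the file and checked before that copy replaces the live one. The following is an added example, not Check Point or DualShield code; the function names, the /tmp path and the sample fragment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: apply step 4 to a copy of objects_5_0.C and check the result.
# Function names and the sample fragment are illustrative assumptions.

# add_radius_ignore SRC DST: copy SRC to DST, inserting the two lines from
# step 4 around ":radius_retrant_num (2)". Prints how many places were patched.
add_radius_ignore() {
    : > "$2"
    awk -v out="$2" '
    prev_groups && /^[ \t]*:radius_retrant_num \(2\)[ \t]*$/ {
        indent = $0; sub(/:.*/, "", indent)      # reuse the file indentation
        print indent ":radius_ignore (80)" > out
        print $0 > out
        print indent ":radius_send_framed (disabled)" > out
        n++; prev_groups = 0; next
    }
    {
        prev_groups = ($0 ~ /^[ \t]*:radius_groups_attr \(25\)[ \t]*$/)
        print $0 > out
    }
    END { print n + 0 }' "$1"
}

# verify_patch SRC DST: succeed only if DST differs from SRC by added lines,
# and the added lines are exactly the two settings from step 4.
verify_patch() {
    d=$(diff "$1" "$2" || true)
    if printf '%s\n' "$d" | grep -q '^<'; then return 1; fi
    extra=$(printf '%s\n' "$d" | sed -n 's/^> [[:space:]]*//p' | sort -u)
    want=$(printf '%s\n%s' ':radius_ignore (80)' ':radius_send_framed (disabled)')
    [ "$extra" = "$want" ]
}

# make_sample FILE: write a constructed fragment (not a real objects_5_0.C).
make_sample() {
    printf '(\n\t:props (\n\t\t:radius_groups_attr (25)\n\t\t:radius_retrant_num (2)\n\t)\n)\n' > "$1"
}

# Usage in Expert mode after cpstop and the step 2 backup (/tmp path assumed):
#   add_radius_ignore "$FWDIR/conf/objects_5_0.C" /tmp/objects_new.C
#   verify_patch "$FWDIR/conf/objects_5_0.C" /tmp/objects_new.C \
#       && cp /tmp/objects_new.C "$FWDIR/conf/objects_5_0.C"
```

Running add_radius_ignore on a file that already contains the change reports 0 patched places and leaves the content unchanged, so verify_patch fails and nothing is copied.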
