Hi, I am configuring a SecuRemote in a fw1 NG fp2 using a MS Radius (IAS) of Windows 2000 to authenticate the users. My problem is that between the checkpoint and the MS Radius only "pap" authentication is working. And this is bad because pap is cleartext. Does anybody know how to change the authentication from "pap" to "chap" between checkpoint and MS Radius?
I have followed these steps to configure the firewall:
- I am using Traditional Mode
- Create an object for MS_Radius;
- Create a "Server" "Radius" and choose the object "MS_Radius"
- Radius server is 2.0 compatible;
- define a shared key
- Create a user group called "Remote_Acces_VPN"
- Create a "generic*" and make it a member of "Remote_Acces_VPN"
- Select RADIUS authentication for this user;
- In the MS Radius, configure the checkpoint internal interface as a Radius client and use the same shared key
- Create a user in Windows with dial-in permission
If you are so concerned with security, I strongly suggest that you use TACACS+ instead. TACACS+ separates the authentication and authorization whereas RADIUS does not. Having said that, I did get SecuRemote to work with FreeRadius via mschap and Cisco Freeware TACACS+. I am running freeware radius and freeware TACACS+ on a Pentium 100 MHz/32 MB RAM with RedHat Linux version 7.1. Contact me offline if you are interested.
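As an added illustration for the PAP versus CHAP question in this thread (not code from either poster, Check Point or Microsoft): the RFC 2865 encodings of the User-Password and CHAP-Password attributes, showing what the RADIUS server needs in order to check each one. The secret, password and challenge values are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac

def hide_pap(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: User-Password as the RADIUS client puts it in Access-Request."""
    n = max(1, -(-len(password) // 16)) * 16          # pad to a multiple of 16
    padded = password.ljust(n, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, n, 16):
        mask = hashlib.md5(secret + prev).digest()    # MD5(secret + previous block)
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_pap(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same masks, derived from the shared secret, undo the XOR."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")                        # drop the null padding

def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP ident octet followed by MD5(ident + password + challenge)."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest

def verify_chap(attr: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server side: recompute the digest from its own copy of the password."""
    expected = chap_password(attr[0], stored_password, challenge)
    return hmac.compare_digest(attr, expected)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))                  # stands in for the random Request Authenticator
    password = b"constructed-password"
    hidden = hide_pap(password, secret, authenticator)
    print("PAP attribute :", hidden.hex())
    print("PAP recovered :", unhide_pap(hidden, secret, authenticator))
    attr = chap_password(1, password, authenticator)
    print("CHAP attribute:", attr.hex())
    print("CHAP verifies :", verify_chap(attr, password, authenticator))
```

With PAP the server recovers the password using the shared secret, so the strength of that secret is what protects the password in transit. With CHAP the password is not in the packet, but the server must hold it in a recoverable form to recompute the digest.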