Checkpoint architecture & design

The document outlines the setup and management of centralized authentication using Active Directory and RADIUS in an IT environment, focusing on pfSense as a RADIUS client. It details the tools involved, including Active Directory, Network Policy Server, and pfSense, along with step-by-step instructions for registering the RADIUS client, configuring network policies, and establishing role-based permissions. The process aims to ensure secure and efficient authentication for administrative users managing the pfSense firewall.
Checkpoint Architecture & Design

Report: Managing Centralized Authentication Using Active Directory and RADIUS

1. Purpose of the Video

The video demonstrates the setup and management of centralized authentication in an IT
environment. The primary goal is to use Active Directory (AD) on DC1 as the central authentication
server while also functioning as a RADIUS server. In this setup:

• The pfSense security appliance, hosted on UTM1, acts as a RADIUS client.

• RADIUS is configured to authenticate administrative users managing the pfSense firewall
rather than remote access VPN or wireless users.
This centralized approach ensures secure, efficient, and role-based authentication across the
network.

2. Tools Used

The video highlights the following tools and components:

1. Active Directory (AD): A directory service used for managing user accounts and
authentication.

2. Network Policy Server (NPS): A feature in Windows Server that implements the RADIUS role.

3. pfSense: An open-source firewall and router appliance used as a RADIUS client.

4. MS-CHAPv2: A widely used authentication protocol for secure transmission of credentials.

3. Steps for Managing Centralized Authentication

A. Register RADIUS Client

1. On the DC1 VM, open the Network Policy Server from the Server Manager tools menu.

2. Navigate to RADIUS Clients and Servers > RADIUS Clients, then add a new RADIUS client.

3. Configure the following settings:

o Friendly Name: pfsense.corp.515support.com

o Address: 10.1.0.254

o Shared Secret: Generate and copy the secret.

4. Save the configuration.

B. Configure Network Policy

1. Expand Policies > Network Policies and create a new policy named:
pfSense Network Security Appliance Administration.

2. Add the condition: Windows Groups, then link the localadmin group from AD.

3. Set Access Permission to "Access granted."

4. Configure authentication methods (ensure MS-CHAPv2 is selected).

5. Add the Class RADIUS attribute and assign the value T LocalAdmin. This attribute
communicates group membership to pfSense.

6. Save the policy.

C. Configure pfSense as a RADIUS Client

1. Open http://10.1.0.254 in the browser on DC1 to access the pfSense web interface.

2. Navigate to System > User Manager > Authentication Servers, then add a new server:

o Descriptive Name: 515support AD

o Type: RADIUS

o Hostname or IP Address: 10.1.0.1

o Shared Secret: Paste the previously generated secret.

3. Save the configuration.

D. Configure Role-Based Permissions

1. In the pfSense interface, go to the Groups tab and add a new group:

o Group Name: LocalAdmin

2. Edit the group to assign privileges:

o Select WebCfg-Dashboard (all) down to WebCfg-Status: UPnP Status.

o Exclude unnecessary permissions like WebCfg-pfSense wizard subsystem.

3. Save the group configuration.

4. Under Settings, select the authentication server 515support AD and save.

E. Verify Configuration

1. Log out of pfSense and attempt to log in using a user from the LocalAdmin security group.

2. Confirm successful authentication and proper role-based permissions.
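As an added example (not code from the video, NPS or pfSense), the following Python models what steps B.5 and C rely on at the protocol level: NPS answers with an Access-Accept carrying the Class attribute, and the RADIUS client must verify the reply's Response Authenticator with the shared secret before it trusts that Class value as a group membership. The secret, request authenticator and packet are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RFC 2865 packet code
ATTR_CLASS = 25     # RFC 2865 Class attribute, set by the NPS policy to carry group membership

def build_access_accept(ident, request_auth, secret, attributes):
    """Build an Access-Accept as the RADIUS server (NPS here) sends it; attributes are (type, bytes) pairs."""
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def reply_is_authentic(packet, request_auth, secret):
    """Check the client (pfSense) must make before trusting a reply: recompute the
    Response Authenticator with the shared secret and compare in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def extract_class_values(packet):
    """Return Class attribute strings from an Access-Accept (empty for any other code)."""
    if packet[0] != ACCESS_ACCEPT:
        return []
    attrs, pos, classes = packet[20:], 0, []
    while pos + 2 <= len(attrs):
        t, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed attribute")
        if t == ATTR_CLASS:
            classes.append(attrs[pos + 2:pos + length].decode("ascii", "replace"))
        pos += length
    return classes

def groups_for_reply(packet, request_auth, secret, known_groups):
    """Map Class values onto pfSense group names; an unauthentic reply yields no groups."""
    if not reply_is_authentic(packet, request_auth, secret):
        return []
    return [c for c in extract_class_values(packet) if c in known_groups]

# Constructed sample values standing in for the secret generated in NPS and the
# random authenticator pfSense would put in its Access-Request.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET, [(ATTR_CLASS, b"LocalAdmin")])
```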
