Configure Internet Authentication Service with Checkpoint Firewall

March 24, 2009 by John Tran

This is a quick guide to setting up VPN access using Internet Authentication Service with a Checkpoint Firewall.

Install Internet Authentication Service

If you have not installed Internet Authentication Service (IAS), install it by going to Add or Remove Programs, clicking Add/Remove Windows Components – Networking Services – Details, selecting Internet Authentication Service and then clicking Next.

Once installed you will need to configure your Checkpoint Firewall and IAS.

Configure the Checkpoint Firewall

  1. Launch Checkpoint SmartDashboard.
  2. Go to Network Objects – select Nodes – right-click and select New Node, then select HOST – give it the name and IP address of your IAS Server and then click OK.
  3. Go to Services – click on UDP – right-click and select UDP – give it the name ‘RADIUS_IAS’ – add a comment – in the Port field type 1812 – click OK.
  4. Create a new firewall traffic rule:
       Source = Checkpoint Firewall
       Destination = IAS Server (the host that you created in step 2)
       Service = RADIUS_IAS (the service you created in step 3)
       Action = Accept
       Comment = Radius authentication for VPN access
  5. Go to Servers and OPSEC Application – Servers – RADIUS – right-click and select New RADIUS – Name = RADIUS_Srv – Host = your IAS Server (the host that you created in step 2) – Service = RADIUS_IAS (the service you created in step 3) – Shared Secret = enter a password and make sure you remember it, as you will need it later on – Version = RADIUS Ver. 1.0 Compatible – Protocol = PAP – Priority = 1.

Configure Internet Authentication Service

  1. Launch IAS.
  2. Right-click on RADIUS Clients and select New RADIUS Client, then type in the Friendly Name ‘Checkpoint’ and in the Address field type in the IP of your Checkpoint Firewall. Leave Client-Vendor as RADIUS Standard and in the Shared Secret field type in the shared secret that you chose earlier. Click Finish.
  3. Right-click on Remote Access Policies and select New Remote Access Policy, then click Next, type in the Policy Name ‘VPN Access’ and click Next.
  4. Select VPN and then click Next.
  5. Click Add and add the Active Directory group that you have created for VPN users.
  6. Leave Microsoft Encrypted Authentication version 2 (MS-CHAP v2) ticked and click Next.
  7. Only tick Strongest Encryption, then click Next.
  8. Click Finish.
  9. Now double-click on the policy that you just created, ‘VPN Access’, and click on Edit Profile.
  10. Click on the Authentication tab, untick Microsoft Encrypted Authentication version 2 (MS-CHAP v2), tick Unencrypted authentication (PAP, SPAP) and click OK.
  11. Right-click on Internet Authentication Service and select Register Server in Active Directory.
  12. Right-click on Internet Authentication Service and select Start Service.

Checkpoint VPN-1 not working with 3G/HSDPA/GPRS/EDGE Mobile Broadband

October 8, 2008 by John Tran

If you’re using Checkpoint VPN via a Mobile Broadband connection (3G, HSDPA, GPRS or EDGE) and you get a “gateway not responding” error message, you will need to uninstall the Checkpoint VPN software and reinstall the application whilst connected to the internet with your Mobile Broadband connection.

If this still doesn’t work, contact your provider and ask whether the VPN port is available on your current plan.