User's Manual Part 3
372 Check Point Safe@Office User Guide
Remote Access VPN Clients (a Check Point SecureClient, Check Point
SecuRemote, or another Embedded NGX appliance).
To set up remote VPN access for a user
1. Enable your VPN Server, using the procedure Setting Up Your Safe@Office
Appliance as a VPN Server on page 309.
2. Add or edit the user, using the procedure Adding and Editing Users on page
365.
You must select the VPN Remote Access option.
Using RADIUS Authentication
You can use Remote Authentication Dial-In User Service (RADIUS) to
authenticate both Safe@Office appliance users and Remote Access VPN Clients
trying to connect to the Safe@Office appliance.
Note: When RADIUS authentication is in use, Remote Access VPN Clients must
have a certificate.
When a user tries to log on to the Safe@Office Portal, the Safe@Office appliance
sends the entered user name and password to the RADIUS server. The server then
checks whether the RADIUS database contains a matching user name and
password pair. If so, then the user is logged on.
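The logon exchange described above, sketched as an added example that is not taken from the manual or from Check Point code: the client side hides the password as RFC 2865 specifies for the User-Password attribute, and the server side recovers it and checks it against its user database. The function names, the dictionary standing in for the RADIUS database, the shared secret and the credentials are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865 sec. 5.2): null-pad to 16-byte blocks, XOR each
    block with MD5(secret + previous ciphertext block or authenticator)."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the chain using the same shared secret."""
    if not 16 <= len(hidden) <= 128 or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def server_check(users: dict, username: str, hidden: bytes,
                 secret: bytes, authenticator: bytes) -> str:
    """Return the reply code the server would send for this request."""
    try:
        supplied = recover_password(hidden, secret, authenticator)
    except ValueError:
        return "Access-Reject"
    expected = users.get(username)
    ok = expected is not None and hmac.compare_digest(supplied, expected)
    return "Access-Accept" if ok else "Access-Reject"

if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"              # constructed sample value
    USERS = {"alice": b"constructed-sample-password"}  # stand-in for the RADIUS database
    ra = os.urandom(16)                                # Request Authenticator, fresh per request
    hidden = hide_password(b"constructed-sample-password", SECRET, ra)
    print(server_check(USERS, "alice", hidden, SECRET, ra))
```

Because the keystream depends only on the shared secret and the Request Authenticator, the strength of the shared secret configured on both the appliance and the RADIUS server determines how well the password is protected in transit.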
By default, all RADIUS-authenticated users are assigned the set of permissions
specified in the Safe@Office Portal's RADIUS page. However, you can configure
the RADIUS server to pass the Safe@Office appliance a specific set of permissions
to grant the authenticated user, instead of these default permissions. This is done by
configuring the RADIUS Vendor-Specific Attribute (VSA) with a set of attributes
containing permission information for specific users. If the VSA is configured for a
user, then the RADIUS server passes the VSA to the Embedded NGX gateway as
part of the response to the authentication request, and the gateway assigns the user
permissions as specified in the VSA. If the VSA is not returned by the RADIUS