https://community.checkpoint.com/t5/Firewall-and-Security-Management/NPS-Radius-Gaia-admin-authenication/m-p/107638#M14417 <P>I’m not clear what the intended goal is here in terms of permissions.<BR />Do you want the users to be “admin” level or just to be able to run certain commands?</P> Tue, 12 Jan 2021 17:27:50 GMT PhoneBoy 2021-01-12T17:27:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NPS-Radius-Gaia-admin-authenication/m-p/107620#M14413 <LI-SPOILER>&nbsp;</LI-SPOILER><P>Hi,</P><P>&nbsp;</P><P>I am authenticating Gaia web/ssh admins using Windows Server 2019 NPS Radius with MFA.</P><P>It works fine, it is possible to login and the MFA is working as well but i have issues with ssh users, it seems they do not get correct permissions.</P><P>The gaia config is as follows:</P><P>add rba role radius-group-RW domain-type System all-features</P><P>add aaa radius-servers priority 1 host ip_radius1 port 1812 secret ***** timeout 15<BR />add aaa radius-servers priority 2 host ip_radius2 port 1812 secret ***** timeout 15<BR />set aaa radius-servers NAS-IP PUBLIC_IP_OF_GW<BR />set aaa radius-servers default-shell /bin/bash<BR />set aaa radius-servers super-user-uid 96</P><P>Windows NPS Radius configured according to sk72940 (The NPS path, and also tried the Radius which had some different values.)</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="radius.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/10198i2CF1A0C0813D4502/image-size/large?v=v2&amp;px=999" role="button" title="radius.jpg" alt="radius.jpg" /></span></P><P>&nbsp;</P><P>Now to the problem, when admin logins with an AD (Radius) account it is not possible to run cphaprob for example.</P><P>[Expert@gw1:0]# cphaprob<BR />-bash: cphaprob: command not found<BR />[Expert@gw:0]# clish<BR />gw1&gt; cphaprob<BR />/tmp/.CPprofile.sh: line 1: /opt/CPshrd-R80.30/scripts/cpprofile_functions.sh: Permission denied</P><P>gw1&gt; [Expert@gw1:0]#<BR />[Expert@gw1:0]#<BR />[Expert@gw1:0]#<BR />[Expert@gw1:0]# id<BR />uid=96(_nonlocl) gid=100(users) groups=100(users)</P><P>Clish commands seem to run fine.</P><P>Gateway version is R80.30 Take 219</P><P>We have tried many things to overcome this issue, like changing group names etc.</P><P>Also changed the superuser id for radius to 0</P><P>set aaa radius-servers super-user-uid 0</P><P>But it makes no difference.</P><P>If i create an local user on the gw and make it member of same group as the radius users should have then it runs without issues.</P><P>For what i can understand, the radius user does not simply have permissions to run this command, since it is member of group 100 users.</P><P>-rwxr-x--- 1 admin bin 2982 Apr 30 2019 /opt/CPshrd-R80.30/scripts/cpprofile_functions.sh</P><P>The webgui seems to work as it should.</P><P>Would be grateful for any pointers or assistance here, this is a new setup so it has not worked before.</P><P>Thanks, Rickard</P> Tue, 12 Jan 2021 16:01:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NPS-Radius-Gaia-admin-authenication/m-p/107620#M14413 Durin 2021-01-12T16:01:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NPS-Radius-Gaia-admin-authenication/m-p/107638#M14417 <P>I’m not clear what the intended goal is here in terms of permissions.<BR />Do you want the users to be “admin” level or just to be able to run certain commands?</P> Tue, 12 Jan 2021 17:27:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NPS-Radius-Gaia-admin-authenication/m-p/107638#M14417 PhoneBoy 2021-01-12T17:27:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NPS-Radius-Gaia-admin-authenication/m-p/107645#M14419 <P>Hi,</P><P>Yes correct, the users should be able to run all commands. Same as admin user.</P><P>Best Regards,Rickard</P> Tue, 12 Jan 2021 19:00:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NPS-Radius-Gaia-admin-authenication/m-p/107645#M14419 Durin 2021-01-12T19:00:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NPS-Radius-Gaia-admin-authenication/m-p/107670#M14423 <P>This topic is discussed here:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk72940" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk72940</A></P> Wed, 13 Jan 2021 03:40:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NPS-Radius-Gaia-admin-authenication/m-p/107670#M14423 PhoneBoy 2021-01-13T03:40:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NPS-Radius-Gaia-admin-authenication/m-p/107695#M14429 <P>Found the solution here:</P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk105575" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk105575</A></P><P>Thanks for replying</P><P>Br, Rickard</P> Wed, 13 Jan 2021 09:48:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NPS-Radius-Gaia-admin-authenication/m-p/107695#M14429 Durin 2021-01-13T09:48:33Z