topic Re: Checkpoint Firewall Radius Authentication in General Topics

Checkpoint Firewall Radius Authentication

Sanjay_S — Fri, 15 Mar 2019 08:48:39 GMT

We were using local authentication to login to firewall till date. Now i have configured the Radius server for authentication. I am now able to authenticate but getting the below error for any of the commands i type in.

> cphaprob stat
/tmp/.CPprofile.sh: line 1: /opt/CPshrd-R80/scripts/cpprofile_functions.sh: Permission denied

Checked the tmp permission is already 1777 when checked with admin account.

Please let me know how to get this resolved. All radius users should have access as admin account which is currently a local account.

Let me know if you need any more details on this.

Re: Checkpoint Firewall Radius Authentication

Jerry — Fri, 15 Mar 2019 08:53:51 GMT

in order to you CLI with RADIUS users you don't do RADIUS in SmartDash making the OPSEC RADIUS Auth. scheme.
for local gateway (I presume HA Cluster) and clish/bash users RADIUS need to be configured in a slightly different matter, have you search this Community with a query "RADIUS CLISH"? Try 🙂 There is one post called "Expert mode"

Re: Checkpoint Firewall Radius Authentication

_Val_ — Fri, 15 Mar 2019 10:16:25 GMT

It seems you are calling cphaprob stat form clish and not bash. try defining bash as a default shell, it will help to get to the root of the issue

Re: Checkpoint Firewall Radius Authentication

Jerry — Fri, 15 Mar 2019 10:40:35 GMT

Val,

cphaprob stat works also from CLISH!

Re: Checkpoint Firewall Radius Authentication

Jerry — Fri, 15 Mar 2019 10:41:57 GMT

[Expert@FW:0]# clish
FW> cphaprob stat

Cluster Mode: High Availability (Active Up) with IGMP Membership

Number Unique Address Assigned Load State

1 (local) 1.1.1.1 100% Active
2 1.1.1.2 0% Standby

Local member is in current state since Thu Jan 31 11:57:41 2019

Re: Checkpoint Firewall Radius Authentication

Martin_Valenta — Fri, 15 Mar 2019 10:48:12 GMT

Which vendor you use for Radius authentication?

In our case we use Gemalto and it required to create local users on gateway in order to provide really admin level access.

Re: Checkpoint Firewall Radius Authentication

Sanjay_S — Fri, 15 Mar 2019 11:44:15 GMT

Hi Martin,
It is a free Radius we are using. So if we create local users then the radius authentication is of no use right?

Re: Checkpoint Firewall Radius Authentication

Martin_Valenta — Fri, 15 Mar 2019 11:45:21 GMT

For FreeRadius you should follow this SK

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk72940&partition=General&product=Security

Re: Checkpoint Firewall Radius Authentication

Jerry — Fri, 15 Mar 2019 11:47:09 GMT

not really Sanjay, it is all down to the configuration, please follow provided sk (from Martin) as it is explaining what it means "sequence of auth" in more or less sort of "AAA model" for Checkpoint 🙂

Re: Checkpoint Firewall Radius Authentication

Sanjay_S — Fri, 15 Mar 2019 11:54:12 GMT

But Martin,
I am able to authenticate with Radius now. Actual problem is few of the commands are not working for example cphaprob stat.

Re: Checkpoint Firewall Radius Authentication

Martin_Valenta — Fri, 15 Mar 2019 12:09:31 GMT

One thing is to get authenticated and other thing is to be authorized to run certain commands, that's why it's AAA( authenticate,authorize,accounting)

Re: Checkpoint Firewall Radius Authentication

Sanjay_S — Fri, 15 Mar 2019 12:27:22 GMT

Sure Jerry.
Will try that and get back to you guys if any issues.

Re: Checkpoint Firewall Radius Authentication

Sanjay_S — Fri, 15 Mar 2019 12:27:34 GMT

Sure Martin.
Will try that and get back to you guys if any issues.