This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Evan_Fisher
Participant
‎2017-12-21 01:42 PM

Authentication server failback

If we decide to setup RADIUS or TACACS authentication, does it fail to the local database if the servers are unavailable? Are local accounts still usable when auth servers are configured?

Thanks!

Evan

0 Kudos
11 Replies
PhoneBoy
Admin
Admin
‎2017-12-21 04:06 PM

To clarify, are you talking about in Gaia or when authenticating with SmartConsole/SmartDashboard?

For Gaia, it depends on how you've configured AAA.

For SmartConsole, a user can only authenticate with the method configured for that user. 

0 Kudos
Evan_Fisher
Participant
‎2017-12-21 04:14 PM

For both Gaia and smartconsole


0 Kudos
PhoneBoy
Admin
Admin
‎2017-12-21 05:04 PM
In response to Evan_Fisher

Like I said, a given SmartConsole user can only be configured to use one authentication mechanism.

If that method is unavailable for some reason, that user can't log in.

Local users (with a local password) will always be available in that case.

When RADIUS or TACACS+ is configured, these have priority over local users.

If these servers aren't available, local authentication should be available.

What I'm not 100% sure about is whether or not local users are available even when RADIUS/TACACS+ servers are configured and working. 

0 Kudos
Norbert_Bohusch
Advisor
‎2017-12-22 04:35 AM
In response to PhoneBoy

I am not 100% sure my assumptions are correct, but this is what I have expirienced 🙂 So please correct me if wrong!

@SmartConsole R80.10 with multiple login options (clients supportet see sk111583):

user base can be configured in the login option (automatic might be same as for older versions, but have not testet yet)

@SmartConsole R77 or legacy clients with R80.10:

1. local users are always taken first -> they get authenticated according to the setting in the user propiertes for authentication

2. LDAP is searched as second stage -> authentication happens based on setting in account unit

3. external user profiles -> authentication and userbase are taken from the authentication configured in the external user profile

@Gaia:

Order is as follows:

- users with pw are authenticated locally

- users wihout pw (* as password-hash) are authenticated according to aaa but settings like shell are taken from local config

- non-existing users are also authenticated according to aaa

0 Kudos
Evan_Fisher
Participant
‎2017-12-22 11:27 AM

So I got TACACS+ auth working on Gaia (successful log entry on my auth server), but it still is not logging me in. Is there a particular dictionary, av pair, or role that I need to send back to successfully login after successful server auth?

0 Kudos
PhoneBoy
Admin
Admin
‎2017-12-22 11:45 AM
In response to Evan_Fisher

Are you following the steps in How to configure Gaia OS to work with a TACACS+ server ?

The roles you need to have defined are:

  • TACP-0 for Read-only Users
  • TACP-15 for Read-write Users
0 Kudos
Evan_Fisher
Participant
‎2017-12-22 12:11 PM

Yes I followed the guide.

I'm just curious what the shell attribute is called for me to send back the role. For example, when I login to a Cisco Nexus device, I send back the cisco-av-pair shell:roles="network-admin" with privilege level 15.


0 Kudos
PhoneBoy
Admin
Admin
‎2017-12-22 12:20 PM
In response to Evan_Fisher

I'm not familiar with the "shell attribute."

That said, perhaps this SK may help as it shows how to configure Cisco ACS 5 with screenshots: Best Practices - Configuring Cisco ACS 5 server for TACACS+ authentication with Gaia OS 

Also this one has an example configuration with the TACACS+ server you can get on Ubuntu in the SK I linked earlier.

0 Kudos
Sal_Previtera
Collaborator
‎2017-12-28 02:04 PM

I have it working with Cisco ISE (similar to ACS), we (me and the team) are able to get logged in CLI, Web GUI and SmartDashboards to all of our Checkpoint servers, we are still R77.30 (latest GA HFAs)...not R80.x for a while yet.

In Windows Active directory , we created a group called Firewalls-admins, Cisco ISE checks against that AD group upon successfully authentication then authorized if you belong to that AD group...permit access.

As per link supplied by Dameon above, you still need to define the users in GAIA webGUI and Firewall Smartdashboard.

Note, since I have not found anything similar as Shell=15 privilege in GAIA,

after SSH into the CP server... you still need to type expert and enter the Expert password...if you need the expert commands. If Radius servers are down, we still able to access via LOCAL admin as fallback. 

0 Kudos
Evan_Fisher
Participant
‎2017-12-28 02:58 PM

I got it working with our Aruba ClearPass server. I think the part I was missing was the creation of the tacacs roles on the gateway.


0 Kudos
Houssameddine_1
Collaborator
‎2018-02-14 02:29 PM
In response to Evan_Fisher

We are trying to implement authentication and authorization using clear pass for No local users. The problem that we are having that  we can't control the privileges.

Could you please share the config of clearpass to use the privileges?

Thanks

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events