Re: Checkpoint Firewall Radius Authentication

Sanjay_S · ‎2019-03-15

We were using local authentication to login to firewall till date. Now i have configured the Radius server for authentication. I am now able to authenticate but getting the below error for any of the commands i type in.

> cphaprob stat
/tmp/.CPprofile.sh: line 1: /opt/CPshrd-R80/scripts/cpprofile_functions.sh: Permission denied

Checked the tmp permission is already 1777 when checked with admin account.

Please let me know how to get this resolved. All radius users should have access as admin account which is currently a local account.

Let me know if you need any more details on this.

Jerry · ‎2019-03-15

in order to you CLI with RADIUS users you don't do RADIUS in SmartDash making the OPSEC RADIUS Auth. scheme.
for local gateway (I presume HA Cluster) and clish/bash users RADIUS need to be configured in a slightly different matter, have you search this Community with a query "RADIUS CLISH"? Try 🙂 There is one post called "Expert mode"

Jerry

_Val_ · ‎2019-03-15

It seems you are calling cphaprob stat form clish and not bash. try defining bash as a default shell, it will help to get to the root of the issue

Jerry · ‎2019-03-15

Val,

cphaprob stat works also from CLISH!

Jerry

Jerry · ‎2019-03-15

[Expert@FW:0]# clish
FW> cphaprob stat

Cluster Mode: High Availability (Active Up) with IGMP Membership

Number Unique Address Assigned Load State

1 (local) 1.1.1.1 100% Active
2 1.1.1.2 0% Standby

Local member is in current state since Thu Jan 31 11:57:41 2019

Jerry

Martin_Valenta · ‎2019-03-15

Which vendor you use for Radius authentication?

In our case we use Gemalto and it required to create local users on gateway in order to provide really admin level access.

Sanjay_S · ‎2019-03-15

Hi Martin,
It is a free Radius we are using. So if we create local users then the radius authentication is of no use right?

Martin_Valenta · ‎2019-03-15

For FreeRadius you should follow this SK

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Sanjay_S · ‎2019-03-15

But Martin,
I am able to authenticate with Radius now. Actual problem is few of the commands are not working for example cphaprob stat.

Martin_Valenta · ‎2019-03-15

One thing is to get authenticated and other thing is to be authorized to run certain commands, that's why it's AAA( authenticate,authorize,accounting)

Sanjay_S · ‎2019-03-15

Sure Martin.
Will try that and get back to you guys if any issues.

Jerry · ‎2019-03-15

not really Sanjay, it is all down to the configuration, please follow provided sk (from Martin) as it is explaining what it means "sequence of auth" in more or less sort of "AAA model" for Checkpoint 🙂

Jerry

Sanjay_S · ‎2019-03-15

Sure Jerry.
Will try that and get back to you guys if any issues.

Are you a member of CheckMates?

Checkpoint Firewall Radius Authentication