This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sanjay_S
Advisor
‎2019-03-15 01:48 AM

Checkpoint Firewall Radius Authentication

We were using local authentication to login to firewall till date. Now i have configured the Radius server for authentication. I am now able to authenticate but getting the below error for any of the commands i type in.

> cphaprob stat
/tmp/.CPprofile.sh: line 1: /opt/CPshrd-R80/scripts/cpprofile_functions.sh: Permission denied

Checked the tmp permission is already 1777 when checked with admin account.

Please let me know how to get this resolved. All radius users should have access as admin account which is currently a local account.

Let me know if you need any more details on this.

0 Kudos
12 Replies
Jerry
Mentor
Mentor
‎2019-03-15 01:53 AM

in order to you CLI with RADIUS users you don't do RADIUS in SmartDash making the OPSEC RADIUS Auth. scheme.
for local gateway (I presume HA Cluster) and clish/bash users RADIUS need to be configured in a slightly different matter, have you search this Community with a query "RADIUS CLISH"? Try 🙂 There is one post called "Expert mode"
Jerry
_Val_
Admin
Admin
‎2019-03-15 03:16 AM

It seems you are calling cphaprob stat form clish and not bash. try defining bash as a default shell, it will help to get to the root of the issue

Jerry
Mentor
Mentor
‎2019-03-15 03:40 AM
In response to _Val_

Val,

cphaprob stat works also from CLISH!
Jerry
0 Kudos
Jerry
Mentor
Mentor
‎2019-03-15 03:41 AM
In response to _Val_

[Expert@FW:0]# clish
FW> cphaprob stat

Cluster Mode: High Availability (Active Up) with IGMP Membership

Number Unique Address Assigned Load State

1 (local) 1.1.1.1 100% Active
2 1.1.1.2 0% Standby

Local member is in current state since Thu Jan 31 11:57:41 2019
Jerry
0 Kudos
Martin_Valenta
Advisor
‎2019-03-15 03:48 AM

Which vendor you use for Radius authentication? 

In our case we use Gemalto and it required to create local users on gateway in order to provide really admin level access.

0 Kudos
Sanjay_S
Advisor
‎2019-03-15 04:44 AM
In response to Martin_Valenta

Hi Martin,
It is a free Radius we are using. So if we create local users then the radius authentication is of no use right?
0 Kudos
Martin_Valenta
Advisor
‎2019-03-15 04:45 AM
In response to Sanjay_S

For FreeRadius you should follow this SK

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Sanjay_S
Advisor
‎2019-03-15 04:54 AM
In response to Martin_Valenta

But Martin,
I am able to authenticate with Radius now. Actual problem is few of the commands are not working for example cphaprob stat.
0 Kudos
Martin_Valenta
Advisor
‎2019-03-15 05:09 AM
In response to Sanjay_S

One thing is to get authenticated and other thing is to be authorized to run certain commands, that's why it's AAA( authenticate,authorize,accounting)

0 Kudos
Sanjay_S
Advisor
‎2019-03-15 05:27 AM
In response to Martin_Valenta

Sure Martin.
Will try that and get back to you guys if any issues.
0 Kudos
Jerry
Mentor
Mentor
‎2019-03-15 04:47 AM
In response to Sanjay_S

not really Sanjay, it is all down to the configuration, please follow provided sk (from Martin) as it is explaining what it means "sequence of auth" in more or less sort of "AAA model" for Checkpoint 🙂
Jerry
0 Kudos
Sanjay_S
Advisor
‎2019-03-15 05:27 AM
In response to Jerry

Sure Jerry.
Will try that and get back to you guys if any issues.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events