Checkpoint & DUO 2FA for Clish/Bash/GAIA access
Hello checkmates.
I am looking at integrating my Checkpoint Smart-1 and Firewall Cluster with Duo for 2 Factor Authentication. While I have this fully set up and working for the remote access VPN, getting this configured for the Admin side of things appears less popular.
I know you can easily configure the device to perform Radius authentication; I have a few questions that have arisen from the configuration below:
HostName> add aaa radius-servers priority 1 host <RADIUS_HostName_or_IP_Address> port 1812 secret <RADIUS_key> timeout 3
HostName> set aaa radius-servers NAS-IP <IP_Address>
HostName> set aaa radius-servers default-shell /etc/cli.sh
HostName> set aaa radius-servers super-user-uid 0
1. Is it a must that you specify the default shell in the command line? Can this not be performed as part of the AAA by sending a Vendor Specific Attribute (VSA) that the AAA/NPS responds with along with the access permit?
2. Are you able to set the role of each user based on VSA as well? (Admin-role/Monitor-role etc.)
3. With regard to the DUO integration, the Checkpoint device will be oblivious to the 2FA part (using push notification) and will wait to receive the permit/deny response from the radius server?
Thanks for any insight.
sk72940: How to configure RADIUS server for authentication on Gaia OS
sk105575: How to configure RADIUS authentication between Gaia OS and Microsoft Windows Server 2008
Thanks for the links,
Is there a vendor specific attribute that will also align the user to the right shell (cli/bash)?
See sk106626: Cannot change CLI level access from BASH to CLISH