I am looking at integrating my Checkpoint Smart-1 and Firewall Cluster with Duo for 2 Factor Authentication. While I have this fully set up and working for the remote access VPN, getting this configured for the Admin side of things appears less popular.
I know you can easily configure the device to perform Radius authentication. I have a few questions that have arisen from the below configuration:
HostName> add aaa radius-servers priority 1 host <RADIUS_HostName_or_IP_Address> port 1812 secret <RADIUS_key> timeout 3
HostName> set aaa radius-servers NAS-IP <IP_Address>
HostName> set aaa radius-servers default-shell /etc/cli.sh
HostName> set aaa radius-servers super-user-uid 0
1. Is it a must that you specify the default shell in the command line? Can this not be performed as part of the AAA by sending a Vendor Specific Attribute (VSA) that the AAA/NPS responds with along with the access permit?
2. Are you able to set the role of each user based on a VSA as well? (Admin-role/Monitor-role etc.)
3. With regard to the DUO integration, will the Checkpoint device be oblivious to the 2FA part (using push notification) and simply wait to receive the permit/deny response from the radius server?
Thanks for any insight.
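Added example, not part of the original post and not Check Point's or Duo's code: a small Python model of the RADIUS side of questions 1-3. It encodes the Vendor-Specific attributes an Access-Accept would carry, verifies the Response Authenticator the way the Gaia box must before trusting a permit, and pulls the role and super-user flag back out. The vendor ID 2620 is Check Point's enterprise number; the sub-attribute numbers 229/230 are assumed from memory of Check Point's RADIUS dictionary and should be checked against the Gaia admin guide before use.

```python
import hashlib, hmac, struct

VENDOR_ID = 2620                # Check Point's IANA enterprise number (the 1.3.6.1.4.1.2620 OID arc)
CP_GAIA_USER_ROLE = 229         # sub-attribute numbers assumed from Check Point's RADIUS dictionary;
CP_GAIA_SUPERUSER_ACCESS = 230  # verify them against the Gaia admin guide before relying on them

def encode_vsa(vendor_type, value, vendor_id=VENDOR_ID):
    # One vendor sub-attribute inside an RFC 2865 Vendor-Specific attribute (type 26)
    if isinstance(value, int):
        value = struct.pack("!I", value)        # RADIUS integers are 4 bytes, network order
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body

def build_access_accept(identifier, request_auth, secret, attributes):
    # Code 2; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", 2, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(packet, request_auth, secret):
    # The check the NAS makes before honouring a permit: recompute and compare the authenticator
    header, got, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, expected)

def parse_vsas(packet, vendor_id=VENDOR_ID):
    # {sub-type: raw value} for every Vendor-Specific attribute carrying vendor_id;
    # a length below 2 is malformed, so both loops stop instead of spinning forever
    out, attrs, i = {}, packet[20:], 0
    while i + 2 <= len(attrs) and attrs[i + 1] >= 2:
        atype, alen = attrs[i], attrs[i + 1]
        val = attrs[i + 2:i + alen]
        if atype == 26 and len(val) >= 6 and struct.unpack("!I", val[:4])[0] == vendor_id:
            j = 4
            while j + 2 <= len(val) and val[j + 1] >= 2:
                out[val[j]] = val[j + 2:j + val[j + 1]]
                j += val[j + 1]
        i += alen
    return out

def gaia_role_from_accept(packet, request_auth, secret):
    # (role, superuser) only when the reply authenticates; None means drop the reply
    if not verify_response(packet, request_auth, secret):
        return None
    vsas = parse_vsas(packet)
    role = vsas.get(CP_GAIA_USER_ROLE, b"").decode()
    flag = vsas.get(CP_GAIA_SUPERUSER_ACCESS, b"\0\0\0\0")
    return role, struct.unpack("!I", flag)[0]
```

A reply whose authenticator fails (wrong shared secret, or a byte changed in transit) returns None and must be discarded rather than treated as a permit.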