H2-F1
Participant

Checkpoint & DUO 2FA for Clish/Bash/GAIA access

Hello checkmates.


I am looking at integrating my Checkpoint Smart-1 and Firewall Cluster with Duo for 2 Factor Authentication. While I have this fully setup and working for the remote access VPN, getting this configured for the Admin side of things appears less popular.


I know you can easily configure the device to perform RADIUS authentication; I have a few questions that have arisen from the configuration below:

HostName> add aaa radius-servers priority 1 host <RADIUS_HostName_or_IP_Address> port 1812 secret <RADIUS_key> timeout 3
HostName> set aaa radius-servers NAS-IP <IP_Address>
HostName> set aaa radius-servers default-shell /etc/cli.sh
HostName> set aaa radius-servers super-user-uid 0


1. Is it a must that you specify the default shell in the command line? Can this not be performed as part of the AAA by sending a Vendor Specific Attribute (VSA) that the AAA/NPS responds with along with the access permit?

2. Are you able to set the role of each user based on a VSA as well (Admin-role/Monitor-role etc.)?

3. With regard to the DUO integration, will the Checkpoint device be oblivious to the 2FA part (using push notification) and simply wait to receive the permit/deny response from the RADIUS server?


Thanks for any insight.

0 Kudos
3 Replies
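The questions above all come down to what a RADIUS client such as Gaia can and cannot learn from the server's reply. The script below is an added example, not code from the original post or from Check Point, and it is written from the device's point of view: it decodes an Access-Accept and pulls out the Check Point Vendor-Specific attributes that carry the user's role and superuser flag. The vendor ID 2620 and the sub-attribute numbers 229 (CP-Gaia-User-Role) and 230 (CP-Gaia-SuperUser-Access) are taken from the Gaia administration documentation rather than from this page, so verify them against the guide for your release. Note what is not in the reply: nothing here selects the shell, which in the commands shown in the post is a device-side setting (default-shell). The sample packets are constructed inline for the example. For the Duo question, the same model applies: the device sees only the final Access-Accept or Access-Reject from the proxy, so the RADIUS timeout configured on the device must be long enough to cover the time a user takes to approve a push; a 3-second timeout as in the post would normally expire first.

```python
import struct

# RFC 2865 constants
ATTR_VENDOR_SPECIFIC = 26
CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3

# Assumed values from the Gaia documentation (not from this thread); verify for your version.
CHECKPOINT_VENDOR_ID = 2620       # IANA enterprise number for Check Point
CP_GAIA_USER_ROLE = 229           # string, e.g. "adminRole" or "monitorRole"
CP_GAIA_SUPERUSER_ACCESS = 230    # 4-byte integer, 1 = superuser access allowed


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute (RFC 2865 section 5.26) with a single sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_packet(code: int, identifier: int, attrs: bytes, authenticator: bytes = b"\x00" * 16) -> bytes:
    """Assemble a RADIUS packet: code, identifier, length, 16-byte authenticator, attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting malformed lengths."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[i], payload[i + 1]
        if attr_len < 2 or i + attr_len > len(payload):
            raise ValueError("bad attribute length")
        yield attr_type, payload[i + 2:i + attr_len]
        i += attr_len


def parse_vsa(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, data), ...])."""
    if len(value) < 4:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, i = [], 4
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated vendor sub-attribute")
        vt, vl = value[i], value[i + 1]
        if vl < 2 or i + vl > len(value):
            raise ValueError("bad vendor sub-attribute length")
        subs.append((vt, value[i + 2:i + vl]))
        i += vl
    return vendor_id, subs


def gaia_authorization(packet: bytes) -> dict:
    """What a Gaia-style RADIUS client can derive from the server reply.

    Anything other than Access-Accept is a deny.  An Accept without the Check Point
    VSAs yields role None, i.e. the device has to fall back to its own defaults.
    """
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    result = {"accepted": code == CODE_ACCESS_ACCEPT, "role": None, "superuser": False}
    if not result["accepted"]:
        return result
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type != ATTR_VENDOR_SPECIFIC:
            continue
        vendor_id, subs = parse_vsa(value)
        if vendor_id != CHECKPOINT_VENDOR_ID:
            continue
        for vt, data in subs:
            if vt == CP_GAIA_USER_ROLE:
                result["role"] = data.decode("ascii", errors="replace")
            elif vt == CP_GAIA_SUPERUSER_ACCESS and len(data) == 4:
                result["superuser"] = struct.unpack("!I", data)[0] == 1
    return result


# Constructed sample replies (not captured traffic).
SAMPLE_ACCEPT = build_packet(
    CODE_ACCESS_ACCEPT, 7,
    build_vsa(CHECKPOINT_VENDOR_ID, CP_GAIA_USER_ROLE, b"adminRole")
    + build_vsa(CHECKPOINT_VENDOR_ID, CP_GAIA_SUPERUSER_ACCESS, struct.pack("!I", 1)),
)
SAMPLE_REJECT = build_packet(CODE_ACCESS_REJECT, 7, b"")
SAMPLE_ACCEPT_NO_VSA = build_packet(CODE_ACCESS_ACCEPT, 8, b"")

if __name__ == "__main__":
    for name, pkt in (("accept", SAMPLE_ACCEPT), ("reject", SAMPLE_REJECT), ("accept-no-vsa", SAMPLE_ACCEPT_NO_VSA)):
        print(name, gaia_authorization(pkt))
```

The third sample is the case worth checking on a real deployment: when NPS or the Duo proxy returns an Accept without the role attribute, the device grants whatever its local defaults say, so confirm that the role VSA is actually present in the reply (a packet capture on port 1812 shows it) before relying on it for least-privilege admin access.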
G_W_Albrecht
Legend

0 Kudos
H2-F1
Participant

Thanks for the links,

Is there a vendor specific attribute that will also align the user to the right shell (cli/bash)?

0 Kudos
G_W_Albrecht
Legend

See sk106626: Cannot change CLI level access from BASH to CLISH

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
