
Checkpoint & DUO 2FA for Clish/Bash/GAIA access

Hello checkmates.


I am looking at integrating my Check Point Smart-1 and Firewall Cluster with Duo for 2 Factor Authentication. While I have this fully set up and working for the remote access VPN, getting this configured for the Admin side of things appears less popular.


I know you can easily configure the device to perform RADIUS authentication; I have a few questions that have arisen from the configuration below:

HostName> add aaa radius-servers priority 1 host <RADIUS_HostName_or_IP_Address> port 1812 secret <RADIUS_key> timeout 3
HostName> set aaa radius-servers NAS-IP <IP_Address>
HostName> set aaa radius-servers default-shell /etc/
HostName> set aaa radius-servers super-user-uid 0


1. Is it a must that you specify the default shell on the command line? Can this not be performed as part of the AAA by sending a Vendor Specific Attribute (VSA) that the AAA/NPS responds with along with the access permit?

2. Are you able to set the role of each user based on VSA as well? (Admin-role/Monitor-role etc)

3. With regard to the Duo integration, the Check Point device will be oblivious to the 2FA part (using push notification) and will wait to receive the permit/deny response from the RADIUS server?


Thanks for any insight.

3 Replies

Thanks for the links,

Is there a vendor specific attribute that will also align the user to the right shell (cli/bash)?
