This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
H2-F1
Participant
‎2021-09-09 05:52 AM

Checkpoint & DUO 2FA for Clish/Bash/GAIA access

Hello checkmates.

 

I am looking at integrating my Checkpoint Smart-1 and Firewall Cluster with Duo for 2 Factor Authentication. While I have this fully setup and working for the remote access VPN, getting this configured for the Admin side of things appears less popular.

 

I know you can easily configure the device to perform Radius authentication, I have a few questions that have risen from the below configuration

HostName> add aaa radius-servers priority 1 host <RADIUS_HostName_or_IP_Address> port 1812 secret <RADIUS_key> timeout 3
HostName> set aaa radius-servers NAS-IP <IP_Address>
HostName> set aaa radius-servers default-shell /etc/cli.sh
HostName> set aaa radius-servers super-user-uid 0

.

1. Is it a must that you specify the default shell in the command line, can this not be performed as part of the AAA by sending a Vendor Specific attribute (VSA) that the AAA/NPS responds with along with the access permit?

2. Are you able to set the role of each user based on VSA as well? (Admin-role/Monitor-role etc)

3. with regards to the DUO integration, the Checkpoint device will be oblivious to the 2FA part (using push notification) and will wait to receive the permit/deny response from the radius server?

 

Thanks for any insight.

0 Kudos
3 Replies
G_W_Albrecht
Legend Legend
Legend
‎2021-09-09 06:04 AM

sk72940: How to configure RADIUS server for authentication on Gaia OS

sk105575: How to configure RADIUS authentication between Gaia OS and Microsoft Windows Server 2008

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
H2-F1
Participant
‎2021-09-09 07:27 AM
In response to G_W_Albrecht

Thanks for the links,

Is there a vendor specific attribute that will also align the user to the right shell (cli/bash)?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-09-09 07:34 AM
In response to H2-F1

See sk106626: Cannot change CLI level access from BASH to CLISH

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events