This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
John_Ejaife
Participant
‎2020-01-15 08:50 AM
Jump to solution

How can I limit local authentication when using RADIUS?

Hello,

We have are secure gateways integrated with ISE and Active Directory via RADIUS. We have it so that either local users on the Check Point gateways or Active Directory users can authenticate to the firewall. We'd like to limit this, so that when RADIUS is working, only the Active Directory users can authenticate to the firewall, and when RADIUS fails, the local user can authenticate. What is the best way to do this? I vaguely recall PAM may have to be reconfigured on the Secure Gateways, if memory serves me correctly.

0 Kudos
1 Solution

Accepted Solutions
John_Ejaife
Participant
‎2020-01-15 10:55 AM
Jump to solution

Ah - I found it. The answer is in sk105320.

 

  1. Log-in to Expert mode.
  2. Edit the file /etc/pam.d/system-auth :
    [Expert@hostname:0]#vi  /etc/pam.d/system-auth
     
  3. replace the following line:

    auth [success=done new_authtok_reqd=done auth_err=ignore perm_denied=ignore conv_err=die default=ignore] pam_radius_auth.so

    with:

    auth [success=done new_authtok_reqd=done auth_err=die perm_denied=die conv_err=die default=ignore] pam_radius_auth.so

    Note that 'auth_err' and 'perm_denied' are both changed to 'die'.
  4. Save the file and exit.

View solution in original post

0 Kudos
2 Replies
John_Ejaife
Participant
‎2020-01-15 10:55 AM
Jump to solution

Ah - I found it. The answer is in sk105320.

 

  1. Log-in to Expert mode.
  2. Edit the file /etc/pam.d/system-auth :
    [Expert@hostname:0]#vi  /etc/pam.d/system-auth
     
  3. replace the following line:

    auth [success=done new_authtok_reqd=done auth_err=ignore perm_denied=ignore conv_err=die default=ignore] pam_radius_auth.so

    with:

    auth [success=done new_authtok_reqd=done auth_err=die perm_denied=die conv_err=die default=ignore] pam_radius_auth.so

    Note that 'auth_err' and 'perm_denied' are both changed to 'die'.
  4. Save the file and exit.
0 Kudos
emreturkmenler
Contributor
‎2020-05-25 11:54 AM
In response to John_Ejaife
Jump to solution

Hi,

It works on the gateway but It didn't work on the management server as I did the same, is there any other workaround or is it not possible?

 

Thank you

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events