John_Ejaife
Participant

How can I limit local authentication when using RADIUS?


Hello,

We have our secure gateways integrated with ISE and Active Directory via RADIUS. We have it so that either local users on the Check Point gateways or Active Directory users can authenticate to the firewall. We'd like to limit this, so that when RADIUS is working, only the Active Directory users can authenticate to the firewall, and when RADIUS fails, the local user can authenticate. What is the best way to do this? I vaguely recall PAM may have to be reconfigured on the Secure Gateways, if memory serves me correctly.


Accepted Solutions
John_Ejaife
Participant

Ah - I found it. The answer is in sk105320.

  1. Log in to Expert mode.
  2. Edit the file /etc/pam.d/system-auth:
     [Expert@hostname:0]#vi  /etc/pam.d/system-auth
  3. Replace the following line:

     auth [success=done new_authtok_reqd=done auth_err=ignore perm_denied=ignore conv_err=die default=ignore] pam_radius_auth.so

     with:

     auth [success=done new_authtok_reqd=done auth_err=die perm_denied=die conv_err=die default=ignore] pam_radius_auth.so

     Note that 'auth_err' and 'perm_denied' are both changed to 'die'.
  4. Save the file and exit.


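To see why changing 'auth_err' and 'perm_denied' from 'ignore' to 'die' gives the behaviour the question asks for, here is a small Python model of how Linux-PAM evaluates a bracketed auth stack, added here as an example; it is not code from sk105320, Check Point or Linux-PAM. It assumes a 'sufficient' local-password line (pam_unix.so) follows the RADIUS line in system-auth and that pam_radius_auth.so returns authinfo_unavail when no RADIUS server answers; neither detail is on the page.

```python
"""Toy model of Linux-PAM control-flag evaluation: shows why turning auth_err
and perm_denied from 'ignore' into 'die' blocks local logins while RADIUS answers,
yet keeps the local fallback when RADIUS is unreachable. Added example only."""

# Module return codes, lower-cased versions of the Linux-PAM names.
SUCCESS, AUTH_ERR, PERM_DENIED, AUTHINFO_UNAVAIL = (
    "success", "auth_err", "perm_denied", "authinfo_unavail")

# The pam_radius_auth.so control fields from sk105320, before and after the change.
ORIGINAL = "[success=done new_authtok_reqd=done auth_err=ignore perm_denied=ignore conv_err=die default=ignore]"
FIXED = "[success=done new_authtok_reqd=done auth_err=die perm_denied=die conv_err=die default=ignore]"
# Bracket form of the classic 'sufficient' keyword, used for the local-password line.
SUFFICIENT = "[success=done new_authtok_reqd=done default=ignore]"

def parse_control(spec):
    """'[success=done auth_err=die default=ignore]' -> {'success': 'done', ...}"""
    return dict(item.split("=", 1) for item in spec.strip("[]").split())

def run_auth_stack(stack, outcomes):
    """Walk an auth stack like Linux-PAM's dispatcher (simplified: no jumps/reset).
    stack: [(control_spec, module)]; outcomes: module -> return code it gives.
    Returns (stack result, list of modules actually consulted)."""
    result, failed, consulted = None, False, []
    for control, module in stack:
        actions, rc = parse_control(control), outcomes[module]
        consulted.append(module)
        action = actions.get(rc, actions["default"])
        if action == "ignore":
            continue                       # this module's verdict does not count
        if action in ("ok", "done") and not failed:
            result = rc                    # success only counts if nothing failed before
        elif action in ("bad", "die") and not failed:
            result, failed = rc, True      # the first failure decides the stack's result
        if action in ("done", "die"):
            break                          # terminate the stack right here
    return (result if result is not None else PERM_DENIED), consulted

def authenticate(radius_control, radius_rc, local_rc):
    """Two-line system-auth: pam_radius_auth.so, then local passwords (pam_unix.so).
    ASSUMPTION: only the RADIUS line is on the page; the 'sufficient' local line and
    AUTHINFO_UNAVAIL for an unreachable RADIUS server are assumed here."""
    stack = [(radius_control, "pam_radius_auth.so"), (SUFFICIENT, "pam_unix.so")]
    return run_auth_stack(stack, {"pam_radius_auth.so": radius_rc, "pam_unix.so": local_rc})

if __name__ == "__main__":
    # RADIUS is up and rejects the password: ORIGINAL quietly tries the local account next
    print(authenticate(ORIGINAL, AUTH_ERR, SUCCESS))       # ('success', both modules)
    print(authenticate(FIXED, AUTH_ERR, SUCCESS))          # ('auth_err', RADIUS only)
    # No RADIUS server reachable: default=ignore still lets the local account in
    print(authenticate(FIXED, AUTHINFO_UNAVAIL, SUCCESS))  # ('success', both modules)
```

The same model also shows why the fix is not a lockout: a RADIUS outage maps to default=ignore in both versions, so the stack still reaches the local account.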
2 Replies
emreturkmenler
Contributor

Hi,

It works on the gateway, but it didn't work on the management server when I did the same. Is there any other workaround, or is it not possible?

Thank you
