This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Keld_Norman
Contributor
‎2018-11-15 03:07 AM

Check Point Radius Access to SmartConsole with no local user

Hi CheckMates,

I am looking in to Radius authentication of an AD user to allow login to SmartDashboard

Is it possible to give an AD user access to SmartDashboard using Radius without having to add it first in the -> manage & settings -> Permissions & administrators -> administrators ?

My wish is to have a group in Active Directory that I can add an AD user to and then he/she can login to the SmartDashboard.

If that is not possible and i HAVE TO use a local user - then I want to associate one checkpoint local user - it could be a user called radius_admin - to all users that try to login to the smart dashboard. If the user is approved in AD/Radius then the login is allowed - can this be done ? 

users

Best regards

Keld Norman

0 Kudos
5 Replies
Nüüül
Advisor
‎2018-11-15 09:30 AM

Hi,

Two years ago I tried similar thing on 77.20 and ended up with creating the users and authorize them with the built in groups. Password came from RADIUS

regarding this:

Security Management R80.20 Administration Guide 

it did not change. neither for TACACS or SecureID

Keld_Norman
Contributor
‎2018-11-16 12:11 AM
In response to Nüüül

Thanks Daniel Meier Smiley Happy 

Was it for administrators to access the SmartDashboard you made that setup ? or for VPN or other services for users ?

By the way, a note about radius for SSH and WebGui access:

    I found that the setup in the webgui only supports PAP by default (also known as rfc1334) where credentials are transmitted from the Radius Client in plain text or rather .. it  XORs the password with an MD5 hash based on the shared secret and transmit that to the radius server.

(So I did not configure that to avoid creating a security risk and failing compliance checks.)

0 Kudos
Nüüül
Advisor
‎2018-11-16 08:58 AM
In response to Keld_Norman

Hi,

I did it for authenticating Administrators. Ended up with SafeNet Token Authentication Smiley Happy

For VPN I either ended up with LDAP only, or using a Cisco ASA, as it is more flexible

Cheers

Daniel

0 Kudos
Darren_Fine
Collaborator
‎2020-05-19 01:27 AM
In response to Nüüül

Hi guys,

 

Was researching using radius for Smartconsole logins and the security risk thereof.

Like you guys mentioned the PAP protocol seems to allow for the md5 hash to be cracked somewhat easily which would reveal the password so its a good idea to use a dynamic one time password.

So if that is the case - is it better to only auth with the one time password  ?

(I was originally going to use a <userstore password>+<1 time token> combination .. but if this can be viewed then surely its safer to just use the <1 time token> cause it wont be valid anymore) 

I hope the above makes sense 🙂

 

Regards

 

PS ..<the above Smartconsole issue doesnt seem to be a problem with vpns since the 1st factor is via the user store and the second auth via radius  can be just the 1 time token password - and this wont matter if it is decrypted since it wont be valid again>

 

0 Kudos
Alon_Alapi
Employee
Employee
‎2020-05-19 07:41 AM

Hi,

I have a customer RFE that will probably meet you requirements,

Please contact me offline (alonal@checkpoint.com) and we will take it from there.

 

Thanks,

Alon

0 Kudos
Labels