Hi CheckMates,
I am looking into RADIUS authentication of an AD user to allow login to SmartDashboard.
Is it possible to give an AD user access to SmartDashboard using RADIUS without having to add it first in Manage & Settings -> Permissions & Administrators -> Administrators?
My wish is to have a group in Active Directory that I can add an AD user to, and then he/she can log in to SmartDashboard.
If that is not possible and I HAVE TO use a local user, then I want to associate one Check Point local user - it could be a user called radius_admin - with all users that try to log in to SmartDashboard. If the user is approved in AD/RADIUS then the login is allowed - can this be done?
Best regards
Keld Norman
Hi,
Two years ago I tried a similar thing on 77.20 and ended up creating the users and authorizing them with the built-in groups. The password came from RADIUS.
Regarding this:
Security Management R80.20 Administration Guide
It did not change, neither for TACACS nor SecurID.
Thanks, Daniel Meier.
Was it for administrators to access SmartDashboard that you made that setup? Or for VPN or other services for users?
By the way, a note about RADIUS for SSH and WebGui access:
I found that the setup in the WebGui only supports PAP by default (also known as RFC 1334), where credentials are transmitted from the RADIUS client in plain text, or rather, it XORs the password with an MD5 hash based on the shared secret and transmits that to the RADIUS server.
(So I did not configure that, to avoid creating a security risk and failing compliance checks.)
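The User-Password hiding that the post above describes for PAP, written out per RFC 2865 section 5.2 as an added example; it is not part of the original thread and is not Check Point code. The shared secret, password and token values are constructed samples. It shows that a static password, a password+token string and a bare token are all hidden the same way, and that anyone holding the shared secret recovers the cleartext.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest size; RFC 2865 hides the password in 16-byte blocks


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(data), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = data[i:i + BLOCK]
        result = bytes(a ^ b for a, b in zip(chunk, keystream))
        out += result
        # Each block is chained on the previous *hidden* block.
        prev = result if hiding else chunk
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: build the User-Password attribute value."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)  # NUL-pad to 16n
    return _xor_chain(padded, secret, authenticator, hiding=True)


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same secret and authenticator undo the hiding."""
    if not hidden or len(hidden) % BLOCK or len(hidden) > 128:
        raise ValueError("hidden value must be 16..128 bytes, multiple of 16")
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample value
    authenticator = os.urandom(BLOCK)        # fresh random value per Access-Request
    # Constructed credentials: static password, password+token, token only.
    for credential in (b"Passw0rd-from-AD", b"Passw0rd-from-AD492817", b"492817"):
        hidden = hide_password(credential, secret, authenticator)
        print(len(hidden), hidden.hex(), recover_password(hidden, secret, authenticator))
```

Because the only protection is the shared secret, a long random secret per RADIUS client and an encrypted transport between the gateway and the RADIUS server are the controls that matter for this path.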
Hi,
I did it for authenticating administrators. Ended up with SafeNet Token Authentication.
For VPN I either ended up with LDAP only, or using a Cisco ASA, as it is more flexible.
Cheers
Daniel
Hi guys,
Was researching using RADIUS for SmartConsole logins and the security risk thereof.
Like you guys mentioned, the PAP protocol seems to allow for the MD5 hash to be cracked somewhat easily, which would reveal the password, so it's a good idea to use a dynamic one time password.
So if that is the case - is it better to only auth with the one time password?
(I was originally going to use a <userstore password>+<1 time token> combination, but if this can be viewed then surely it's safer to just use the <1 time token> because it won't be valid anymore.)
I hope the above makes sense 🙂
Regards
PS: The above SmartConsole issue doesn't seem to be a problem with VPNs, since the 1st factor is via the user store and the second auth via RADIUS can be just the 1 time token password - and this won't matter if it is decrypted since it won't be valid again.
Hi,
I have a customer RFE that will probably meet your requirements.
Please contact me offline (alonal@checkpoint.com) and we will take it from there.
Thanks,
Alon