This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Leader_Kiongi
Contributor
‎2022-09-02 01:17 AM
Jump to solution

Expert mode for Gaia Embedded for RADIUS users

Hello,

 

We’re now using RADIUS (Windows NPS) to authenticate administrators on our Check Point SMB devices using the commands below:

 

set radius-server priority 1 ipv4-address <Primary_RADIUS_Server_IP_Address> udp-port 1812 shared-secret <shared_key_1> timeout 3

set radius-server priority 2 ipv4-address <Secondary_RADIUS_Server_IP_Address>  udp-port 1812 shared-secret <shared_key_2> timeout 3

set administrators radius-auth enable use-radius-roles true

 

We’d like to login directly in Expert Mode when we login to the firewall. Do you have an idea how we can achieve this ?

 

FYI, I've tried what was discussed in this post: 

Solved: Activate bashUser via script on a Embedded Gaia de... - Check Point CheckMates

 

But this only works for local accounts, NOT for RADIUS users

 

Thanks !

 

Regards,

 

0 Kudos
1 Solution

Accepted Solutions
Leader_Kiongi
Contributor
‎2022-09-04 11:07 PM
In response to PhoneBoy
Jump to solution

Thank you for your feedback @PhoneBoy  I opened a TAC case in the meantime and here's the solution:

1. Perform a manual upgrade to the latest GA firmware for Centrally managed 1500 appliance - R80.20.50
2. Run in expert mode: sqlcmd "update adminRadius set enableDefaultShell ='true'"
3. In WebUI, go to Device->Advanced Settings->Filter for 'Administrators RADIUS authentication - Default Shell' and change the value to 'Bash'.:

 

I've tried it and it works.

View solution in original post

(2)
5 Replies
PhoneBoy
Admin
Admin
‎2022-09-02 05:35 PM
Jump to solution

The "bashUser" script tries to twiddle a database entry for the specified (or current) user to change the shell to bash.
That fails on RADIUS users since there's no db entry (/etc/passwd or otherwise).

Which means: if there is a supported method to allow this, it will be via a different method.
I suspect, however, this is an RFE.

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-09-03 06:20 AM
In response to PhoneBoy
Jump to solution

Of course, you can always create an authentication database entry for a given user. Just don't give the user a password, and authentication will fall through to RADIUS. This gives you full control over their UID, GID, home directory, login shell, everything on a per-user basis.

0 Kudos
Leader_Kiongi
Contributor
‎2022-09-04 11:08 PM
In response to Bob_Zimmerman
Jump to solution

Thank you @Bob_Zimmerman for your feedback   I opened a TAC case in the meantime and here's the solution:

1. Perform a manual upgrade to the latest GA firmware for Centrally managed 1500 appliance - R80.20.50
2. Run in expert mode: sqlcmd "update adminRadius set enableDefaultShell ='true'"
3. In WebUI, go to Device->Advanced Settings->Filter for 'Administrators RADIUS authentication - Default Shell' and change the value to 'Bash'.:

 

I've tried it and it works.

0 Kudos
Leader_Kiongi
Contributor
‎2022-09-04 11:07 PM
In response to PhoneBoy
Jump to solution

Thank you for your feedback @PhoneBoy  I opened a TAC case in the meantime and here's the solution:

1. Perform a manual upgrade to the latest GA firmware for Centrally managed 1500 appliance - R80.20.50
2. Run in expert mode: sqlcmd "update adminRadius set enableDefaultShell ='true'"
3. In WebUI, go to Device->Advanced Settings->Filter for 'Administrators RADIUS authentication - Default Shell' and change the value to 'Bash'.:

 

I've tried it and it works.

(2)
PhoneBoy
Admin
Admin
‎2022-09-06 07:04 AM
In response to Leader_Kiongi
Jump to solution

Also looks like this is in R81.10.00 also.
Nice find! 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events