Expert mode for Gaia Embedded for RADIUS users
Hello,
We’re now using RADIUS (Windows NPS) to authenticate administrators on our Check Point SMB devices using the commands below:
set radius-server priority 1 ipv4-address <Primary_RADIUS_Server_IP_Address> udp-port 1812 shared-secret <shared_key_1> timeout 3
set radius-server priority 2 ipv4-address <Secondary_RADIUS_Server_IP_Address> udp-port 1812 shared-secret <shared_key_2> timeout 3
set administrators radius-auth enable use-radius-roles true
We’d like to log in directly to Expert Mode when we log in to the firewall. Do you have an idea how we can achieve this?
FYI, I've tried what was discussed in this post:
Solved: Activate bashUser via script on a Embedded Gaia de... - Check Point CheckMates
But this only works for local accounts, NOT for RADIUS users.
Thanks!
Regards,
Accepted Solutions
Thank you for your feedback, @PhoneBoy. I opened a TAC case in the meantime, and here's the solution:
1. Perform a manual upgrade to the latest GA firmware for Centrally managed 1500 appliance - R80.20.50
2. Run in expert mode: sqlcmd "update adminRadius set enableDefaultShell ='true'"
3. In WebUI, go to Device->Advanced Settings->Filter for 'Administrators RADIUS authentication - Default Shell' and change the value to 'Bash'.
I've tried it and it works.
The "bashUser" script tries to twiddle a database entry for the specified (or current) user to change the shell to bash.
That fails on RADIUS users since there's no db entry (/etc/passwd or otherwise).
Which means: if there is a supported method to allow this, it will be via a different method.
I suspect, however, this is an RFE.
Of course, you can always create an authentication database entry for a given user. Just don't give the user a password, and authentication will fall through to RADIUS. This gives you full control over their UID, GID, home directory, login shell, everything on a per-user basis.
Thank you, @Bob_Zimmerman, for your feedback. I opened a TAC case in the meantime, and here's the solution:
1. Perform a manual upgrade to the latest GA firmware for Centrally managed 1500 appliance - R80.20.50
2. Run in expert mode: sqlcmd "update adminRadius set enableDefaultShell ='true'"
3. In WebUI, go to Device->Advanced Settings->Filter for 'Administrators RADIUS authentication - Default Shell' and change the value to 'Bash'.
I've tried it and it works.
It also looks like this is in R81.10.00.
Nice find!