Administrator Properties - General
What can I do here?
Configure and manage administrators, authentication methods and permissions.
Getting Here - SmartConsole > Manage & Settings > Permissions and Administrators > Administrators > New or double-click an account > General tab
Or:
SmartConsole for Multi-Domain Server > Multi Domain > Permissions and Administrators > Administrators > New or double-click an account > General tab
Configuring Administrator Properties
- Enter a unique name for the administrator. The user name is required and case sensitive.
- Select an authentication method:
  - Undefined: the administrator is not authenticated by password. Access is always denied, or authentication is based on a certificate (as defined in the Admin Certificates tab).
  - SecurID: the administrator is challenged to enter the number displayed on the Security Dynamics SecurID card. There are no scheme-specific parameters for the SecurID authentication scheme. The Security Gateway (for users) or the Security Management Server (for administrators) acts as an ACE/Agent 5.0.
  - Check Point Password: the administrator is challenged to enter the internal Check Point password defined here. Enter and confirm the password in the specified fields.
  - OS Password: the administrator is challenged to enter their operating system password for the Security Management Server.
  - RADIUS: the administrator is challenged for the response, as defined by the RADIUS server. Select a RADIUS server from the list.
  - TACACS: the password is forwarded to the TACACS server, which determines whether access is allowed. Select a TACACS server from the list.
  Note - For RADIUS and TACACS authentication: if you generate a user certificate with a non-Check Point Certificate Authority, enter the Common Name (CN) component of the Distinguished Name (DN) as the user name. For example, if the DN is [CN = James, O = My Organization, C = My Country], enter James as the user name. If you use Common Names as user names, each must be exactly one string with no spaces.
- Assign a permissions profile - When you configure an administrator, you must assign a permissions profile. A permissions profile is a predefined set of permissions that you assign to individual administrators. Complex, granular permissions for many administrators can be configured in one profile.
To create a new permissions profile, click .
- Set an expiration date - Assign an expiration date for each administrator or configure the account never to expire. After account expiration, the administrator cannot log in to SmartConsole (or SmartConsole clients such as SmartEvent).
Note: Account expiration has no effect on the OS administrator account. System administrators on the OS are different from administrators defined in SmartConsole for the Security Management Server.
Configuring Check Point Password Authentication for Administrators
These instructions show how to configure Check Point Password authentication for administrators.
Check Point password is a static password that is configured in SmartConsole. For administrators, the password is stored in the local database on the Security Management Server. For users, it is stored on the local database on the Security Gateway. No additional software is required.
To configure a Check Point password for a SmartConsole administrator:
- Go to Manage & Settings > Permissions and Administrators > Administrators.
- Click New. The administrator properties window opens.
- Give the administrator a name.
- For the authentication method, select Check Point Password.
- Set the password: type it and confirm it.
- Assign a permissions profile.
- Save the administrator and publish the changes.
Configuring OS Password Authentication for Administrators
These instructions show how to configure OS Password Authentication for administrators.
OS Password is stored on the operating system of the computer on which the Security Gateway (for users) or Security Management Server (for administrators) is installed. You can also use passwords that are stored in a Windows domain. No additional software is required.
To configure an OS password for a SmartConsole administrator:
- Go to Manage & Settings > Permissions and Administrators > Administrators.
- Click New. The administrator properties window opens.
- Give the administrator a name.
- For the authentication method, select OS Password.
- Assign a permissions profile.
- Save the administrator and publish the changes.
Configuring a RADIUS Server for Administrators
These instructions show how to configure a RADIUS server for SmartConsole administrators. To learn how to configure a RADIUS server, refer to the vendor documentation.
Remote Authentication Dial-In User Service (RADIUS) is an external authentication method that separates the authentication function from the access server, which adds security and scalability.
Using RADIUS, the Security Gateway forwards authentication requests from remote users to the RADIUS server. For administrators, the Security Management Server forwards the requests. The RADIUS server, which stores the user account information, performs the authentication.
RADIUS uses UDP between the gateway or the Security Management Server and the RADIUS server. The shared secret configured on both sides never crosses the wire: it keys the MD5-based hiding of the user password and the Response Authenticator that the client uses to validate the server's reply. Because that construction is weak by modern standards, use a long random shared secret and keep the path between the Security Management Server and the RADIUS server on a trusted network.
RADIUS servers and RADIUS server group objects are defined in SmartConsole.
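The following is an added example, not Check Point code, showing what the shared secret and the UDP exchange described above actually do at the packet level (RFC 2865): the client hides User-Password with an MD5 keystream derived from the secret and a per-request Request Authenticator, and the server proves it knows the same secret through the Response Authenticator on its Access-Accept or Access-Reject. The secret, user name and password values are constructed for illustration.

```python
"""RADIUS Access-Request / response building blocks per RFC 2865 (added example).

Illustrative only; this is not Check Point's RADIUS client. It shows what the
shared secret configured on the RADIUS server object is used for: it never
crosses the wire; it keys the MD5 construction that hides User-Password and
the Response Authenticator that lets the client check the server's answer.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does). Trailing NUL padding is
    stripped, so a password that itself ends in NUL bytes does not round-trip."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header bytes and is at most 255."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse the attribute area, rejecting truncated or overlapping TLVs."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Client side. Returns (packet, request_authenticator). The authenticator must
    be unpredictable for every request; it is injectable here only for testing."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    if len(auth) != 16:
        raise ValueError("authenticator must be 16 bytes")
    attrs = encode_attr(ATTR_USER_NAME, username.encode()) + \
        encode_attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident & 0xFF, 20 + len(attrs))
    return header + auth + attrs, auth


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident & 0xFF, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """Client side. Returns the response Code if the Response Authenticator is
    valid for our request and secret, else None. Skipping this check would let
    any spoofed UDP datagram pass as an Access-Accept."""
    if len(packet) < 20 or len(packet) > 4096:
        return None
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if length != len(packet):
        return None
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return code if hmac.compare_digest(expected, resp_auth) else None
```

Everything an attacker on the path needs to recover the password offline is the captured Access-Request and a guess at the shared secret, which is why the secret length and the trust placed in the network between the Security Management Server and the RADIUS server matter as much as the user's password.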
To configure a RADIUS Server for a SmartConsole administrator:
- In SmartConsole, create a new RADIUS server object and configure its properties:
  - Give the server a name. It can be any name.
  - Create a host object for the RADIUS server.
  - Make sure that this host is selected as the host of the RADIUS server object.
  - Type the shared secret that you defined previously on the RADIUS server.
  - Save the RADIUS server object.
- Add a new administrator:
  - Go to Manage & Settings > Permissions and Administrators > Administrators.
  - Click New. The administrator properties window opens.
  - Give the administrator the name that is defined on the RADIUS server.
  - Assign a permissions profile.
  - For the authentication method, select RADIUS.
  - Select the RADIUS server defined earlier.
  - Save the administrator and publish the changes.
Configuring a SecurID Server for Administrators
These instructions show how to configure a SecurID server for SmartConsole administrators. To learn how to configure a SecurID server, refer to the vendor documentation.
SecurID requires users to both possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA ACE/server and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices, while software tokens reside on the PC or device from which the user wants to authenticate. All tokens generate a random, one-time use access code that changes approximately every minute. When a user attempts to authenticate to a protected resource, the one-time use code must be validated by the ACE/server.
Using SecurID, the Security Gateway forwards authentication requests from remote users to the ACE/server. For administrators, it is the Security Management Server that forwards the requests. ACE manages the database of RSA users and their assigned hard or soft tokens. The gateway or the Security Management Server acts as an ACE/Agent 5.0 and directs all access requests to the RSA ACE/server for authentication. For additional information on agent configuration, refer to the ACE/server documentation.
There are no specific parameters required for the SecurID authentication method.
To configure the Security Management Server for SecurID:
- Connect to the Security Management Server.
- Copy the sdconf.rec file to the /var/ace/ folder. If the folder does not exist, create it.
- Give the sdconf.rec file full permissions. Run: chmod 777 sdconf.rec
Mode 777 makes sdconf.rec world-readable and world-writable. The file tells the ACE/Agent which ACE/server to trust, so anyone with a shell on the Security Management Server could redirect administrator authentication by replacing it. Keep shell access to the Security Management Server tightly restricted and monitor the file for changes.
To configure a SecurID Server for a SmartConsole administrator:
- In SmartConsole, create a new SecurID server object and configure its properties:
  - Give the server a name. It can be any name.
  - Browse to and select the sdconf.rec file. This must be a copy of the file that is on the Security Management Server.
  - Save the SecurID server object.
- Add a new administrator:
  - Go to Manage & Settings > Permissions and Administrators > Administrators.
  - Click New. The administrator properties window opens.
  - Give the administrator a name.
  - Assign a permissions profile.
  - For the authentication method, select SecurID.
  - Save the administrator.
- From the SmartConsole menu, publish the changes.
Configuring a TACACS Server for Administrators
These instructions show how to configure a TACACS server for SmartConsole administrators. To learn how to configure a TACACS server, refer to the vendor documentation.
To configure a TACACS Server for a SmartConsole administrator:
- In SmartConsole, create a new TACACS server object and configure its properties:
  - Give the server a name. It can be any name.
  - Create a host object for the TACACS server.
  - Make sure that this host is selected as the host of the TACACS server object.
  - Type the secret key that you defined previously on the TACACS server.
  - Save the TACACS server object.
- Add a new administrator:
  - Go to Manage & Settings > Permissions and Administrators > Administrators.
  - Click New. The administrator properties window opens.
  - Give the administrator the name that is defined on the TACACS server.
  - Assign a permissions profile.
  - For the authentication method, select TACACS.
  - Select the TACACS server defined earlier.
  - Save the administrator and publish the changes.
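The Check Point Password, OS Password, RADIUS, SecurID and TACACS procedures above all end in the same administrator object, and the same object can be created from the Check Point Management API instead of the SmartConsole dialogs. The example below is added here and is not from the Check Point documentation or product. The endpoint names (/web_api/login, add-administrator, publish, logout), the X-chkp-sid session header and the add-administrator field names reflect the public R80.x Management API as understood by the editor; treat them as assumptions and confirm them against the API reference for your release. The host, CA bundle path, user names, profile names and server object names are placeholders.

```python
"""Create SmartConsole administrators through the Check Point Management API.

Added example; not Check Point code or a supported tool. Endpoint names,
the X-chkp-sid header and the add-administrator field names are assumptions
drawn from the public R80.x Management API; verify against your release.
"""
import json
import ssl
import urllib.request
from typing import Any, Dict, Optional

# Values of the General tab's authentication method, as the API spells them (assumption).
AUTH_METHODS = {"undefined", "check point password", "os password",
                "securid", "radius", "tacacs"}


def administrator_payload(name: str, method: str, permissions_profile: str,
                          password: Optional[str] = None,
                          server: Optional[str] = None,
                          expiration_date: Optional[str] = None) -> Dict[str, Any]:
    """Body for add-administrator, mirroring the General tab: name, authentication
    method, password (Check Point Password only), RADIUS or TACACS server object,
    permissions profile, expiration. The name is case sensitive on the server,
    so "JDoe" and "jdoe" would be two accounts. Leaving expiration_date unset
    means the account never expires (assumption about the API default)."""
    if not name or name != name.strip():
        raise ValueError("administrator name must be non-empty without surrounding whitespace")
    if method not in AUTH_METHODS:
        raise ValueError(f"unknown authentication method: {method!r}")
    body: Dict[str, Any] = {"name": name, "authentication-method": method,
                            "permissions-profile": permissions_profile}
    if method == "check point password":
        if not password:
            raise ValueError("check point password requires a password")
        body["password"] = password
        body["must-change-password"] = True   # force a rotation at first login (field name assumed)
    elif password:
        raise ValueError("password only applies to check point password")
    if method == "radius":
        if not server:
            raise ValueError("radius requires the RADIUS server object name")
        body["radius-server"] = server
    elif method == "tacacs":
        if not server:
            raise ValueError("tacacs requires the TACACS server object name")
        body["tacacs-server"] = server
    elif server:
        raise ValueError("server only applies to radius or tacacs")
    if expiration_date:
        body["expiration-date"] = expiration_date   # ISO date, e.g. "2026-12-31" (format assumed)
    return body


class MgmtSession:
    """Minimal session wrapper over urllib. TLS verification stays on; pass the
    CA bundle that issued the management server's certificate."""

    def __init__(self, host: str, ca_bundle: str, port: int = 443) -> None:
        self.base = f"https://{host}:{port}/web_api/"
        self.ctx = ssl.create_default_context(cafile=ca_bundle)
        self.sid: Optional[str] = None

    def call(self, command: str, body: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(self.base + command, method="POST",
                                     data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"})
        if self.sid:
            req.add_header("X-chkp-sid", self.sid)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def login(self, user: str, password: str) -> None:
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def add_administrator(self, payload: Dict[str, Any]) -> Dict[str, Any]:
        result = self.call("add-administrator", payload)
        self.call("publish", {})   # as in SmartConsole, the change is not live until published
        return result

    def logout(self) -> None:
        self.call("logout", {})
        self.sid = None


if __name__ == "__main__":
    # Placeholders: replace host, CA bundle and credentials with your own.
    session = MgmtSession("mgmt.example.internal", "/path/to/mgmt-ca.pem")
    session.login("apiadmin", "apiadmin-password")
    try:
        print(session.add_administrator(administrator_payload(
            "jdoe", "radius", "Read Only All",
            server="corp-radius", expiration_date="2026-12-31")))
    finally:
        session.logout()
```

The payload builder refuses combinations the General tab also does not allow (a password on a RADIUS account, a server object on an OS Password account), so mistakes fail locally before a session is opened. Scripting the expiration date this way is also the easiest place to enforce that every externally authenticated administrator gets one.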