
Configuring RADIUS Servers for Non-Local Gaia Users

Non-local users can be defined on a RADIUS server and not in Gaia. When a non-local user logs in to Gaia, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.

Note - If you define a RADIUS user with a null password (on the RADIUS server), Gaia cannot authenticate that user.

To configure a RADIUS server for non-local Gaia users:

In addition, see sk72940.

Step 1 - Copy the applicable dictionary file to your RADIUS server.


Examples:


Steel-Belted RADIUS server:

  1. Copy this file from Gaia to the RADIUS server:

    /etc/radius-dictionaries/checkpoint.dct

  2. Add these lines to the vendor.ini file on the RADIUS server (keep in alphabetical order with the other vendor products in this file):

    vendor-product = Check Point Gaia
    dictionary = nokiaipso
    ignore-ports = no
    port-number-usage = per-port-type
    help-id = 2000

  3. Add this line to the dictiona.dcm file:

    "@checkpoint.dct"


FreeRADIUS server:

  1. Copy this file from Gaia to the /etc/freeradius/ directory on the RADIUS server:

    /etc/radius-dictionaries/dictionary.checkpoint

  2. Add this line to the /etc/freeradius/dictionary file:

    "$INCLUDE dictionary.checkpoint"


OpenRADIUS server:

  1. Copy this file from Gaia to the /etc/openradius/subdicts/ directory on the RADIUS server:

    /etc/radius-dictionaries/dict.checkpoint

  2. Add this line to the /etc/openradius/dictionaries file, immediately after the dict.ascend line:

    $include subdicts/dict.checkpoint

Step 2 - Define the user roles on Gaia.

Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

CP-Gaia-User-Role = "role1,role2,..."

For example:

CP-Gaia-User-Role = "adminrole, backuprole, securityrole"

Step 3 - Define the Check Point users that must have superuser access to the Gaia shell. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

  • If this user should not receive superuser permissions:

    CP-Gaia-SuperUser-Access = 0

  • If this user can receive superuser permissions:

    CP-Gaia-SuperUser-Access = 1
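As an added example (not code from the Check Point documentation), the script below audits a FreeRADIUS-style users file that carries the two Check Point attributes from steps 2 and 3: it reports each user's Gaia roles, whether CP-Gaia-SuperUser-Access grants superuser access, and whether the entry has the null password that the note at the top says Gaia cannot authenticate. The attribute names are the page's; the usernames, passwords and file contents are constructed sample data, and treating a missing CP-Gaia-SuperUser-Access as 0 is an assumption of this example.

```python
import re

# Constructed FreeRADIUS-style "users" file (sample data, not from the page).
# Entry layout: "<name> <check items>" then indented, comma-separated reply items.
SAMPLE_USERS = """\
jdoe    Cleartext-Password := "example-only"
        CP-Gaia-User-Role = "adminrole, backuprole",
        CP-Gaia-SuperUser-Access = 1

backup  Cleartext-Password := "example-only-2"
        CP-Gaia-User-Role = "backuprole",
        CP-Gaia-SuperUser-Access = 0

ghost   Cleartext-Password := ""
        CP-Gaia-User-Role = "securityrole"
"""

# attribute name, operator (":=" listed before "=" so the longer one wins), quoted or bare value
ATTR_RE = re.compile(r'([\w-]+)\s*(:=|==|\+=|=)\s*("[^"]*"|[^,\s]+)')


def parse_users_file(text):
    """Return a list of {name, check, reply} dicts, one per users-file entry."""
    users, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":                 # unindented: new entry, username + check items
            parts = raw.split(None, 1)
            current = {"name": parts[0], "check": {}, "reply": {}}
            users.append(current)
            target, rest = current["check"], (parts[1] if len(parts) > 1 else "")
        elif current is None:
            continue                            # reply items before any entry: ignore
        else:
            target, rest = current["reply"], raw  # indented: reply items of current entry
        for m in ATTR_RE.finditer(rest):
            target[m.group(1)] = m.group(3).strip('"')
    return users


def audit(users):
    """Summarise each user's Gaia roles and superuser flag and list review items."""
    report = {}
    for u in users:
        issues = []
        if u["check"].get("Cleartext-Password") == "":
            issues.append("null-password")      # Gaia cannot authenticate such a user
        raw_roles = u["reply"].get("CP-Gaia-User-Role", "")
        roles = [r.strip() for r in raw_roles.split(",") if r.strip()]
        if not roles:
            issues.append("no-role")            # no CP-Gaia-User-Role reply item present
        su = u["reply"].get("CP-Gaia-SuperUser-Access", "0")  # absent treated as 0 (assumption)
        if su not in ("0", "1"):
            issues.append("bad-superuser-value")  # the attribute only takes 0 or 1
        elif su == "1":
            issues.append("superuser-granted")  # user may become root with sudo /usr/bin/su -
        report[u["name"]] = {"roles": roles, "superuser": su == "1", "issues": issues}
    return report
```

Run `audit(parse_users_file(open("users").read()))` against a real file to list every user the RADIUS server would hand superuser access to.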

To log in as a superuser:

A user with superuser permissions can use the Gaia shell to do system-level operations, including working with the file system. Superuser permissions are defined in the Check Point Vendor-Specific Attributes.

Users that have a UID of 0 have superuser permissions. They can run all the commands that the root user can run. Users that have a UID of 96 must run the sudo command to get superuser permissions. The UIDs of all non-local users are defined in the /etc/passwd file.

To get superuser permissions (for users that have a UID of 96):

Step 1 - Connect to the command line on Gaia.

Step 2 - Log in to Expert mode.

Step 3 - Run:

sudo /usr/bin/su -

The user now has superuser permissions.