Configuring Authentication Methods for Administrators

These instructions show how to configure authentication methods for administrators. For users, see Configuring Authentication Methods for Users.

For background information about the authentication methods, see Authentication Methods for Users and Administrators.

Configuring Check Point Password Authentication for Administrators

These instructions show how to configure Check Point Password authentication for administrators.

Check Point password is a static password that is configured in SmartConsole. For administrators, the password is stored in the local database on the Security Management Server. For users, it is stored in the local database on the Security Gateway. No additional software is required.

Configuring OS Password Authentication for Administrators

These instructions show how to configure OS Password Authentication for administrators.

OS Password is stored on the operating system of the computer on which the Security Gateway (for users) or Security Management Server (for administrators) is installed. You can also use passwords that are stored in a Windows domain. No additional software is required.

Configuring a RADIUS Server for Administrators

These instructions show how to configure a RADIUS server for SmartConsole administrators. To learn how to configure a RADIUS server, refer to the vendor documentation.

Remote Authentication Dial-In User Service (RADIUS) is an external authentication method that provides security and scalability by separating the authentication function from the access server.

Using RADIUS, the Security Gateway forwards authentication requests from remote users to the RADIUS server. For administrators, the Security Management Server forwards the authentication requests. The RADIUS server, which stores user account information, does the authentication.

The RADIUS protocol uses UDP to communicate with the Security Gateway or the Security Management Server.

RADIUS servers and RADIUS server group objects are defined in SmartConsole.

To configure a RADIUS Server for a SmartConsole administrator

Configuring a SecurID Server for Administrators

These instructions show how to configure a SecurID server for SmartConsole administrators. To learn how to configure a SecurID server, refer to the vendor documentation.

SecurID requires users both to possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA Authentication Manager (AM) and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices, while software tokens reside on the PC or device from which the user wants to authenticate. All tokens generate a random, one-time-use access code that changes approximately every minute. When a user attempts to authenticate to a protected resource, the one-time-use code must be validated by the AM.

Using SecurID, the Security Gateway forwards authentication requests from remote users to the AM. For administrators, it is the Security Management Server that forwards the requests. The AM manages the database of RSA users and their assigned hard or soft tokens. The Security Gateway or the Security Management Server acts as an AM agent and directs all access requests to the RSA AM for authentication. For additional information on agent configuration, refer to the RSA Authentication Manager documentation.

There are no specific parameters required for the SecurID authentication method. Authentication requests can be sent through an SDK-supported API or through the REST API.

To configure the Security Management Server for SecurID (this procedure is only relevant if you are using an SDK-supported API)

  1. Connect to the Security Management Server.

  2. Copy the sdconf.rec file to the /var/ace/ directory.

    If the /var/ace/ directory does not exist, create it with this command:

    mkdir -v /var/ace/

  3. Assign all permissions to the sdconf.rec file:

    chmod -v 777 /var/ace/sdconf.rec
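
The staging steps above as one function, added here as an example (not Check Point's own tooling). The function name stage_sdconf and its optional destination-directory argument are assumptions for illustration; the mode stays 777 as the procedure specifies, and the printed listing and checksum let you confirm that the copy selected in SmartConsole matches the file on the Security Management Server.

```shell
#!/bin/sh
# Added example: stage sdconf.rec as in steps 2 and 3 above, then verify it.
# stage_sdconf SRC [DEST_DIR]
#   SRC      - sdconf.rec exported from RSA Authentication Manager
#   DEST_DIR - hypothetical override for testing; defaults to /var/ace
stage_sdconf() {
    src=$1
    dest_dir=${2:-/var/ace}
    dest="$dest_dir/sdconf.rec"

    # Refuse a missing or empty source instead of staging a broken config.
    if [ ! -f "$src" ] || [ ! -s "$src" ]; then
        echo "stage_sdconf: '$src' is missing or empty" >&2
        return 1
    fi

    # Step 2: create the directory if it does not exist, then copy the file.
    mkdir -p "$dest_dir" || return 1
    cp "$src" "$dest" || return 1

    # Step 3: all permissions, exactly as the procedure specifies (mode 777,
    # which leaves the file writable by every local account).
    chmod 777 "$dest" || return 1

    # Confirm the staged copy is byte-identical to the source.
    if ! cmp -s "$src" "$dest"; then
        echo "stage_sdconf: '$dest' differs from '$src'" >&2
        return 1
    fi

    # Show the resulting mode and a checksum; compare the checksum with the
    # copy of sdconf.rec that is selected in SmartConsole.
    ls -l "$dest"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$dest"
    else
        cksum "$dest"
    fi
}

# Usage on the Security Management Server (path to the exported file is yours):
#   stage_sdconf /path/to/sdconf.rec
```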

To configure a SecurID Server for a SmartConsole administrator

  1. In SmartConsole, click Objects > More Object Types > Server > More > New SecurID.

  2. Configure the SecurID Properties:

    1. Give the server a Name. It can be any name.

    2. This step is relevant for SDK-supported API only: Click Browse and select the sdconf.rec file. This must be a copy of the file that is on the Security Management Server.

    3. Click OK.

  3. Add a new administrator:

    1. Go to Manage & Settings > Permissions & Administrators > Administrators.

    2. Click New.

      The New Administrator window opens.

    3. Give the administrator a name.

    4. Assign a Permission Profile.

    5. In Authentication method, select SecurID.

  4. In the SmartConsole Menu, click Install Database.

Configuring a TACACS Server for Administrators

These instructions show how to configure a TACACS server for SmartConsole administrators. To learn how to configure a TACACS server, refer to the vendor documentation.

To configure a TACACS Server for a SmartConsole administrator

  1. In SmartConsole, click Objects > More Object Types > Server > More > New TACACS.

  2. Configure the TACACS Server Properties:

    1. Give the server a Name. It can be any name.

    2. Click New and create a New Host with the IP address of the TACACS server.

    3. Click OK.

    4. Make sure that this host shows in the Host field of the TACACS Server Properties window.

    5. In the Shared Secret field, type the secret key that you defined previously on the TACACS server.

    6. Click OK.

    7. Publish the SmartConsole session.

  3. Add a new administrator:

    1. Go to Manage & Settings > Permissions & Administrators > Administrators.

    2. Click New.

      The New Administrator window opens.

    3. Give the administrator the name that is defined on the TACACS server.

    4. Assign a Permission Profile.

    5. In Authentication method, select TACACS.

    6. Select the TACACS Server defined earlier.

    7. Click OK.

  4. Publish the SmartConsole session.

Configuring API Key Authentication for Administrators

You can use SmartConsole to configure an API key for administrators to use the management API.

Note - This administrator account can be used only to execute API commands through the management API; it cannot be used for SmartConsole authentication.