Configuring RADIUS Servers for Non-Local Gaia Users

Non-local users can be defined on a RADIUS server and not in GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems..

When a non-local user logs in to Gaia, the RADIUS server authenticates the user and assigns the applicable permissions.

You must configure the RADIUS server to correctly authenticate and authorize non-local users.

Important - If you define a RADIUS user with a null password (on the RADIUS server), Gaia cannot authenticate that user.

In addition, see sk72940.

Step

Instructions

1

Copy the applicable dictionary file to your RADIUS server.

 

  1. Copy this file from the Gaia to the RADIUS server:

    /etc/radius-dictionaries/checkpoint.dct

  2. Add these lines to the vendor.ini file on the RADIUS server (keep in alphabetical order with the other vendor products in this file):

    vendor-product = Check Point Gaia
    dictionary = nokiaipso
    ignore-ports = no
    port-number-usage = per-port-type
    help-id = 2000

  3. Add this line to the dictiona.dcm file:

    "@checkpoint.dct"

 

  1. Copy this file from the Gaia to the RADIUS server to the /etc/freeradius/ directory:

    /etc/radius-dictionaries/dictionary.checkpoint

  2. Add this line to the /etc/freeradius/dictionary file:

    "$INCLUDE dictionary.checkpoint"

 

  1. Copy this file from the Gaia to the RADIUS server to the /etc/openradius/subdicts/ directory:

    /etc/radius-dictionaries/dict.checkpoint

  2. Add this line /etc/openradius/dictionaries file immediately after the dict.ascend:

    $include subdicts/dict.checkpoint

2

Define the user roles on Gaia.

Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

CP-Gaia-User-Role = "role1,role2,...

For example:

CP-Gaia-User-Role = "adminrole, backuprole, securityrole"

3

Define the Check Point users that must have superuser access to the Gaia shell.

Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

  • If this user should not receive superuser permissions:

    CP-Gaia-SuperUser-Access = 0

  • If this user can receive superuser permissions:

    CP-Gaia-SuperUser-Access = 1

A user with super user permissions can use the Gaia shell to do system-level operations, including working with the file system.

Super user permissions are defined in the Check Point Vendor-Specific Attributes.

Users that have a UID of 0 have super user permissions.

They can run all the commands that the root user can run.

Users that have a UID of 96 must run the sudo command to get super user permissions.

The UIDs of all non-local users are defined in the /etc/passwd file.

Important - On Scalable Platforms (Maestro and Chassis), you must run the applicable commands in the Expert mode on the applicable Security Group.

Step

Instructions

1

Connect to the command line on Gaia.

2

Log in to the Expert mode.

3

Run:

sudo /usr/bin/su -

The user now has superuser permissions.