Configuring RADIUS Servers

Configuring RADIUS Servers in Gaia Portal

Important - On Scalable Platforms (Maestro and Chassis), you must connect to the Gaia PortalClosed Web interface for the Check Point Gaia operating system. of the applicable Security Group.

Step

Instructions

1

In the navigation tree, click User Management > Authentication Servers.

2

In the RADIUS Servers section, click Add.

3

Enter the RADIUS Server parameters:

  • Priority

    The RADIUS server priority is an integer between -999 and 999 (default is 0).

    When there two or more configured RADIUS servers, GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. connects to the RADIUS server with the highest priority.

    Low numbers have the higher priority.

  • Host

    Host name or IP address (IPv4 or IPv6) of RADIUS server.

  • UDP Port

    UDP port used on RADIUS server.

    The default port is 1812 as specified by the RADIUS standard.

    The range of valid port numbers is from 1 to 65535.

    Port 1645 is non-standard, but is commonly used as alternative to port 1812.

    Warning - Firewall software frequently blocks traffic on port 1812. Make sure that you define a Firewall ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. to allow traffic on UDP port 1812 between the RADIUS server and Gaia.

  • Shared Secret

    Shared secret used for authentication between the RADIUS server and the Gaia client.

    Enter the shared secret text string up to 256 characters, without any whitespace characters and without a backslash.

    Make sure that the shared string defined on the Gaia matches the shared string defined on the RADIUS server.

    RFC 2865 recommends that the secret be at least 16 characters in length.

    Some RADIUS servers have a maximum string length for shared secret of 15 or 16 characters.

    See the documentation for your RADIUS server.

  • Timeout in

    Optional: Enter the timeout in seconds (from 1 to 5), during which Gaia waits for the RADIUS server to respond. The default value is 3.

    If there is no response after the configured timeout, Gaia tries to connect to a different configured RADIUS server.

    Set this timeout, so that the sum of all RADIUS server timeouts is less than 50.

4

Click OK.

5

Optional: Select the Network Access Server (NAS) IP address.

This setting applies to all configured RADIUS servers.

This parameter records the IP address, from which Gaia sends the RADIUS packet.

This IP address is stored in the RADIUS packet, even when the packet goes through NAT, or some other address translation that changes the source IP address of the packet.

The "NAS-IP-Address" is defined in RFC 2865.

If no NAS IP Address is chosen, the IPv4 address of the Gaia Management InterfaceClosed (1) Interface on a Gaia Security Gateway or Cluster member, through which Management Server connects to the Security Gateway or Cluster member. (2) Interface on Gaia computer, through which users connect to Gaia Portal or CLI. is used (click Network Management > Network Interfaces > see the Management Interface section).

6

Optional: Select RADIUS Users Default Shell (for details about the shells, see Users).

This setting applies to all configured RADIUS servers.

7

Optional: Select the Super User ID - 0 or 96.

This setting applies to all configured RADIUS servers.

If the UID is 0, there is no need to run the sudo command to get super user permissions (see Configuring RADIUS Servers for Non-Local Gaia Users).

8

Click Apply.

Step

Instructions

1

In the navigation tree, click User Management > Authentication Servers.

2

Select the RADIUS server.

3

Click Edit.

4

You can edit only the Host, UDP Port, Shared secret, and Timeout.

5

Click OK.

Step

Instructions

1

In the navigation tree, click User Management > Authentication Servers.

2

Select the RADIUS server.

3

Click Delete.

4

Click OK to confirm.

Configuring RADIUS Servers in Gaia Clish

Important - On Scalable Platforms (Maestro and Chassis), you must run the applicable commands in Gaia gClish of the applicable Security Group.

Description

Use the "aaa radius-servers" commands to add, configure, and delete RADIUS authentication servers.

Syntax

add aaa radius-servers priority <Priority> host <Hostname, or IP Address of RADIUS Server> [port <1-65535>]
      prompt-secret timeout <1-50>
      secret <Shared Secret> timeout <1-50>
 
set aaa radius-servers priority <Priority>
      host <Hostname, or IP Address of RADIUS Server>
      new-priority <New Priority>
      port <1-65535>
      prompt-secret
      secret <Shared Secret>
      timeout <1-50>
 
set aaa radius-servers
      NAS-IP<SPACE><TAB>
      default-shell<SPACE><TAB>
      super-user-uid <0 | 96>

show aaa radius-servers list 

show aaa radius-servers priority <Priority>
      host
      port
      timeout
 
show aaa radius-servers
      NAS-IP
      default-shell
      super-user-uid
 
delete aaa radius-servers
      priority <Priority>
 
delete aaa radius-servers
      NAS-IP

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Parameters

Parameter

Description

priority <Priority>

Configures the RADIUS server priority. Enter an integer between -999 and 999 (default is 0).

When there two or more configured RADIUS servers, Gaia connects to the RADIUS server with the highest priority.

Low numbers have the higher priority.

new-priority <New Priority>

Configures the new priority for the RADIUS server.

host <Hostname, or IP Address of RADIUS Server>

Configures the Host name or IP address (IPv4 or IPv6) of RADIUS server.

port <1-65535>

Configures the UDP port used on RADIUS server.

The default port is 1812 as specified by the RADIUS standard.

The range of valid port numbers is from 1 to 65535. Port 1645 is non-standard, but is commonly used as alternative to port 1812.

Warning - Firewall software frequently blocks traffic on port 1812. Make sure that you define a Firewall rule to allow traffic on UDP port 1812 between the RADIUS server and Gaia.

prompt secret

The system will prompt you to enter the Shared Secret.

secret <Shared Secret>

Configures the shared secret used for authentication between the RADIUS server and the Gaia.

Enter the shared secret text string up to 256 characters, without any whitespace characters and without a backslash.

Make sure that the shared string defined on the Gaia matches the shared string defined on the RADIUS server.

RFC 2865 recommends that the secret be at least 16 characters in length.

Some RADIUS servers have a maximum string length for shared secret of 15 or 16 characters.

See the documentation for your RADIUS server.

timeout <1-50>

Configures the timeout in seconds (from 1 to 5), during which Gaia waits for the RADIUS server to respond.

The default value is 3.

If there is no response after the configured timeout, Gaia tries to connect to a different configured RADIUS server.

Set this timeout, so that the sum of all RADIUS server timeouts is less than 50.

default-shell<SPACE><TAB>

Optional: Configures the default shell for RADIUS Users (for details about the shells, see Users).

super-user-uid <0 | 96>

Optional: Configures the UID for the RADIUS super user.

If the UID is 0, there is no need to run the sudo command to get super user permissions (see Configuring RADIUS Servers for Non-Local Gaia Users).

NAS-IP<SPACE><TAB>

Optional: This parameter records the IP address, from which Gaia sends the RADIUS packet.

This IP address is stored in the RADIUS packet, even when the packet goes through NAT, or some other address translation that changes the source IP address of the packet.

The "NAS-IP-Address" is defined in RFC2865.

If no NAS IP Address is chosen, the IPv4 address of the Gaia Management Interface is used (run the "show management interface" command).