Authentication Servers

You can configure Gaia (the Check Point security operating system that combines the strengths of both the SecurePlatform and IPSO operating systems) to authenticate Gaia users even when they are not defined locally.

This is a good way of centrally managing the credentials of multiple Security Gateways.

To define non-local Gaia users, you define Gaia as a client of an authentication server.

Gaia supports these types of authentication servers:

RADIUS

RADIUS (Remote Authentication Dial-In User Service) is a client/server authentication system that supports remote-access applications. User profiles are kept in a central database on a RADIUS authentication server. Client computers or applications connect to the RADIUS server to authenticate users.

You can configure your Gaia computer to connect to more than one RADIUS server. If the first server in the list is unavailable, Gaia connects to the next RADIUS server in the priority list.

TACACS+

The TACACS+ (Terminal Access Controller Access Control System) authentication protocol uses a remote server to authenticate users for Gaia. All information sent to the TACACS+ server is encrypted.

Gaia supports TACACS+ for authentication only. Challenge-response authentication, such as S/Key, is not supported.

You can configure TACACS+ support separately for different services. The Gaia Portal (the Web interface for the Check Point Gaia operating system) is one such service; for TACACS+ it is configured as the HTTP service. When TACACS+ is configured for a service, Gaia contacts the TACACS+ server each time it needs to verify a user password. If the server fails or is unreachable, the user is authenticated via the local password mechanism. If the user also fails to authenticate via the local mechanism, the user is not allowed access.

Note - For TACACS authentication to work on a Virtual System, see the R81 VSX Administration Guide.

When you configure Gaia OS to use several authentication methods, it uses them in this order:

  1. RADIUS

  2. TACACS+

  3. Local

Authentication flow when a user enters the credentials:

  1. Authenticate the user on the configured RADIUS servers.

    • If successful, the user logs in.

    • If failed, go to the next step.

  2. Authenticate the user on the configured TACACS+ servers.

    • If successful, the user logs in.

    • If failed, go to the next step.

  3. Authenticate the user based on the local configuration.

    • If successful, the user logs in.

    • If failed, deny the login.
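The following is an added example, not Check Point code, that models the RADIUS server failover described above (the next server in the priority list is used only when the previous one is unavailable) together with the RADIUS, TACACS+, Local order of the authentication flow. Remote servers are stand-in callables with a constructed user table, so it runs offline. One assumption that the page does not state is marked in the code: once a reachable server gives a definite accept or reject, the remaining servers of that method are not tried; only an unreachable server triggers failover.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNREACHABLE = "unreachable"   # server down, no route, or request timed out


# A remote server is modelled as a callable (user, password) -> Result so the
# example runs offline; a real client would exchange RADIUS or TACACS+ packets.
Server = Callable[[str, str], Result]


def make_server(user_db: Dict[str, str], reachable: bool = True) -> Server:
    """Constructed stand-in for a RADIUS or TACACS+ server with a small user table."""
    def server(user: str, password: str) -> Result:
        if not reachable:
            return Result.UNREACHABLE
        return Result.ACCEPT if user_db.get(user) == password else Result.REJECT
    return server


@dataclass
class Method:
    name: str
    servers: List[Tuple[int, Server]]   # (priority, server); lowest number is tried first

    def authenticate(self, user: str, password: str, trace: List[str]) -> Result:
        # Servers are tried in priority order; an UNREACHABLE one is skipped so the
        # next server in the list takes over (the failover the page describes).
        # Assumption (not stated on the page): a definite ACCEPT or REJECT from a
        # reachable server is this method's answer; later servers are not tried.
        for priority, server in sorted(self.servers, key=lambda entry: entry[0]):
            result = server(user, password)
            trace.append(f"{self.name}[priority {priority}]: {result.value}")
            if result is not Result.UNREACHABLE:
                return result
        return Result.UNREACHABLE


def local_hash(password: str) -> str:
    # Local accounts store a hash rather than the password; the salt is a
    # constructed constant used only for this example.
    return hashlib.sha256(b"example-salt:" + password.encode()).hexdigest()


def gaia_login(user: str, password: str, radius: Method, tacacs: Method,
               local_users: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Apply the RADIUS -> TACACS+ -> Local order. Any non-ACCEPT outcome of a
    step (a reject, or no reachable server at all) falls through to the next."""
    trace: List[str] = []
    for method in (radius, tacacs):
        if method.servers and method.authenticate(user, password, trace) is Result.ACCEPT:
            return True, trace
    stored = local_users.get(user)
    ok = stored is not None and hmac.compare_digest(stored, local_hash(password))
    trace.append(f"Local: {'accept' if ok else 'reject'}")
    return ok, trace


# Constructed deployment: the primary RADIUS server is down and the secondary
# knows alice; the TACACS+ server knows bob; carol exists only locally.
RADIUS = Method("RADIUS", [
    (1, make_server({"alice": "alice-pw"}, reachable=False)),
    (2, make_server({"alice": "alice-pw"})),
])
TACACS = Method("TACACS+", [(1, make_server({"bob": "bob-pw"}))])
LOCAL = {"carol": local_hash("carol-pw")}


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"),
                     ("carol", "carol-pw"), ("dave", "wrong")]:
        ok, trace = gaia_login(user, pw, RADIUS, TACACS, LOCAL)
        print(f"{user}: {'login' if ok else 'denied'}  <- {' ; '.join(trace)}")
```

The trace returned with each decision is the thing worth keeping in a real deployment: a user who is expected to be authenticated by RADIUS but whose trace shows a Local accept indicates that every configured RADIUS and TACACS+ server was unreachable or rejected the request, which is the condition to alert on rather than silently tolerate.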