Configuring Authentication Methods for Administrators

These instructions show how to configure authentication methods for administrators. For information on user authentication, see Managing User Accounts.

For background information about the authentication methods, see Authentication Methods for Users and Administrators.

Configuring Check Point Password Authentication for Administrators

Check Point password is a static password that is configured in SmartConsole. For administrators, the password is stored in the local database on the Security Management Server. For users, it is stored on the local database on the Security Gateway. No additional software is required.

Configuring OS Password Authentication for Administrators

These instructions show how to configure OS Password Authentication for administrators.

OS Password is stored on the operating system of the computer on which the Security Gateway (for users) or Security Management Server (for administrators) is installed. You can also use passwords that are stored in a Windows domain. No additional software is required.

Configuring RADIUS Server Authentication for Administrators

You can perform RADIUS authentication for SmartConsole administrators through a RADIUS server or a RADIUS server group. A RADIUS server group is a high availability group of identical RADIUS servers which includes any or all the RADIUS servers in the system. When you create the group, you define a priority for each server in the group. If the server with the highest priority fails, the one with the next highest priority in the group takes over, and so on.

Note - When defining a group of RADIUS servers, all members of the group must use the same protocol.

To learn how to configure a RADIUS server, refer to the vendor documentation.

To configure a RADIUS Server for SmartConsole administrator authentication

To configure a RADIUS server group for SmartConsole administrator authentication

  1. In SmartConsole, configure all the servers that you want to include in the server group, as explained in To configure a RADIUS Server for SmartConsole administrator authentication. For each server, enter its priority in the group. The lower the number, the higher the priority. For example, if you create a group with 3 servers, with priorities 1, 2 and 3, the server with number 1 is approached first, the server with number 2 second, and the server with number 3 third.

  2. Create the server group: In SmartConsole, go to Object Explorer and click New > Server > More > RADIUS Group.

  3. Configure the group properties and add servers to the group:

    1. Give the group a Name. It can be any name.

    2. Click the plus (+) for each server you want to add, and select each server from the drop-down list.

    3. Click OK.

    4. Publish the SmartConsole session.

  4. Add a new administrator as explained in To configure a RADIUS Server for SmartConsole administrator authentication.

  5. Publish the SmartConsole session.

Configuring SecurID Server Authentication for Administrators

These instructions show how to configure a SecurID server for SmartConsole administrators. To learn how to configure a SecurID server, refer to the vendor documentation.

SecurID requires users to both possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA Authentication Manager (AM) and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices, while software tokens reside on the PC or device from which the user wants to authenticate. All tokens generate a random, one-time use access code that changes approximately every minute. When a user attempts to authenticate to a protected resource, the one-time use code must be validated by the AM.

Using SecurID, the Security Gateway forwards authentication requests by remote users to the AM. For administrators, it is the Security Management Server that forwards the requests. The AM manages the database of RSA users and their assigned hard or soft tokens. The Security Gateway or the Security Management Server acts as an AM agent and directs all access requests to the RSA AM for authentication. For additional information on agent configuration, refer to RSA Authentication Manager documentation.

There are no specific parameters required for the SecurID authentication method. Authentication requests can be sent over an SDK-supported API or through the REST API.

To configure the Security Management Server for SecurID (this procedure is only relevant if you are using an SDK-supported API)

  1. Connect to the Security Management Server.

  2. Copy the sdconf.rec file to the /var/ace/ directory.

    If the /var/ace/ directory does not exist, create it with this command:

    mkdir -v /var/ace/

  3. Assign all permissions to the sdconf.rec file:

    chmod -v 777 /var/ace/sdconf.rec

To configure a SecurID Server for a SmartConsole administrator

  1. In SmartConsole, click Objects > More Object Types > Server > More > New SecurID.

  2. Configure the SecurID Properties:

    1. Give the server a Name. It can be any name.

    2. This step is relevant for SDK-supported API only: Click Browse and select the sdconf.rec file. This must be a copy of the file that is on the Security Management Server.

    3. Click OK.

  3. Add a new administrator:

    1. Go to Manage & Settings > Permissions & Administrators > Administrators.

    2. Click New.

      The New Administrator window opens.

    3. Give the administrator a name.

    4. Assign a Permission Profile.

    5. In Authentication method, select SecurID.

  4. In the SmartConsole Menu, click Install Database.
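The two SecurID procedures above depend on the sdconf.rec file in /var/ace/ being the same file that is selected in SmartConsole. The script below is an added example, not part of the Check Point documentation: it performs the staging steps and compares SHA-256 digests. The function names, the ACE_DIR override and the availability of sha256sum on the server are assumptions.

```shell
#!/bin/sh
# Added example: stage sdconf.rec as in the procedure, then fingerprint it.
# ACE_DIR defaults to the page's /var/ace; override it to rehearse elsewhere.
ACE_DIR="${ACE_DIR:-/var/ace}"

# Print the SHA-256 digest of a file (hex digits only).
sdconf_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# Copy the file into ACE_DIR, creating the directory if it does not exist,
# and apply the mode the procedure specifies. Fails if the source file is
# missing or empty, or if the staged copy differs from the source.
stage_sdconf() {
    src="$1"
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    [ -d "$ACE_DIR" ] || mkdir -v "$ACE_DIR" || return 1
    cp "$src" "$ACE_DIR/sdconf.rec" || return 1
    chmod -v 777 "$ACE_DIR/sdconf.rec" || return 1
    [ "$(sdconf_digest "$src")" = "$(sdconf_digest "$ACE_DIR/sdconf.rec")" ]
}

# Succeed only if the staged file matches the digest in $1, computed on the
# workstation copy that is selected with Browse in SmartConsole.
matches_console_copy() {
    [ "$(sdconf_digest "$ACE_DIR/sdconf.rec")" = "$1" ]
}

# Usage: ./stage_sdconf.sh /path/to/sdconf.rec
if [ "$#" -gt 0 ]; then
    stage_sdconf "$1" && echo "staged, sha256 $(sdconf_digest "$ACE_DIR/sdconf.rec")"
fi
```

Compute the digest of the workstation copy before you select the file in SmartConsole, and compare it with the value printed on the Security Management Server.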

Configuring TACACS Server Authentication for Administrators

You can perform TACACS authentication for SmartConsole administrators through a TACACS server or a TACACS server group. A TACACS server group is a High Availability group of identical TACACS servers in the system. When you create the group, you define a priority for each server. If the server with the highest priority fails, the one with the next highest priority in the group takes over, and so on.

Note - All TACACS servers in the group must use the same protocol.

To learn how to configure a TACACS server, refer to the vendor documentation.

To configure a TACACS server for SmartConsole administrator authentication

To configure a TACACS Server group for SmartConsole administrator authentication

  1. In SmartConsole, configure all the servers that you want to include in the server group, as explained in To configure a TACACS server for SmartConsole administrator authentication. For each server, enter its priority in the group. The lower the number, the higher the priority. For example, if you create a group with 3 servers, with priorities 1, 2 and 3, the server with number 1 is approached first, the server with number 2 second, and the server with number 3 third.

  2. Create the server group: In SmartConsole, go to Object Explorer and click New > Server > More > TACACS Group.

  3. Configure the group properties and add servers to the group:

    1. Enter the group Name.

    2. Click the + icon for each server you want to add, and select the server from the drop-down list.

    3. Click OK.

    4. Publish the SmartConsole session.

  4. Add a new administrator, according to the instructions in To configure a TACACS server for SmartConsole administrator authentication.

  5. Publish the SmartConsole session.
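The RADIUS and TACACS group sections both state that the lowest priority number is contacted first, that the next member takes over on failure, and that all members must use the same protocol. The script below is an added example, not Check Point code, that checks a planned group against those rules before you create it. The plan format, server names and protocol labels are constructed sample data.

```shell
#!/bin/sh
# Added example. Each line of a group plan: <server-name> <priority> <protocol>.
# The names, priorities and protocol labels below are constructed sample data.
PLAN='radius-b 2 PAP
radius-a 1 PAP
radius-c 3 PAP'

# Succeed only if every member uses the same protocol (the Note on this page).
same_protocol() {
    [ "$(printf '%s\n' "$1" | awk 'NF {print $3}' | sort -u | wc -l)" -eq 1 ]
}

# Print member names in contact order: lowest priority number first.
contact_order() {
    printf '%s\n' "$1" | awk 'NF' | sort -k2,2n | awk '{print $1}'
}

# Print the member that handles requests when the servers named in $2
# (space-separated) are down; fail if no member is left.
active_server() {
    for name in $(contact_order "$1"); do
        case " $2 " in
            *" $name "*) continue ;;
        esac
        echo "$name"
        return 0
    done
    return 1
}

if same_protocol "$PLAN"; then
    echo "order: $(contact_order "$PLAN" | tr '\n' ' ')"
    echo "with radius-a down: $(active_server "$PLAN" 'radius-a')"
else
    echo "mixed protocols in group" >&2
fi
```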

Configuring API Key Authentication for Administrators

You can use SmartConsole to configure an API key for administrators to use the management API.

Note - This administrator account can be used only to execute API commands; it cannot be used for SmartConsole authentication.