Table of Contents:

• Background
• Related solution
• Configuration
• Additional related solutions

 

Background

There is a README file in the /etc/radius-dictionaries/ directory on a Gaia machine.

This file states the following:

This directory contains "dictionaries" that describe Check Point Vendor Specific Attributes (VSAs) used on this product. See the Check Point product documentation for more detail on what these VSAs are, what they mean, and how to use them. The way to get this information into your RADIUS server depends on the server. We've provided dictionaries that will hopefully work with a few of the RADIUS servers that are out there. For any other servers that we didn't cover, see the server vendor's documentation.

For example, in order to use Windows Server 2008 as a RADIUS server, refer to the relevant documentation from Microsoft.

 

Related solution

• sk87005 - RADIUS authentication with non-local users on Gaia OS is not working

 

Configuration

Configure special attributes on the RADIUS server for Non-Local Users, as shown below for several known RADIUS servers:

RADIUS server	Dictionary file on Gaia OS	Dictionary file on RADIUS server
Juniper Networks Steel-Belted Radius Server	/etc/radius-dictionaries/checkpoint.dct	Steel-Belted server's installation directory
FreeRADIUS server	/etc/radius-dictionaries/dictionary.checkpoint	/etc/freeradius/
OpenRADIUS server	/etc/radius-dictionaries/dict.checkpoint	/etc/openradius/subdicts/
Cisco RADIUS server	---	For ACS 5 and TACACS+, refer to sk105542 and sk98733 For ACS 4.2, edit the ACS 4.2 dictionary file
Windows RADIUS server (on Windows 2008)	---	---
VASCO IDENTIKEY Authentication RADIUS server	/etc/radius-dictionaries/dict.checkpoint	C:\Program Files\VASCO\Identikey <VERSION>\bin\radius.dct

Non-local users are defined on a RADIUS server and not in Gaia OS. When a non-local user logs in to Gaia OS, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.

Note: If you define a RADIUS user with a null password (on the RADIUS server), Gaia OS will not be able to authenticate such user.

To configure a RADIUS server for non-local Gaia users:

1. Copy the applicable dictionary file to your RADIUS server and add the needed lines:
   
   

   Steel-Belted RADIUS server

   1. Copy the /etc/radius-dictionaries/checkpoint.dct file from Gaia OS to the Steel-Belted server's directory.
      
      
   2. Add the following lines to vendor.ini file on RADIUS server (keep alphabetical order with the other vendor products in this file):

      vendor-product = Check Point Gaia
      dictionary = checkpoint
      ignore-ports = no
      port-number-usage = per-port-type
      help-id = 2000
      

   3. Add this line to dictiona.dcm file on RADIUS server: "@checkpoint.dct"

   
   
   

   FreeRADIUS server

   1. Copy /etc/radius-dictionaries/dictionary.checkpoint file from Gaia OS to /etc/freeradius/ on FreeRADIUS server.
      
      
   2. Add this line to /etc/freeradius/dictionary:

      "$INCLUDE /etc/freeradius/dictionary.checkpoint"

   3. To add users edit the /etc/freeradius/users file.

      • Use "Tab" key and not "Space" on rows following a username.
      • Use comma "," after each command except the last command in the file.

   Syntax of this file (if syntax is wrong, service will fail to start):

   Example of syntax:

   Cleartext-Password := vpn123,
   CP-Gaia-User-Role = RADIUS-P1-ADMIN,
   CP-Gaia-SuperUser-Access = 1
   

   1. Restart the service:

      service freeradius restart

   
   
   

   OpenRADIUS server

   1. Copy the /etc/radius-dictionaries/dict.checkpoint file from Gaia OS to /etc/openradius/subdicts/ on OpenRADIUS server.
      
      
   2. Add this line to /etc/openradius/dictionaries (right after dict.ascend):

      "$include subdicts/dict.checkpoint"

   
   
   

   For Cisco ACS 5 RADIUS server

   As a general reference, refer to sk105542 - How to configure a RADIUS server on Cisco ACS for authentication with Gaia OS and to sk98733 - Best practices to configure Cisco ACS 5 server for TACACS+ authentication with Gaia
   
   

   For Cisco ACS 4.2 RADIUS server

   Edit the ACS 4.2 dictionary file:

   [User Defined Vendor]
   Name=CheckPoint
   IETF Code=2620
   VSA 229=CP-Gaia-User-Role
   VSA 230=CP-Gaia-SuperUser-Access
   
   [CP-Gaia-User-Role]
   Type=STRING
   Profile=IN OUT
   
   [CP-Gaia-SuperUser-Access]
   Type=INTEGER
   Profile=IN OUT
   

   
   
   

   Windows RADIUS server (on Windows 2008)

   Follow these steps on Windows RADIUS server (refer to "Related resources" below):

   1. Go to 'Policies' tab.
      
      
   2. Select the 'Settings' tab.
      
      
   3. Select 'Vendor Specific'.
      
      
   4. Click 'Add' and select 'Vendor-Specific'.
      
      
   5. Click 'Add' to enter a new attribute.
      
      
   6. Click 'Enter Vendor Code' and type '2620'.
      
      
   7. Select 'Yes, it confirms'.
      
      
   8. Click 'Configure Attribute...'.
      
      
   9. Enter 'Vendor-assigned attribute number':
      For Windows RADIUS Server - '229'.
      For Windows NPS RADIUS - '230'.
      
      
   10. Enter 'Attribute format':
       For Windows RADIUS Server - 'String'.
       For Windows NPS RADIUS - 'Decimal'.
       
       
   11. Enter 'Attribute value':
       For Windows RADIUS Server - 'radius-group-RW'.
       For Windows NPS RADIUS - '1'.

   
   
   Notes:
   

   • Gaia Portal requires UNIX-style userid "username@domain".
     Use of Microsoft-style userid "domain\username" at login may not work.

   
   
   Related resources:
   

   • RADIUS Server on Windows Server 2008
   • Network Policy Server (NPS) RADIUS on Windows Server 2008
   • Configure a Custom VSA
   • Custom VSA example

   
   
   

   VASCO IDENTIKEY Authentication RADIUS server

   1. Edit the IDENTIKEY Authentication Server dictionary file with a text editor.
      
      By default, this dictionary is stored in the file:
      C:\Program Files\VASCO\Identikey <VERSION>\bin\radius.dct
      
      
   2. Copy the contents of Check Point dictionary file into the IDENTIKEY Authentication Server dictionary file.
      
      Refer to C:\Program Files\VASCO\Identikey <VERSION>\bin\readme.dct file for details on the syntax to be used in the radius.dct file.
      
      
   3. Open the 'Active Directory Users and Computers' (ADUC) console.
      
      
   4. Right-click and select the option 'Digipass Extension RADIUS Settings'.
      
      
   5. Select the RADIUS dictionary file to use.
      
      By default, this dictionary is stored in the file: C:\Program Files\VASCO\Identikey <VERSION>\bin\radius.dct
      
      
   6. Restart the 'Active Directory Users and Computers' (ADUC) console to activate the modified dictionary file.
      
      Note: Beware to load the modified radius.dct file in all ADUCs if you administer the VASCO data on multiple machines.

   
   
   Related resources:
   

   • How to configure vendor specific RADIUS reply Attributes in IDENTIKEY Authentication Server 3.2 with AD datastore?
   • DIGIPASS Authentication for Check Point Security Gateways

   
   
   
2. Define the user roles:

   Add this Check Point Vendor-Specific Attribute to users into user configuration file on your RADIUS server:
   
   CP-Gaia-User-Role = "role1, role2, role3, ..."

   Example:
   CP-Gaia-User-Role = "adminrole, backuprole, securityrole"

   Note: Make sure the role names match the existing roles in the Gaia OS.
   
   
3. Define which Check Point users must have superuser access to the Gaia shell:

   Add this Check Point Vendor-Specific Attribute to users into user configuration file on your RADIUS server:
   CP-Gaia-SuperUser-Access = <0|1>
   
   where

   • 0 - This user cannot receive superuser permissions
   • 1 - This user can receive superuser permissions

   To log in as a superuser:
   Note: This will work only on R75.40 Gaia+ and higher
   A user with supervisor permissions can use the Gaia shell to perform system-level operations, including working with the file system.
   On the RADIUS server, define a sudo user.
   Superuser permissions are defined in the Check Point Vendor-Specific Attributes (CP-Gaia-SuperUser-Access=1).

4. To get superuser permissions:

   1. Log into the Gaia OS on the command line (over SSH / on Console).
   2. Log in to Expert mode (to go to the Gaia shell).
   3. Run this command:
      [Expert@HostName]# sudo bash

   The user now has superuser permissions.

 

Additional related solutions

• sk93309 - Troubleshooting RADIUS authentication related issues in Gaia
• sk105542 - How to configure a RADIUS server on Cisco ACS for authentication with Gaia OS
• sk98733 - Best practices to configure Cisco ACS 5 server for TACACS+ authentication with Gaia
• sk113052 - RBA roles for RADIUS authentication with Cisco ACS are not enforced correctly on Gaia OS
• sk98958 - RADIUS user connects with UID 96 although 0 is configured, and not able to run any command
• sk98874 - RADIUS user cannot log in to WebUI or SSH in Gaia
• sk31692 - RADIUS/SecurID packets are being picked up by an implied rule instead of being encrypted