There is a README file in the /etc/radius-dictionaries/ directory on a Gaia machine.
This file states the following:
This directory contains "dictionaries" that describe Check Point Vendor Specific Attributes (VSAs) used on this product. See the Check Point product documentation for more detail on what these VSAs are, what they mean, and how to use them. The way to get this information into your RADIUS server depends on the server. We've provided dictionaries that will hopefully work with a few of the RADIUS servers that are out there. For any other servers that we didn't cover, see the server vendor's documentation.
For example, in order to use Windows Server 2008 as a RADIUS server, refer to the relevant documentation from Microsoft.
Non-local users are defined on a RADIUS server and not in Gaia OS. When a non-local user logs in to Gaia OS, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.
Note: If you define a RADIUS user with a null password (on the RADIUS server), Gaia OS will not be able to authenticate such a user.
To configure a RADIUS server for non-local Gaia users:
Copy the applicable dictionary file to your RADIUS server and add the needed lines:
Steel-Belted RADIUS server
Copy the /etc/radius-dictionaries/checkpoint.dct file from Gaia OS to the Steel-Belted server's directory.
Add the following lines to the vendor.ini file on the RADIUS server (keep alphabetical order with the other vendor products in this file):
vendor-product = Check Point Gaia
dictionary = checkpoint
ignore-ports = no
port-number-usage = per-port-type
help-id = 2000
Add this line to the dictiona.dcm file on the RADIUS server: "@checkpoint.dct"
FreeRADIUS server
Copy the /etc/radius-dictionaries/dictionary.checkpoint file from Gaia OS to /etc/freeradius/ on the FreeRADIUS server.
Add this line to /etc/freeradius/dictionary:
"$INCLUDE /etc/freeradius/dictionary.checkpoint"
To add users, edit the /etc/freeradius/users file.
Use the "Tab" key, not "Space", on the rows that follow a username.
Put a comma "," after each attribute line except the last one in the file.
Syntax of this file (if the syntax is wrong, the service will fail to start):
[User Defined Vendor]
Name=CheckPoint
IETF Code=2620
VSA 229=CP-Gaia-User-Role
VSA 230=CP-Gaia-SuperUser-Access
[CP-Gaia-User-Role]
Type=STRING
Profile=IN OUT
[CP-Gaia-SuperUser-Access]
Type=INTEGER
Profile=IN OUT
Windows RADIUS server (on Windows 2008)
Follow these steps on the Windows RADIUS server (refer to "Related resources" below):
Go to 'Policies' tab.
Select the 'Settings' tab.
Select 'Vendor Specific'.
Click 'Add' and select 'Vendor-Specific'.
Click 'Add' to enter a new attribute.
Click 'Enter Vendor Code' and type '2620'.
Select 'Yes, it conforms'.
Click 'Configure Attribute...'.
Enter 'Vendor-assigned attribute number': For Windows RADIUS Server - '229'. For Windows NPS RADIUS - '230'.
Enter 'Attribute format': For Windows RADIUS Server - 'String'. For Windows NPS RADIUS - 'Decimal'.
Enter 'Attribute value': For Windows RADIUS Server - 'radius-group-RW'. For Windows NPS RADIUS - '1'.
Notes:
Gaia Portal requires a UNIX-style userid "username@domain". Use of a Microsoft-style userid "domain\username" at login may not work.
Make sure the role names match the existing roles in the Gaia OS.
Define which Check Point users must have superuser access to the Gaia shell:
Add this Check Point Vendor-Specific Attribute to the user entries in the user configuration file on your RADIUS server: CP-Gaia-SuperUser-Access = <0|1>
where
0 - This user cannot receive superuser permissions
1 - This user can receive superuser permissions
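The users-file rules above (Tab indentation, trailing commas) and the two Check Point VSAs (CP-Gaia-User-Role must name an existing Gaia role, CP-Gaia-SuperUser-Access must be 0 or 1) are easy to get wrong, and a wrong file stops FreeRADIUS from starting. The following is an added pre-check, not Check Point's or FreeRADIUS's code: it lints a FreeRADIUS users file for those rules before the service is restarted. The sample file and the role set are constructed for this example; the comma rule is applied per user entry (every reply line but the last in an entry ends with a comma).

```python
import re
from typing import Dict, List

# Constructed sample users file: "alice" follows the rules, "bob" breaks them.
SAMPLE_USERS = (
    'alice\tCleartext-Password := "s3cret"\n'
    '\tCP-Gaia-User-Role = "adminRole",\n'
    '\tCP-Gaia-SuperUser-Access = 1\n'
    '\n'
    'bob\tCleartext-Password := "s3cret"\n'
    '    CP-Gaia-User-Role = "nosuchrole"\n'      # spaces, missing comma, unknown role
    '\tCP-Gaia-SuperUser-Access = 2,\n'          # bad value, comma on last line
)

# Roles assumed to be defined on the Gaia OS (constructed; use your real role list).
KNOWN_ROLES = {"adminRole", "monitorRole"}

VSA_RE = re.compile(r'(CP-Gaia-[\w-]+)\s*=\s*"?([^",]*)"?')


def split_entries(text: str) -> List[List[str]]:
    """Group lines into user entries: a line starting in column 0 opens a new entry."""
    entries: List[List[str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            entries.append([line])
        elif entries:
            entries.append(entries.pop() + [line])
    return entries


def lint_entry(lines: List[str], known_roles=KNOWN_ROLES) -> List[str]:
    """Return a list of problems for one user entry (empty list means it is clean)."""
    user, reply, problems = lines[0].split()[0], lines[1:], []
    for i, line in enumerate(reply):
        body, last = line.strip(), i == len(reply) - 1
        if not line.startswith("\t"):
            problems.append(f"{user}: reply line {i + 1} must start with a Tab, not spaces")
        if last and body.endswith(","):
            problems.append(f"{user}: last attribute line must not end with a comma")
        if not last and not body.endswith(","):
            problems.append(f"{user}: attribute line '{body}' needs a trailing comma")
        m = VSA_RE.match(body)
        if m and m.group(1) == "CP-Gaia-User-Role" and m.group(2) not in known_roles:
            problems.append(f"{user}: role '{m.group(2)}' is not a role on the Gaia OS")
        if m and m.group(1) == "CP-Gaia-SuperUser-Access" and m.group(2) not in ("0", "1"):
            problems.append(f"{user}: CP-Gaia-SuperUser-Access must be 0 or 1, got {m.group(2)}")
    return problems


def lint_users_file(text: str) -> Dict[str, List[str]]:
    """Map each username to the problems found in its entry."""
    return {entry[0].split()[0]: lint_entry(entry) for entry in split_entries(text)}
```

Run it against a copy of /etc/freeradius/users before restarting the service; any non-empty list is a line FreeRADIUS or Gaia will reject.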
To log in as a superuser:
Note: This will work only on R75.40 Gaia+ and higher.
A user with superuser permissions can use the Gaia shell to perform system-level operations, including working with the file system. On the RADIUS server, define a sudo user. Superuser permissions are defined in the Check Point Vendor-Specific Attributes (CP-Gaia-SuperUser-Access=1).
To get superuser permissions:
Log into the Gaia OS on the command line (over SSH / on Console).