How to configure RADIUS server for authentication on Gaia OS
Solution

Table of Contents:

  • Background
  • Related solution
  • Configuration
  • Additional related solutions


Background

There is a README file in the /etc/radius-dictionaries/ directory on a Gaia machine.

This file states the following:

This directory contains "dictionaries" that describe Check Point Vendor Specific Attributes (VSAs) used on this product. See the Check Point product documentation for more detail on what these VSAs are, what they mean, and how to use them. The way to get this information into your RADIUS server depends on the server. We've provided dictionaries that will hopefully work with a few of the RADIUS servers that are out there. For any other servers that we didn't cover, see the server vendor's documentation.

For example, in order to use Windows Server 2008 as a RADIUS server, refer to the relevant documentation from Microsoft.

Configuration

Configure special attributes on the RADIUS server for Non-Local Users, as shown below for several known RADIUS servers:

RADIUS server                                 | Dictionary file on Gaia OS                       | Dictionary file on RADIUS server
----------------------------------------------+--------------------------------------------------+-----------------------------------------------------------
Juniper Networks Steel-Belted Radius Server   | /etc/radius-dictionaries/checkpoint.dct          | Steel-Belted server's installation directory
FreeRADIUS server                             | /etc/radius-dictionaries/dictionary.checkpoint   | /etc/freeradius/
OpenRADIUS server                             | /etc/radius-dictionaries/dict.checkpoint         | /etc/openradius/subdicts/
Cisco RADIUS server                           | ---                                              | For ACS 5 and TACACS+, refer to sk105542 and sk98733;
                                              |                                                  | for ACS 4.2, edit the ACS 4.2 dictionary file
Windows RADIUS server (on Windows 2008)       | ---                                              | ---
VASCO IDENTIKEY Authentication RADIUS server  | /etc/radius-dictionaries/dict.checkpoint         | C:\Program Files\VASCO\Identikey <VERSION>\bin\radius.dct

Non-local users are defined on a RADIUS server and not in Gaia OS. When a non-local user logs in to Gaia OS, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.

Note: If you define a RADIUS user with a null password (on the RADIUS server), Gaia OS will not be able to authenticate such a user.

To configure a RADIUS server for non-local Gaia users:

  1. Copy the applicable dictionary file to your RADIUS server and add the needed lines:

    Steel-Belted RADIUS server
    1. Copy the /etc/radius-dictionaries/checkpoint.dct file from Gaia OS to the Steel-Belted server's directory.

    2. Add the following lines to the vendor.ini file on the RADIUS server (keep alphabetical order with the other vendor products in this file):
      vendor-product = Check Point Gaia
      dictionary = checkpoint
      ignore-ports = no
      port-number-usage = per-port-type
      help-id = 2000
      
    3. Add this line to the dictiona.dcm file on the RADIUS server: "@checkpoint.dct"


    FreeRADIUS server
    1. Copy the /etc/radius-dictionaries/dictionary.checkpoint file from Gaia OS to /etc/freeradius/ on the FreeRADIUS server.

    2. Add this line to /etc/freeradius/dictionary:
      "$INCLUDE /etc/freeradius/dictionary.checkpoint"
    3. To add users, edit the /etc/freeradius/users file.

      • Use the "Tab" key and not "Space" on the rows following a username.
      • Use a comma "," after each command except the last command in the file.
    4. Syntax of this file (if the syntax is wrong, the service will fail to start):

      Example of syntax (the <username> placeholder is added here to show where the entry starts; the indented rows below it begin with a Tab):

      <username>    Cleartext-Password := vpn123,
                    CP-Gaia-User-Role = RADIUS-P1-ADMIN,
                    CP-Gaia-SuperUser-Access = 1

    5. Restart the service:
      service freeradius restart


    OpenRADIUS server
    1. Copy the /etc/radius-dictionaries/dict.checkpoint file from Gaia OS to /etc/openradius/subdicts/ on the OpenRADIUS server.

    2. Add this line to /etc/openradius/dictionaries (right after dict.ascend):
      "$include subdicts/dict.checkpoint"


    For Cisco ACS 5 RADIUS server
    As a general reference, refer to sk105542 - How to configure a RADIUS server on Cisco ACS for authentication with Gaia OS, and to sk98733 - Best practices to configure Cisco ACS 5 server for TACACS+ authentication with Gaia.

    For Cisco ACS 4.2 RADIUS server
    Edit the ACS 4.2 dictionary file:
    [User Defined Vendor]
    Name=CheckPoint
    IETF Code=2620
    VSA 229=CP-Gaia-User-Role
    VSA 230=CP-Gaia-SuperUser-Access
    
    [CP-Gaia-User-Role]
    Type=STRING
    Profile=IN OUT
    
    [CP-Gaia-SuperUser-Access]
    Type=INTEGER
    Profile=IN OUT
    


    Windows RADIUS server (on Windows 2008)

    Follow these steps on Windows RADIUS server (refer to "Related resources" below):

    1. Go to the 'Policies' tab.

    2. Select the 'Settings' tab.

    3. Select 'Vendor Specific'.

    4. Click 'Add' and select 'Vendor-Specific'.

    5. Click 'Add' to enter a new attribute.

    6. Click 'Enter Vendor Code' and type '2620'.

    7. Select 'Yes, it conforms'.

    8. Click 'Configure Attribute...'.

    9. Enter 'Vendor-assigned attribute number':
      For Windows RADIUS Server - '229' (CP-Gaia-User-Role).
      For Windows NPS RADIUS - '230' (CP-Gaia-SuperUser-Access).

    10. Enter 'Attribute format':
      For Windows RADIUS Server - 'String'.
      For Windows NPS RADIUS - 'Decimal'.

    11. Enter 'Attribute value':
      For Windows RADIUS Server - 'radius-group-RW'.
      For Windows NPS RADIUS - '1'.


    Notes:
    • Gaia Portal requires UNIX-style userid "username@domain".
      Use of Microsoft-style userid "domain\username" at login may not work.


    Related resources:


    VASCO IDENTIKEY Authentication RADIUS server
    1. Edit the IDENTIKEY Authentication Server dictionary file with a text editor.

      By default, this dictionary is stored in the file:
      C:\Program Files\VASCO\Identikey <VERSION>\bin\radius.dct

    2. Copy the contents of Check Point dictionary file into the IDENTIKEY Authentication Server dictionary file.

      Refer to C:\Program Files\VASCO\Identikey <VERSION>\bin\readme.dct file for details on the syntax to be used in the radius.dct file.

    3. Open the 'Active Directory Users and Computers' (ADUC) console.

    4. Right-click and select the option 'Digipass Extension RADIUS Settings'.

    5. Select the RADIUS dictionary file to use.

      By default, this dictionary is stored in the file: C:\Program Files\VASCO\Identikey <VERSION>\bin\radius.dct

    6. Restart the 'Active Directory Users and Computers' (ADUC) console to activate the modified dictionary file.

      Note: Be sure to load the modified radius.dct file in all ADUC consoles if you administer the VASCO data on multiple machines.


    Related resources:


  2. Define the user roles:

    Add this Check Point Vendor-Specific Attribute to users into user configuration file on your RADIUS server:

    CP-Gaia-User-Role = "role1, role2, role3, ..."

    Example:
    CP-Gaia-User-Role = "adminrole, backuprole, securityrole"

    Note: Make sure the role names match the existing roles in the Gaia OS.

  3. Define which Check Point users must have superuser access to the Gaia shell:

    Add this Check Point Vendor-Specific Attribute to users into user configuration file on your RADIUS server:
    CP-Gaia-SuperUser-Access = <0|1>

    where

    • 0 - This user cannot receive superuser permissions
    • 1 - This user can receive superuser permissions

    To log in as a superuser:
    Note: This works only on R75.40 Gaia+ and above.
    A user with superuser permissions can use the Gaia shell to perform system-level operations, including working with the file system.
    On the RADIUS server, define a sudo user.
    Superuser permissions are defined in the Check Point Vendor-Specific Attributes (CP-Gaia-SuperUser-Access=1).

  4. To get superuser permissions:

    1. Log into the Gaia OS on the command line (over SSH / on Console).
    2. Log in to Expert mode (to go to the Gaia shell).
    3. Run this command:
      [Expert@HostName]# sudo bash

    The user now has superuser permissions.
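As an added illustration (not part of this article or of the Check Point dictionary files), the following Python encodes the two Check Point VSAs defined in steps 2 and 3 into RFC 2865 Vendor-Specific (type 26) attributes using the vendor code 2620 and attribute numbers 229/230 from the ACS 4.2 dictionary above, then decodes an Access-Accept attribute list back into the role list and superuser flag, rejecting malformed lengths. It assumes the standard RFC 2865 VSA layout (vendor ID, vendor type, vendor length) that the dictionaries describe; SAMPLE_REPLY is a constructed reply, not a capture.

```python
import struct

CHECKPOINT_VENDOR_ID = 2620       # IETF vendor code from the ACS 4.2 dictionary above
CP_GAIA_USER_ROLE = 229           # VSA 229, STRING: comma-separated Gaia role names
CP_GAIA_SUPERUSER_ACCESS = 230    # VSA 230, INTEGER: 0 or 1

def encode_vsa(vendor_type, value):
    """Build one RADIUS Vendor-Specific attribute (type 26) carrying a Check Point VSA."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode("ascii")
    # vendor-type(1) + vendor-length(1) + data; vendor-length counts its own two bytes
    vendor_part = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", CHECKPOINT_VENDOR_ID) + vendor_part
    return struct.pack("!BB", 26, 2 + len(body)) + body

def gaia_authorization(attributes):
    """Walk the attribute list of an Access-Accept and return (roles, superuser flag)."""
    roles, superuser = [], 0
    i = 0
    while i < len(attributes):
        if i + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        atype, alen = attributes[i], attributes[i + 1]
        if alen < 2 or i + alen > len(attributes):
            raise ValueError("malformed attribute length")
        body = attributes[i + 2:i + alen]
        i += alen
        if atype != 26 or len(body) < 6 or struct.unpack("!I", body[:4])[0] != CHECKPOINT_VENDOR_ID:
            continue   # not a Check Point VSA: ignore (standard attributes, other vendors)
        j = 4          # one VSA may carry several vendor sub-attributes back to back
        while j < len(body):
            if j + 2 > len(body):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = body[j], body[j + 1]
            if vlen < 2 or j + vlen > len(body):
                raise ValueError("malformed vendor sub-attribute length")
            vdata = body[j + 2:j + vlen]
            j += vlen
            if vtype == CP_GAIA_USER_ROLE:
                roles = [r.strip() for r in vdata.decode("ascii").split(",") if r.strip()]
            elif vtype == CP_GAIA_SUPERUSER_ACCESS and len(vdata) == 4:
                superuser = struct.unpack("!I", vdata)[0]
    return roles, superuser

# Constructed Access-Accept attribute list: the article's role example plus superuser access 1
SAMPLE_REPLY = (encode_vsa(CP_GAIA_USER_ROLE, "adminrole, backuprole, securityrole")
                + encode_vsa(CP_GAIA_SUPERUSER_ACCESS, 1))

if __name__ == "__main__":
    print(gaia_authorization(SAMPLE_REPLY))
```

The decoded role names are what Gaia compares against its configured roles, which is why the note in step 2 matters: a role string that does not match an existing Gaia role grants nothing.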

