Check Point Gaia RADIUS authentication

The Check Point Gaia Operating System supports local authentication and external authentication using RADIUS or TACACS+. Check Point uses Role Based administration (RBA), which can assign a role to a user (local or external) with set permissions, including read-only. When using external authentication, the RADIUS server can be configured to set the role depending on the user’s AD group membership.

This post covers Check Point Gaia R81.10 external authentication against a Cisco ISE RADIUS server.

Gaia Configuration

The following is configured individually on each Check Point Security Gateway or Management Server running the Gaia Operating System.

Roles

By default there is a role called adminRole, used by the local admin account, which has full read/write administrative access, and a second role called monitorRole, which has read-only access.

New custom roles with specific permissions can be defined, but no new roles are created as part of this guide. Roles are accessed in the Gaia Web Portal under User Management > Roles.

RADIUS Server

At a minimum, the only configuration required for external authentication on Check Point Gaia is defining one or more RADIUS servers.

  • Navigate to User Management > Authentication Servers
  • Under RADIUS Servers, click Add
  • At a minimum, specify the Priority, Host and Shared Secret

  • Click Ok

Note: the following message is displayed once the server is added.

  • Optionally, specify the source interface for the Network Access Server (NAS). This sets the NAS IPv4 Address that Gaia sends in its requests, which the RADIUS server can use to filter connection requests; the address should match the one defined for the device on the RADIUS server.
  • Click Apply

For reference, the equivalent Gaia clish commands for the settings above (the shared secret is redacted; the default-shell and super-user-uid values are the defaults):

add aaa radius-servers priority 1 host 192.168.10.10 port 1812 secret ***** timeout 3
set aaa radius-servers NAS-IP 172.21.1.10
set aaa radius-servers default-shell /etc/cli.sh
set aaa radius-servers super-user-uid 96

RADIUS Server Configuration

In this example Cisco Identity Services Engine (ISE) will be used as the RADIUS server, authenticating access to the Check Point Firewalls against an Active Directory external identity source. AD group membership will determine whether the user has full admin read/write permissions or read-only permissions.

Create RADIUS Dictionary

A RADIUS dictionary defines the vendor-specific attributes (VSAs) unique to a vendor. ISE ships with the standard IETF RADIUS attributes and dictionaries for a number of vendors (including Cisco itself), but not the Check Point VSAs, so they must be added manually.

  • Navigate to Policy > Policy Elements > Dictionaries
  • Click System > Radius > Radius Vendors

  • Click Add, to add a new RADIUS Vendor
  • Specify the Dictionary Name as CheckPoint
  • Add a relevant description.
  • Specify the Vendor ID as 2620

  • Click Dictionary Attributes
  • Click Add
  • Specify the Attribute Name as CP-Gaia-User-Role
  • Data Type as STRING
  • ID as 229
  • Click Submit
  • Click Add to add another attribute.
  • Specify the Attribute Name as CP-Gaia-SuperUser-Access (the authorisation profiles below reference the attributes by these exact names)
  • Data Type as STRING
  • ID as 230
  • Click Submit

Once complete you should have two Check Point dictionary attributes.

Authorisation Profile

Two authorisation profiles will be created, one to set the adminRole and the second to set the monitorRole. The value specified in the authorisation profile must match the role name configured in Gaia exactly.

  • Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles
  • Click Add to create an authorisation profile setting the adminRole permission.
  • Specify an appropriate name, i.e. CheckPoint-AdminRole
  • Under the Advanced Attributes Settings section add the attributes
    • CheckPoint:CP-Gaia-SuperUser-Access = 1
    • CheckPoint:CP-Gaia-User-Role = adminRole
  • Click Save
  • Click Add to create an authorisation profile setting the monitorRole permission.
  • Specify an appropriate name, i.e. CheckPoint-MonitorRole
  • Under the Advanced Attributes Settings section add the attributes
    • CheckPoint:CP-Gaia-SuperUser-Access = 1
    • CheckPoint:CP-Gaia-User-Role = monitorRole
  • Click Save

Note that CP-Gaia-SuperUser-Access = 1 grants the user superuser access (the user is mapped to the super-user-uid configured in Gaia, 96 in the CLI reference above). For a read-only profile, consider setting it to 0 so that monitorRole users are not also superusers; the role itself still governs what they can see and change.

Network Devices Group

Create a Network Device Group (NDG) for all Check Point firewalls.

  • Navigate to Administration > Network Resources > Network Device Groups
  • Click Add
  • Specify an appropriate name for the group, i.e., Firewalls
  • Specify a Parent Group, i.e., All Device Types


  • Click Save

Network Devices

Create a Network Device for each Check Point firewall being authenticated via ISE.

  • Navigate to Administration > Network Resources > Network Devices
  • Click Add
  • Specify an appropriate name, i.e., FW1
  • Specify the IP address. ISE looks the network device up by the source IP address of the RADIUS request, so this must be the address Gaia actually sends from (the NAS interface configured in Gaia), not just the management address of the firewall.
  • From the Device Type drop-down list select the NDG previously created.
  • Select RADIUS Authentication Settings and specify the shared secret (this must match the shared secret defined in Gaia).
  • Click Save


Policy Set

Create a new Policy Set targeted specifically at firewall authentication.

  • Navigate to Policy > Policy Sets
  • Specify an appropriate name, i.e., Check Point
  • Specify the condition as DEVICE Device Type EQUALS All Device Types#Firewalls (this references the NDG previously created; every device that is a member of this group will match this policy set).
  • Set the Allowed Protocols as Default Network Access


  • Click Save
  • Edit the Policy Set
  • Specify the conditions and authentication source in the Authentication Policy.


  • Edit the Authorization Policy
  • Create a rule for Read Only access, specify the AD group as the condition and select the CheckPoint-MonitorRole as the authorisation profile.
  • Create a second rule for Admin Access, specify the AD group as the condition and select the CheckPoint-AdminRole as the authorisation profile.
  • ISE evaluates authorisation rules top-down and applies the first match. If an account can be a member of both AD groups, order the rules so that the profile you intend for such accounts is matched first; as listed here, a user in both groups receives read-only access.

Optionally (as in the figure), you can also add the NAS-Identifier to the condition: Gaia sends sshd for SSH connections to the Gaia shell and httpd for Gaia Web Portal access, which is useful if you wish to grant different roles over SSH and HTTPS.

  • Click Save

Testing

From a test computer open a web browser and connect to the Gaia Web Portal

  • Log in as a user that is not a member of either AD group permitted to log in to the firewall.


The ISE Live Logs confirms access is denied.


Repeat authentication with a user account that has Full Admin Access permissions, which is confirmed in the ISE Live Logs.


Repeat authentication with an account that should have read only access, which is confirmed in the ISE Live Logs.


If you attempt to make a change whilst logged in as the user with read-only access, the Gaia Web Portal will confirm a lack of permissions.


Troubleshooting

If the user is successfully authenticated by the RADIUS server but receives the error "You are not configured for web access" on the Gaia Web Portal, the Access-Accept did not carry the Check Point attributes: Gaia requires a CP-Gaia-User-Role to map the user to a role. Check that the authorisation rule matched the intended profile and that the profile contains the CheckPoint:CP-Gaia-User-Role attribute (the ISE Live Log detail for the session shows the attributes returned in the Access-Accept). A shared-secret mismatch between Gaia and the ISE network device entry fails the authentication outright rather than producing this message.
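The following Python is an added example, not code from the original post, Check Point or Cisco. It encodes the two Check Point VSAs exactly as the ISE dictionary above defines them (vendor 2620, types 229 and 230), builds the Access-Accept that the CheckPoint-AdminRole and CheckPoint-MonitorRole authorisation profiles produce, and then checks an Access-Accept the way Gaia must before it can assign a role: validate the response authenticator against the shared secret and look for CP-Gaia-User-Role. The shared secret, request authenticator and user name used in the usage note are constructed test values, and User-Password is omitted from the request for brevity.

```python
"""Added example (not from the original post, Check Point or Cisco): encode the
Check Point Gaia VSAs defined in the ISE dictionary, build the Access-Accept
that the two authorisation profiles produce, and check an Access-Accept the way
Gaia must before it can pick a role. Secrets and authenticators in tests are
constructed values."""
import hashlib
import socket
import struct

CHECKPOINT_VENDOR_ID = 2620      # Check Point IANA enterprise number (ISE dictionary Vendor ID)
CP_GAIA_USER_ROLE = 229          # string, e.g. adminRole / monitorRole
CP_GAIA_SUPERUSER_ACCESS = 230   # 1 = superuser access, 0 = none
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC, ATTR_NAS_IDENTIFIER = 1, 4, 26, 32
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2


def encode_attr(attr_type, value):
    """Plain RFC 2865 attribute: type, length (including the 2-byte header), value."""
    value = value.encode() if isinstance(value, str) else value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): 4-byte vendor id, then vendor type / length / value."""
    if isinstance(value, int):
        value = struct.pack("!I", value)  # integer VSAs travel as 4-byte big-endian
    inner = encode_attr(vendor_type, value)
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_access_request(identifier, request_authenticator, user, nas_ip, nas_id):
    """What Gaia sends: User-Name, NAS-IP-Address (the NAS IPv4 set in Gaia) and
    NAS-Identifier (sshd or httpd). User-Password is left out for brevity."""
    attrs = (encode_attr(ATTR_USER_NAME, user)
             + encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + encode_attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def build_access_accept(identifier, request_authenticator, secret, role=None, superuser=None):
    """What an ISE authorisation profile yields; role=None models a profile with
    no Check Point attributes. Response Authenticator per RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b""
    if role is not None:
        attrs += encode_vsa(CHECKPOINT_VENDOR_ID, CP_GAIA_USER_ROLE, role)
    if superuser is not None:
        attrs += encode_vsa(CHECKPOINT_VENDOR_ID, CP_GAIA_SUPERUSER_ACCESS, superuser)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(packet):
    """Yield (type, vendor_id, vendor_type, value); vendor fields are None for IETF attributes."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vpos = struct.unpack("!I", value[:4])[0], 4
            while vpos + 2 <= len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed VSA")
                yield atype, vendor_id, vtype, value[vpos + 2:vpos + vlen]
                vpos += vlen
        else:
            yield atype, None, None, value
        pos += alen


def gaia_role_from_accept(accept, request_authenticator, secret):
    """Return (role, superuser) or raise with the reason the login would fail."""
    code, _ident, length = struct.unpack("!BBH", accept[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(accept):
        raise ValueError("not a well-formed Access-Accept")
    expected = hashlib.md5(accept[:4] + request_authenticator + accept[20:] + secret).digest()
    if expected != accept[4:20]:
        raise ValueError("response authenticator mismatch: shared secrets differ")
    role, superuser = None, False
    for _atype, vendor_id, vtype, value in parse_attributes(accept):
        if vendor_id != CHECKPOINT_VENDOR_ID:
            continue
        if vtype == CP_GAIA_USER_ROLE:
            role = value.decode()
        elif vtype == CP_GAIA_SUPERUSER_ACCESS:
            # Check Point's reference dictionary types this attribute as integer; an
            # ISE attribute defined as STRING sends the ASCII digit, so accept both.
            flag = struct.unpack("!I", value)[0] if len(value) == 4 else int(value.decode())
            superuser = flag == 1
    if role is None:
        # This is the case behind the Gaia Web Portal message "You are not configured for web access".
        raise ValueError("Access-Accept carries no CP-Gaia-User-Role")
    return role, superuser
```

With a constructed secret such as `b"example-shared-secret"` and a fixed request authenticator, `build_access_accept(7, ra, secret, role="adminRole", superuser=1)` decodes through `gaia_role_from_accept` to `("adminRole", True)`, the same call with `role="monitorRole", superuser=0` gives `("monitorRole", False)`, an Access-Accept built without a role raises the missing-role error, and decoding with a different secret raises the authenticator-mismatch error, which is the distinction the troubleshooting note above draws.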

