CheckPoint User Management

https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/73101.htm

User Management

This chapter describes how to manage passwords, user accounts, roles, authentication servers, system groups, and Gaia WebUI clients.

Note - When a user logs in to Gaia, the WebUI navigation tree displayed and CLI commands that are available depend on the role or roles assigned to the user. If the user's roles do not provide access to a feature, the user does not see the feature in the WebUI navigation tree or in the list of commands. If the user has read-only access to a feature, they can see the WebUI page but the controls are disabled. Similarly, the user can run show commands but not set, add or delete commands.

Related Topics Change My Password Users Roles Password Policy Authentication Servers System Groups GUI Clients

Change My Password

A Gaia user can change his or her own Gaia password.

Change My Password - WebUI

To change your current user password:

1. In the tree view, click User Management > Change My Password.
2. In Old Password, enter your old password.
3. In New Password and in Confirm New Password, enter the new Password.
4. Click Apply.

Change My Password - CLI (selfpasswd)

Description	Change your own Gaia password, in an interactive dialog.
Syntax	set selfpasswd
Warning	It is not recommended to use set selfpasswd oldpass VALUE passwd VALUE because the passwords are stored as plain text in the command history. Instead, use set selfpasswd

Users

Use the WebUI and CLI to manage user accounts. You can:

• Add users to your Gaia system.
• Edit the home directory of the user.
• Edit the default shell for a user.
• Give a password to a user.
• Give privileges to users.

These users are created by default and cannot be deleted:

• admin — Has full read/write capabilities for all Gaia features, from the WebUI and the CLI. This user has a User ID of 0, and therefore has all of the privileges of a root user.
• monitor — Has read-only capabilities for all features in the WebUI and the CLI, and can change its own password. You must give a password for this user before the account can be used.

New users have read‑only privileges to the WebUI and CLI by default. You must assign one or more roles before they can log in.

	Note - You can assign permissions to all Gaia features or a subset of the features without assigning a user ID of 0. If you assign a user ID of 0 to a user account (you can do this only in the CLI), the user is equivalent to the Admin user and the roles assigned to that account cannot be modified.
	Note - Do not define a new user for external users. An external user is one that is defined on an authentication server (such as RADIUS or TACACS) and not on the local Gaia system.

When you create a user you can add pre-defined roles (privileges) to the user. For more information, see "Role-Based Administration".

Warning - A user with read and write permission to the Users feature can change the password of another user, or an admin user. Therefore, write permission to the Users feature should be assigned with caution.

Managing User Accounts - WebUI

To see a list of all users

Choose User Management > Users in the navigation tree.

You can also see your username in the toolbar of the WebUI.

To add a user

1. Open the User Management > Users page.
2. Click Add
3. In the Add User page, enter the following:
   • Login Name - (1–31 characters),
   • Home Directory - for the new user. Must be subdirectory of /home
   • Password.
   • Confirm Password
4. Click OK

To delete a user

1. Open the User Management > Users page.
2. Select the User
3. Click Delete.

User Account Fields- WebUI

Item	Description
Login Name	Name used to identify the user. The valid characters are alphanumeric characters, dash (-), and underscore (_). Range: 1-32 characters
Real Name	User's real name or other informative label.
Home directory	This is the full Linux path name of a directory where the user will log in. The home directory for all users must be in /home.
Shell	/etc/cli.sh - User is allowed to use the full Gaia CLI (clish). This is the default option. By default, some basic networking commands (such as ping) are also available. The Extended Commands mechanism makes it possible to add Linux commands that can be used. User can run shell to enter the bash shell. /bin/bash, /bin/csh, /bin/sh, /bin/tcsh - Standard Linux shells. User can run clish to enter the clish shell. /usr/bin/scponly - User is allowed to log in only using SCP, and to transfer files to and from the system. No other commands are allowed. /sbin/nologin - User is not allowed to log in.
Password	Use this field to enter a new password if you are changing it. Range: 6-128 characters. All printable characters are allowed. Note - If you use an asterisk (*) in a password, users with that password are unable to log in.
Reset Password	Change the user password. Important - After resetting the password, tell the user to immediately change their password in User Management > Change My Password.
Confirm Password	Re-enter the new password if you are changing it.
User must change password at next logon	Important - After selecting this option, tell the user to immediately change their password in User Management > Change My Password.
Access Mechanisms	Choose whether the user is able to access Gaia from the command line, from the WebUI, both, or neither.
Roles	Assign a role to the user. Define the roles in User Management > Roles.

Managing User Accounts - CLI (user)

Description	Manage user accounts. You can add users, edit the home directory of the user, edit the default shell for a user, give a password to a user, and give privileges to users.
Syntax	To add user accounts: add user <username> uid VALUE homedir To modify user accounts: set user <username> gid VALUE homedir VALUE newpass VALUE password password-hash VALUE realname VALUE shell VALUE uid VALUE To delete an existing user: delete user VALUE To view configuration and conditions: show users show user <username> gid homedir realname shell uid
Comments	You can use the add user command to add new users, but you must use the set user name passwd command to set the password and allow the user to log on to the system. For information on removing access mechanism permissions from a user, see the delete rba user command.
Parameters	Parameter Description user <username> Specifies the new user name or an existing user name. The valid characters are alphanumeric characters, dash (-), and underscore (_). Range: 1-32 characters gid VALUE Specifies the ID (0‑65535) for the primary group to which a user belongs. Use the group management commands to specify membership in other groups. homedir VALUE Specifies the user's home directory, where the user is placed on login. Enter the full Linux path name. If the directory does not already exist, it is created. The home directory for all users must be in a directory under /home/. newpass VALUE Specifies a new password for the user. If you use this keyword to change the password, you will not be asked to verify the new password and the password you enter is visible on the terminal and is stored as plain text in the command history. password Starts a password change dialog. You will be asked to enter a new password for the user and then asked to verify it by re-entering it. The password you enter will not be visible on terminal. password-hash VALUE An encrypted representation of the password. The password is not visible as text at the terminal or in the command history. Use this option if you want to change passwords using a script. You can generate the hash version of the password using standard Linux hash generating utilities. realname VALUE User's real name or other informative label. shell VALUE Specifies the shell of the user, which is invoked when the user logs in. The default shell is /bin/csh. To change the shell, enter the new shell path name. /etc/cli.sh - User is allowed to use the full Gaia CLI (clish). This is the default option. By default, some basic networking commands (such as ping) are also available. The Extended Commands mechanism makes it possible to add Linux commands that can be used. User can run shell to enter the bash shell. /bin/bash, /bin/csh, /bin/sh, /bin/tcsh - Standard Linux shells. To enter the clish shell, run the command clish. /usr/bin/scponly - User is allowed to log in only using SCP, and to transfer files to and from the system. No other commands are allowed. /sbin/nologin - User is not allowed to log in. uid VALUE Unique user ID (Integer 0‑65535). This parameter is optional. If a value is not specified, a sequential number is assigned automatically.

Roles

Role-based administration (RBA) lets you create administrative roles for users. With RBA, an administrator can allow Gaia users to access specified features by including those features in a role and assigning that role to users. Each role can include a combination of administrative (read/write) access to some features, monitoring (read‑only) access to other features, and no access to other features.

You can also specify which access mechanisms (WebUI or the CLI) are available to the user.

Note - When users log in to the WebUI, they see only those features that they have read-only or read/write access to. If they have read-only access to a feature, they can see the settings pages, but cannot change the settings.

Gaia includes these predefined roles:

• adminRole - Gives the user read/write access to all features.
• monitorRole- Gives the user read-only access to all features.

You cannot delete or change the predefined roles.

Note - Do not define a new user for external users. An external user is one that is defined on an authentication server (such as RADIUS or TACACS) and not on the local Gaia system.

Configuring Roles - WebUI

Roles are defined in the User Management > Roles page of the WebUI.

To see a list of existing roles, select User Management > Roles in the navigation tree.

To add new role or change an existing role:

1. Select User Management > Roles in the WebUI navigation tree.
2. To add a new role, click Add and enter a Role Name. The role name can be a combination of letters, numbers and the underscore (_) character, but must start with a letter.
3. To change permissions for an existing role, double-click the role.
4. In the Add or Edit Role window, click a feature (Features tab) or extended command (Extended Commands tab).
5. Select None, Read Only or Read/Write from the options menu.

Important - A user with read/write permission to the User Management feature can change a user password, including that of the admin user. Be careful when assigning roles that include this permission.

To delete a role:

1. Select User Management > Roles in the navigation tree.
2. Select a role to delete.
3. Click Delete.

Note - You cannot delete the adminRole, or monitorRole default roles.

You can assign many users to a role from the Roles window.

To assign users to a role:

1. Select User Management > Roles in the WebUI navigation tree.
2. Click Assign Members.
3. In the Assign Members to Role window:
   1. Double-click a user in the Available Users list to add that user to the role.
   2. Double-click a user in the Users with Role list to remove that user from the role.

You can assign the many roles to a user from the Users page. You must work with the Users page to define access mechanism permissions (Web and/or command line) for users. A

To assign roles and access mechanisms to a user:

1. Select User Management > Users in the WebUI navigation tree.
2. Double-click a user in the list.
3. In the Edit User window:
   • Double-click a role in the Available Roles list to assign that role to the user.
   • Double-click a role in the Assigned Roles list to remove that role from the user.
   • Select an Access Mechanisms permission (Web or Command Line) to let the user to work with it.
   • Clear an Access Mechanisms permission (Web or Command Line) to prevent the user from working with it.

Configuring Roles - CLI (rba)

Description	Add, change or delete role definitions. Add or remove users to or from existing roles. Add or remove access mechanism (WebUI or CLI) permissions for a specified user.
Syntax	add rba role <Name> domain-type System readonly-features <List> readwrite-features <List> add rba user <User name> access-mechanisms [Web-UI | CLI] add rba user <User Name> roles <List> delete rba role <Name> delete rba role <Name> readonly-features <List> readwrite-features <List> delete rba user <User Name> access-mechanisms [Web-UI | CLI] delete rba user <User Name> roles <List>
Parameters	Role <Name> Role name as a character string that contains letters, numbers or the underscore (_) character. The role name must with a letter. Domain-type System Reserved for future use. readonly-features <List> Comma separated list of Gaia features that have read only permissions in the specified role. You can add read only and read write feature lists in the same command. readwrite-features <List> Comma separated list of Gaia features that have read/write permissions in the specified role. You can add read only and read write feature lists in the same command. user <User name> User to which access mechanism permissions and roles are assigned. roles <List> Comma separated list of role names that are assigned to or removed from the specified user. access-mechanisms Defines the access mechanisms that users can work with to manage Gaia. You can only specify one access mechanism at a time with this command.
Examples	add rba role NewRole domain-type System readonly-features vpn,ospf,rba readwrite-features tag, revert,fcd add rba user Paul access-mechanisms CLI,WebUI add rba user Daly roles NewRole,adminRole delete rba role NewRole delete rba user Daly roles adminRole
Comments	There is no set operation for this command. Use the add or delete operations to add and remove features from an existing role. Use delete rba role to delete an role.

CLI Procedures

To define a new role or add features to an existing role:

Run:

add rba role <Name> domain-type System readonly-features <List>

readwrite-features <List>

• role <Name> - Role name as a character string that contains letters, numbers or the underscore (_) character. The role name must with a letter.
• readonly-features <List> - Comma separated list of Gaia features that have read only permissions in the specified role.
• readwrite-features <List> - Comma separated list of Gaia features that have read/write permissions in the specified role.

To remove features from an existing role:

Run:

delete rba role <Name> readonly-features <List> readwrite-features <List>

• role <Name> - Role name as a character string that contains letters, numbers or the underscore (_) character. The role name must with a letter.
• readonly-features <List> - Comma separated list of Gaia features that have read only permissions in the specified role.
• readwrite-features <List> - Comma separated list of Gaia features that have read/write permissions in the specified role.

To assign or remove roles to a user:

Run:

add rba user <User Name> roles <List>

delete rba user <User Name> roles <List>

• user <User name> - User to which access mechanism permissions and roles are assigned.
• roles <List> - Comma separated list of role names that are assigned to or removed from the specified user.

To Assign or remove access mechanisms (WebUI or CLI) for a user:

Run:

add rba user <User name> access-mechanisms [Web-UI | CLI]

delete rba user <User Name> access-mechanisms [Web-UI | CLI]

• user <User name> - Comma separated list of role names that are assigned to or removed from the specified user.
• Web-UI - Add or remove permissions to use the WebUI.
• CLI - Add or remove permissions to use the Gaia CLI.

Password Policy

This section explains how to configure your platform to:

• Enforce creation of strong passwords.
• Monitor and prevent use of already used passwords.
• Force users to change passwords at regular intervals.

One of the important elements of securing your Check Point network security platform is to set user passwords and create a good password policy.

Note - The password policy does not apply to nonlocal users that authentication servers such as RADIUS manage their login information and passwords. Also, it does not apply to non-password authentication, such as the public key authentication supported by SSH.

To set and change user passwords, see Users and Change My Password.

Password Strength

Strong, unique passwords that use a variety of character types and require password changes, are key factors in your overall network security.

Password History Checks

The password history feature prevents from users using a password they have used before when they change their password. The number of already used passwords that this feature checks against is defined by the history length. Password history check is enabled by default.

The password history check

• Applies to user passwords set by the administrator and to passwords set by the user.
• Does not apply to SNMPv3 USM user pass phrases.

These are some considerations when using password history:

• The password history for a user is updated only when the user successfully changes password. If you change the history length, for example: from ten to five, the stored passwords number does not change. Next time the user changes password, the new password is examined against all stored passwords, maybe more than five. After the password change succeeds, the password file is updated to keep only the five most recent passwords.
• Passwords history is only stored if the password history feature is enabled when the password is created.
• The new password is checked against the previous password, even if the previous password is not stored in the password history.

Mandatory Password Change

The mandatory password change feature requires users to use a new password at defined intervals.

Forcing users to change passwords regularly is important for a strong security policy. You can set user passwords to expire after a specified number of days. When a password expires, the user is forced to change the password the next time the user logs in. This feature works together with the password history check to get users to use new passwords at regular intervals.

The mandatory password change feature does not apply to SNMPv3 USM user pass phrases.

Deny Access to Unused Accounts

You can deny access to unused accounts. If there has been no successful login attempt in a set period of time, the user is locked out and cannot log in. You can also configure the allowed number of days of non-use before a user is locked-out.

Deny Access After Failed Login Attempts

You can deny access after too many failed login attempts. The user cannot log in for a configurable period of time. You can also allow access again after a user has been locked out. Also, you can configure the number of failed login attempts that a user is allowed before being locked out. When one login attempt succeeds, counting of failed attempts stops, and the count is reset to zero.

Configuring Password Policy- WebUI

1. In the tree view, click User Management > Password policy.
2. Configure the password policy options:
   • Password Strength
   • Password History
   • Mandatory Password change
   • Deny Access to Unused Accounts
   • Deny Access After Failed Login Attempts
3. Click Apply.

Password Strength

Parameter	Description
Minimum Password Length	The minimum number of characters of a password that is to be allowed for users or SNMP users. Does not apply to passwords that have already been set. Range: 6-128 Default: 6
Disallow Palindromes	A palindrome is a sequence of letters, numbers, or characters that can be read the same in each direction. Default: Selected
Password Complexity	The required number of character types. Character types are: Upper case alphabetic (A-Z), Lower case alphabetic (a-z), Digits (0-9), Other (everything else). A value of "1" effectively disables this check. Changes to this setting do not affect existing passwords. Range: 1-4 Default: 2

Password History

Parameter	Description
Check for Password Reuse	Check for reuse of passwords. When a user's password is changed, the new password is checked against the recent passwords for the user. An identical password is not allowed. The number of passwords kept in the record is set by History length. Does not apply to SNMP passwords. Enables or disables password history checking and password history recording, for all users. Default: Selected.
History Length	The number of former passwords to keep and check against for each user. Range: 1-1000. Default: 10.

Mandatory Password Change

Parameter	Description
Password Expiration	The number of days for which a password is valid. After that time, the password expires. The count starts when the user changes their passwords. Users are required to change an expired password the next time they log in. If set to never, passwords do not expire. Does not apply to SNMP users. Range: 1-1827 or Password never expire. Default: Password never expire.
Warn users before password expiration	The number of days before the password expires that the user starts getting warned they will have to change it. A user that does not log in will not see the warning. Range: 1-366. Default: 7.
Lockout users after password expiration	Lockout users after password expiration. After a user's password has expired, they have this number of days to log in and change it. If they do change their password within that number of days they will be unable to log in: They are locked out. A value of never allows the user to wait as long as they want to change their password. The administrator can unlock a user that is locked out from the User Management > Users page. Range: 1-1827, or Never Default: Never lockout users after password expires
Force users to change password at first login after password was changed from Users page	Force users to change password at first login after their password was changed using the command set user <username> password or from the WebUI User Management > Users page. Default: Not selected

Deny Access to Unused Accounts

Parameter	Description
Deny access to unused accounts	Deny access to unused accounts. If there has been no successful login attempt in a set period of time, the user is locked out and cannot log in. Default: Not selected
Days of non-use before lock-out	Days of non-use before lock-out. The number of days in which a user has not (successfully) logged in before that user is locked out. This only takes effect if Deny access to unused accounts is selected. Range: 30-1827 Default: 365

Deny Access After Failed Login Attempts

Parameter	Description
Deny access after failed login attempts	If the configured limit is reached, the user is locked out (unable to log in) for a configurable period of time. Warning: Enabling this leaves you open to a "denial of service" -- if an attacker issues unsuccessful login attempts often enough you will be locked out. Please consider the advantages and disadvantages of this option, in light of your security policy, before enabling it. Default: Not selected
Maximum number of failed attempts allowed	This only takes effect if Deny access after failed attempts is enabled. The number of failed login attempts that a user is allowed before being locked out. After making that many successive failed attempts, future attempts will fail. When one login attempt succeeds, counting of failed attempts stops, and the count is reset to zero, Range: 2-1000 Default: 10
Allow access again after time	Allow access again after a user has been locked out (due to failed login attempts). The user is allowed access after the configured time if there have been no login attempts during that time). This setting only takes effect if Deny access after failed login attempts is selected. Range: 60-604800 (seconds) Default: 1200 (20 minutes) Examples: 60 - 1 minute 300 - 5 minutes 3600 - 1 hour 86400 - 1 day 604800 - 1 week

Configuring Password Policy- CLI (password-controls)

Use these commands to set a policy for managing user passwords.

Password Strength

set password-controls min-password-length <6-128> palindrome-check <on |off> complexity <1-4>

Parameter	Description
min-password-length <6-128>	The minimum number of characters of a password that is to be allowed for users or SNMP users. Does not apply to passwords that have already been set. Range: 6-128 Default: 6
palindrome-check <on |off>	A palindrome is a sequence of letters, numbers, or characters that can be read the same in each direction. On prevents passwords that are palindromes. Range: On or Off. Default: On
complexity <1-4>	The required number of character types. Character types are: Upper case alphabetic (A-Z), Lower case alphabetic (a-z), Digits (0-9), Other (everything else). A value of "1" effectively disables this check. Changes to this setting do not affect existing passwords. Range: 1-4 Default: 2

Password History

set password-controls history-checking <on|off> history-length <1-1000>

Parameter	Description
history-checking <on|off>	Check for reuse of passwords. When a user's password is changed, the new password is checked against the recent passwords for the user. An identical password is not allowed. The number of passwords kept in the record is set by History length. Does not apply to SNMP passwords. Enables or disables password history checking and password history recording, for all users. Range: On or Off. Default: On
history-length <1-1000>	The number of former passwords to keep and check against for each user. Range: 1-1000. Default: 10.

Mandatory Password Change

set password-controls password-expiration <never, 1-1827> expiration-warning-days <1-366> expiration-lockout-days <never, 1-1827> force-change-when <no|password>

Parameter	Description
password-expiration <never, 1-1827>	The number of days for which a password is valid. After that time, the password expires. The count starts when the user changes their passwords. Users are required to change an expired password the next time they log in. If set to never, passwords do not expire. Does not apply to SNMP users. Range: 1-1827 or never. Default: never.
expiration-warning-days <1-366>	The number of days before the password expires that the user starts getting warned they will have to change it. A user that does not log in will not see the warning. Range: 1-366. Default: 7.
expiration-lockout-days <never, 1-1827>	Lockout users after password expiration. After a user's password has expired, they have this number of days to log in and change it. If they do change their password within that number of days they will be unable to log in: They are locked out. A value of never allows the user to wait as long as they want to change their password. The administrator can unlock a user that is locked out using the command set user <username> lock-out. Range: 1-1827, or never Default: never
force-change-when <no|password>	Force users to change password at first login after their password was changed using the command set user <username> password or from the WebUI User Management > Users page. Range: no - Disables this functionality. password - Forces users to change their password after their password was changed using the command set user <username> password or from the WebUI User Management > Users page. Default: no

Deny Access to Unused Accounts

set password-controls deny-on-nonuse enable <off|on> deny-on-nonuse allowed-days <30-1827>

Parameter	Description
deny-on-nonuse enable <off|on>	Deny access to unused accounts. If there has been no successful login attempt in a set period of time, the user is locked out and cannot log in. Range: on/off Default: off
deny-on-nonuse allowed-days <30-1827>	Days of non-use before lock-out. The number of days in which a user has not (successfully) logged in before that user is locked out. This only takes effect if set password-controls deny-on-nonuse enable is set to on. Range: 30-1827 Default: 365

Deny Access After Failed Login Attempts

set password-controls deny-on-fail allow-after <60-604800> deny-on-fail failures-allowed <2-1000> deny-on-fail enable <off|on>

Parameter	Description
deny-on-fail enable <off|on>	Deny access after too many failed login attempts. If the configured limit is reached, the user is locked out (unable to log in) for a configurable period of time. Warning: Enabling this leaves you open to a "denial of service" -- if an attacker issues unsuccessful login attempts often enough you will be locked out. Please consider the advantages and disadvantages of this option, in light of your security policy, before enabling it. Range: on/off Default: off
deny-on-fail failures-allowed <2-1000>	This only takes effect if set password-controls deny-on-fail enable is set to on. The number of failed login attempts that a user is allowed before being locked out. After making that many successive failed attempts, future attempts will fail. When one login attempt succeeds, counting of failed attempts stops, and the count is reset to zero, Range: 2-1000 Default: 10
deny-on-fail allow-after <60-604800>	Allow access again after a user has been locked out (due to failed login attempts). The user is allowed access after the configured time if there have been no login attempts during that time). This setting only takes effect if set password-controls deny-on-fail enable is set to on. Range: 60-604800 (seconds) Default: 1200 (20 minutes) Examples: 60 - 1 minute 300 - 5 minutes 3600 - 1 hour 86400 - 1 day 604800 - 1 week
deny-on-fail failures-allowed <2-1000>	This only takes effect if set password-controls deny-on-fail enable is set to on. The number of failed login attempts that a user is allowed before being locked out. After making that many successive failed attempts, future attempts will fail. When one login attempt succeeds, counting of failed attempts stops, and the count is reset to zero, Range: 2-1000 Default: 10

Monitoring Password Policy

Use these commands to view password Policy configuration

show password-controls all complexity deny-on-fail allow-after deny-on-fail enable deny-on-fail failures-allowed deny-on-nonuse allowed-days deny-on-nonuse enable expiration-lockout-days expiration-warning-days force-change-when history-checking history-length min-password-length palindrome-check password-expiration

Example

clish> show password-controls all Password Strength Minimum Password Length 6 Password Complexity 2 Password Palindrome Check on Password History Password History Checking off Password History Length 10 Mandatory Password Change Password Expiration Lifetime 5 Password Expiration Warning Days 8 Password Expiration Lockout Days never Force Password Change When no Configuration Deny Access to Unused Accounts Deny Access to Unused Accounts off Days Nonuse Before Lockout 365

Authentication Servers

You can configure Gaia to authenticate Gaia users even when they are not defined locally. This is a good way of centrally managing the credentials of multiple Security Gateways. To define non-local Gaia users, you define Gaia as a client of an authentication server.

Gaia supports these types of authentication servers:

RADIUS

RADIUS (Remote Authentication Dial-In User Service) is a client/server authentication system that supports remote-access applications. User profiles are kept in a central database on a RADIUS authentication server. Client computers or applications connect to the RADIUS server to authenticate users.

You can configure your Gaia computer to connect to more than one RADIUS server. If the first server in the list is unavailable, the next RADIUS server in the priority list connects.

TACACS

The TACACS+ (Terminal Access Controller Access Control System) authentication protocol users a remote server to authenticate users for Gaia. All information sent to the TACACS+ server is encrypted.

Gaia supports TACACS+ for authentication only. Challenge-response authentication, such as S/Key, is not supported.

You can configure TACACS+ support separately for different services. The Gaia WebUI service is one of those for which TACACS+ is supported and is configured as the http service. When TACACS+ is configured for use with a service, Gaia contacts the TACACS+ server each time it needs to examine a user password. If the server fails or is unreachable, the user is authenticated via local password mechanism. If the user fails to authenticate via the local mechanism, the user is not allowed access.

Configuring RADIUS Servers - WebUI

To configure a RADIUS server:

1. In the tree view, click User Management > Authentication Servers.
2. In the RADIUS Servers section, click Add.
3. In the Add New RADIUS Server window, enter or select a Priority value.

   The RADIUS server priority is an integer between 0 and 999 (default=0). When there two or more RADIUS servers, Gaia connects to the server with the highest priority. Low numbers have the higher priority.

4. In the Host field, enter the RADIUS server host name or IP address.

   Note - IPv6 addresses are not supported for RADIUS servers.

5. In the UDP Port field, enter the RADIUS server UDP port. The default port is 1812 as specified by the RADIUS standard. The range of valid port numbers is 1 to 65535.

   Warning - Firewall software frequently blocks traffic on port 1812. Make sure that you define a firewall rule to allow port 1812 traffic between the RADIUS server and Gaia.

6. In the Shared secret field, enter the shared secret used for authentication between the authentication server and the Gaia client. Enter the shared secret text string without a backslash. Make sure that the shared string defined on the Gaia client matches that which is defined on the authentication server.

   Some RADIUS servers have a maximum shared secret string length of 15 or 16 characters. See the documentation for your RADIUS server.

7. In Timeout in Seconds (optional), enter the timeout period in seconds. The default value is 3. If there is no response after the timeout period, Gaia tries to connect to a different server.
8. Click OK.

To edit a RADIUS server:

1. In the tree view, click User Management > Authentication Servers.
2. Select a RADIUS server.
3. Click Edit.

   The Edit RADIUS Server window opens.

4. You can edit the Host name, UDP port number, Shared secret, or the Timeout. You cannot change the Priority value.
5. Click OK.

To delete a RADIUS server:

1. In the tree view, click User Management > Authentication Servers.
2. Select a RADIUS server from the table.
3. Click Delete.

   The Remove RADIUS Server window opens.

4. Click OK to confirm.

Configuring RADIUS Servers - CLI (aaa)

Description

Use the aaa radius-servers commands to add, configure, and delete Radius authentication servers.

Syntax

To configure RADIUS for use in a single authentication profile:

add aaa radius-servers priority VALUE host VALUE [ port VALUE ] prompt-secret timeout VALUE

add aaa radius-servers priority VALUE host VALUE [ port VALUE ] secret VALUE timeout VALUE

To delete a RADIUS configuration:

delete aaa radius-servers priority VALUE

To change the configuration of a RADIUS entry:

set aaa radius-servers priority VALUE host VALUE

set aaa radius-servers priority VALUE new-priority VALUE

set aaa radius-servers priority VALUE port VALUE

set aaa radius-servers priority VALUE prompt-secret

set aaa radius-servers priority VALUE secret VALUE

set aaa radius-servers priority VALUE timeout VALUE

To view a list of all servers associated with an authentication profile:

show aaa radius-servers list

To view the RADIUS server configuration:

show aaa radius-servers priority VALUE host

show aaa radius-servers priority VALUE port

show aaa radius-servers priority VALUE timeout

Parameters

Parameter	Description
priority	The RADIUS server priority is an integer between 0 and 999 (default=0). When there two or more RADIUS servers, Gaia connects to the server with the highest priority. Low numbers have the higher priority.
new-priority	The priority of the new RADIUS server
host	RADIUS server IP address in dot‑delimited format.
port	UDP port on the RADIUS server. This value must match the port as configured on the RADIUS server. Typically this 1812 (default) or 1645 (non-standard but a commonly used alternative).
prompt secret	Shared secret (password) text string. The system prompts you to enter the value.
timeout	The number of seconds to wait for the server to respond. The default value 3 seconds.
secret	The shared secret used to authenticate the RADIUS server and the local client. You must define this value on your RADIUS server.

Example

show aaa radius-servers priority 1 host

Configuring RADIUS Servers for Non-Local Users

Non-local users can be defined on a RADIUS server and not in Gaia. When a non-local user logs in to Gaia, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.

Note - If you define a RADIUS user with a null password (on the RADIUS server), Gaia cannot authenticate that user.

Configuring TACACS+ Servers - WebUI

To configure a TACACS+ server:

1. In the tree view, click User Management > Authentication Servers.
2. In the TACACS+ Server section:
   • IPv4 Address: The TACACS+ server IPv4 address.
   • Password: The shared secret used for authentication between the authentication server and the Gaia client. Enter the shared secret text string without a backslash. Make sure that the shared string defined on the Gaia client matches that which is defined on the authentication server.
3. Click Apply.

Configuring TACACS+ Servers - CLI (aaa)

Description	Use the aaa tacacs-servers commands to configure one or more TACACS authentication servers.
Syntax	To change the configuration of a TACACS+ server entry: set aaa tacacs-servers authentication server VALUE key VALUE set aaa tacacs-servers authentication state On|off To see a list of all TACACS+ servers show aaa tacacs-servers
Parameters	Parameter Description server VALUE The TACACS+ server IPv4 address. key VALUE The shared secret used for authentication between the authentication server and the Gaia client. Enter the shared secret text string without a backslash. Make sure that the shared string defined on the Gaia client matches that which is defined on the authentication server. state On|Off On - Enable TACACS+ authentication Off - Disable TACACS+ authentication
Example	set aaa tacacs-servers authentication server 10.10.10.99 key MySharedSecretKey

Configuring TACACS+ Servers for Non-Local Users

Non-local Gaia users can be defined on a TACACS server and not in Gaia. When a non-local user logs in to Gaia, the TACACS server authenticates the user and assigns the applicable permissions. You must configure the TACACS server to correctly authenticate and authorize non-local Gaia users.

Note - If you define a TACACS user with a null password (on the TACACS server), Gaia cannot authenticate that user.

System Groups

You can define and configure groups with Gaia as you can with equivalent Linux‑based systems. This function is retained in Gaia for advanced applications and for retaining compatibility with Linux.

Use groups for these purposes:

• Specify Linux file permissions.
• Control who can log in through SSH.

For other functions that are related to groups, use the role‑based administration feature, described in "Role-Based Administration".

All users are assigned by default to the users group. You can edit a user’s primary group ID (using clish) to be something other than the default. However, you can still add the user to the users group. The list of members of the users group includes only users who are explicitly added to the group. The list of does not include users added by default.

Configuring System Groups - WebUI

To see a list of all groups:

Choose User Management > System Groups in the navigation tree.

To add a group:

1. In the User Management > System Groups page, click Add.
2. Enter the Group Name. 1-8 alphanumeric characters.
3. Enter a Group ID number.

   Group ID ranges 0-99 and 65531-65535 are reserved for system use. (GID 0 is reserved for users with root permissions and GID 10 is reserved for the predefined Users groups). If you specify a value in the reserved ranges, an error message is displayed.

4. Click OK.

To add a member to a group:

1. In the User Management > System Groups page, select a group.
2. Click Edit.
3. Click Add New Member.
4. Select a user.
5. Click OK.

To delete a member from a group:

1. In the User Management > System Groups page, select the group.
2. Click Edit.
3. Select the member
4. Click Remove Member
5. Click OK

To delete a group:

1. In the User Management > System Groups page, select the group.
2. Click Delete.
3. Click OK.

Configuring System Groups - CLI (group)

Description	The commands in this section allow you to manage groups.
Syntax	To view existing group members: show group VALUE To see existing groups: show groups To set the Group ID: set group VALUE gid VALUE To add a group or a group member: add group VALUE gid VALUE add group VALUE member VALUE To delete a group or a group member delete group VALUE member VALUE
Parameters	Parameter Description group VALUE Name of group. 1-8 alphanumeric characters, Must be unique on your system. gid VALUE Numeric Group ID. Must be unique on your system. Note - Group ID ranges 0-99 and 65531-65535 are reserved for system use. (GID 0 is reserved for users with root permissions and GID 10 is reserved for the predefined Users groups). If you specify a value in the reserved ranges, an error message is displayed. member VALUE Name of an existing user. For example, admin or monitor.

GUI Clients

GUI Clients are trusted hosts from which Administrators are allowed to log in to the Security Management server.

Security Management GUI Clients - WebUI

Define which GUI clients (SmartConsoles) can connect to the Security Management server.

To configure the GUI clients:

1. In the tree view, click User Management > Gui Clients.
2. Click Add.

   The Add GUI Client window opens.

3. Define the GUI clients (trusted hosts). These are the values:
   • Any.

     All clients are allowed to log in, regardless of their IP address. This option only shows if ANY was not defined during the initial configuration.

   • An IP address
   • A network
   • A range of addresses

     Note - GUI clients can be deleted on the User Management > GUI Clients page.

GUI Clients - CLI (cpconfig)

1. Run: cpconfig.

   A list of configuration options shows. For example:

Configuration Options: ---------------------- (1) Licenses and contracts (2) Administrator (3) GUI Clients (4) SNMP Extension (5) PKCS#11 Token (6) Random Pool (7) Certificate Authority (8) Certificate's Fingerprint (9) Disable Check Point SecureXL (10) Configure Check Point CoreXL (11) Automatic start of Check Point Products

1. Enter 3.
2. A list of hosts selected to be GUI clients shows.

   You can add or delete hosts, or create a new list.

   New GUI clients can be added using these formats:

   • IP address.
   • Machine name.
   • "Any" - Any IP without restriction.
   • IP/Netmask - A range of addresses, for example 192.0.2.0/255.255.255.0
   • A range of addresses - for example 192.0.2.10-192.0.2.16
   • Wild cards (IP only) - for example 192.0.2.*