© Spikefish Solutions Inc. All Rights Reserved

John Ejaife

Disabling Local Authentication on Check Point Firewall while RADIUS is Operational

Updated: Mar 25

In this blog we will explain how to restrict logins to RADIUS accounts only while the RADIUS server is operational, and fall back to local authentication when the RADIUS server is not reachable. It is assumed that RADIUS authentication using Cisco ISE has been configured as described in our previous blog.


1. Connect to the firewall via SSH (in our lab topology, it is 10.1.18.102)


2. Enter Expert mode.


3. Edit the file /etc/pam.d/system-auth :

[Expert@hostname:0]#vi /etc/pam.d/system-auth


4. Replace the following line:

auth [success=done new_authtok_reqd=done auth_err=ignore perm_denied=ignore conv_err=die default=ignore] pam_radius_auth.so

with:

auth [success=done new_authtok_reqd=done auth_err=die perm_denied=die conv_err=die default=ignore] pam_radius_auth.so

Note that 'auth_err' and 'perm_denied' are both changed from 'ignore' to 'die'. With 'ignore', a RADIUS rejection (wrong password or access denied) did not count and authentication fell through to the local password modules, so a user rejected by RADIUS could still log in with a local account. With 'die', a RADIUS rejection ends the authentication stack immediately. A RADIUS server that does not respond returns a different code that is not listed in the control field, so it still matches 'default=ignore' and the fallback to local authentication described above is preserved.


5. Save the file and exit.
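To see why only those two actions need to change, the following added example (not Check Point's code or from the original post) parses the two control fields above and simulates how Linux-PAM walks the auth stack. The local fallback module and the return-code names are assumptions for illustration; an unresponsive RADIUS server is represented by 'authinfo_unavail', which is simply any code not listed in the control field.

```python
"""Simulate Linux-PAM evaluation of the bracketed control field on the
pam_radius_auth.so line, before and after the change described above.
Assumptions: a single local module (standing in for the rest of
system-auth) follows the RADIUS module, and an unreachable server
yields a return code that is not listed in the control field."""

# PAM return-code names used in this simulation.
SUCCESS, AUTH_ERR, PERM_DENIED, AUTHINFO_UNAVAIL = (
    "success", "auth_err", "perm_denied", "authinfo_unavail")


def parse_control(field: str) -> dict:
    """Turn '[success=done auth_err=ignore ...]' into {retcode: action}."""
    body = field.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a bracketed PAM control field")
    return dict(token.split("=", 1) for token in body[1:-1].split())


# The two control fields exactly as they appear in the instructions.
BEFORE = parse_control("[success=done new_authtok_reqd=done auth_err=ignore "
                       "perm_denied=ignore conv_err=die default=ignore]")
AFTER = parse_control("[success=done new_authtok_reqd=done auth_err=die "
                      "perm_denied=die conv_err=die default=ignore]")


def run_auth_stack(radius_control: dict, radius_result: str,
                   local_result: str) -> str:
    """Walk a two-module auth stack: pam_radius_auth.so with the given
    control field, then an assumed 'required' local password module.
    Returns 'allow' or 'deny'."""
    action = radius_control.get(radius_result, radius_control["default"])
    if action in ("done", "ok"):
        # RADIUS accepted the user; 'done' stops the stack with success.
        return "allow"
    if action in ("die", "bad"):
        # RADIUS rejected the user; 'die' stops the stack with failure.
        return "deny"
    # 'ignore': the RADIUS verdict does not count, fall through to local auth.
    return "allow" if local_result == SUCCESS else "deny"
```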
