CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Changing users' authentication method en masse

  1. #1
    Join Date
    2005-11-18
    Posts
    64
    Rep Power
    13

    Changing users' authentication method en masse

    We are going to be migrating from an Entrust RADIUS server to RSA SecurID for all users.
    We currently have over a thousand users, and I'm really not liking the prospect of changing all of their auth methods using a mouse. I don't think my wrist could handle it.

    Can somebody point me in the right direction on how to do this from the command line, or how I could script something like this?
    We won't be migrating all users at once, but it will probably be in chunks of 100 or so.
    A method where I could read in a file with a list of users and then have them changed to the new auth method is really what I'm after.

    Thanks for any help you can provide.

    We are currently running
    R77.30 on Gaia

  2. #2
    Join Date
    2006-09-26
    Posts
    3,055
    Rep Power
    15

    Re: Changing users' authentication method en masse

    Quote Originally Posted by phlegm (post #1)
    We are going to be migrating from an Entrust RADIUS server to RSA SecurID for all users. [...]

    I will NOT have to do anything. Like that idea, right?

    RSA SecurID also has a RADIUS module. Just enable that module and all of your RSA SecurID users will be using RADIUS servers with either hard or soft tokens. On Check Point, you just need to point to the new RSA SecurID servers.

    That's how I remember RSA SecurID working in version 6.1, about 4 years ago. I can't imagine it has changed much since.

  3. #3
    Join Date
    2005-11-18
    Posts
    64
    Rep Power
    13

    Re: Changing users' authentication method en masse

    Quote Originally Posted by cciesec2006 (post #2)
    RSA SecurID also has a RADIUS module. Just enable that module and all of your RSA SecurID users will be using RADIUS servers [...] On Check Point, you just need to point to the new RSA SecurID servers.

    Apparently they don't have this enabled, according to the admins. That being said, even if it was, I would still have to go through each user and change their auth from our current RADIUS to the new one, especially since we are not migrating all users at once. I would still be stuck with the same mouse-clicking overkill.

  4. #4
    Join Date
    2006-09-26
    Posts
    3,055
    Rep Power
    15

    Re: Changing users' authentication method en masse

    Quote Originally Posted by phlegm (post #3)
    Apparently they don't have this enabled, according to the admins. [...] I would still be stuck with the same mouse-clicking overkill.

    Open a TAC case with Check Point. Looks like you can do it via dbedit. Like everything else, have a good backup prior to performing dbedit.

  5. #5
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    103
    Rep Power
    11

    Re: Changing users' authentication method en masse

    Quote Originally Posted by phlegm (post #3)
    Apparently they don't have this enabled, according to the admins. [...] I would still be stuck with the same mouse-clicking overkill.

    Why do you have over a thousand users defined? Why not just use the generic* user?

    You should use a RADIUS group in the user objects, not an individual server. This lets you make changes to RADIUS auth in one place to avoid exactly this issue. To the best of my knowledge, that is also the only way to have redundant servers for centralized administrative authentication (you can only specify one TACACS server).

    Can you configure the old RADIUS server to not respond for specific users? If so, I would recommend putting both in a group, and migrating users from one to the other by setting which one should respond for that user. The firewalls will query both and get one response. That would let you use SecurID's RADIUS functionality as a transitional system. Once everybody is on the SecurID server, you could just flip the users from RADIUS to SecurID.
    Zimmie

  6. #6
    Join Date
    2005-11-18
    Posts
    64
    Rep Power
    13

    Re: Changing users' authentication method en masse

    Quote Originally Posted by Bob_Zimmerman (post #5)
    You should use a RADIUS group in the user objects, not an individual server. [...] Once everybody is on the SecurID server, you could just flip the users from RADIUS to SecurID.

    We do use a RADIUS group for the auth, with 2 servers in there for redundancy.
    I need to change the auth to SecurID though, so this doesn't help in any way.
    Plus, as I mentioned previously, they don't have the RADIUS ability on the RSA servers.

  7. #7
    Join Date
    2006-09-26
    Posts
    3,055
    Rep Power
    15

    Re: Changing users' authentication method en masse

    Quote Originally Posted by phlegm (post #6)
    We do use a RADIUS group for the auth, with 2 servers in there for redundancy. [...] Plus, as I mentioned previously, they don't have the RADIUS ability on the RSA servers.

    What is the reason for them NOT to enable the RADIUS function on the RSA servers? You still have two-factor authentication; it's just that you will be using UDP 1645/1812 instead of UDP 5500. Otherwise you need to have the sdconf.rec file and stop/start the management servers and gateways. With RADIUS servers, you do NOT.

    The only downside to RADIUS that I can think of is that your username will be transmitted over the wire in clear text.

  8. #8
    Join Date
    2005-11-18
    Posts
    64
    Rep Power
    13

    Re: Changing users' authentication method en masse

    Quote Originally Posted by cciesec2006 (post #7)
    What is the reason for them NOT to enable the RADIUS function on the RSA servers? [...] The only downside to RADIUS that I can think of is that your username will be transmitted over the wire in clear text.

    They already have tens of thousands of users connecting and are not going to change it just so I can get on board, with possible impact to other users.
    I am the one expected to conform to their standard, since I'm the little guy in this scenario.
    Sucks, but that's the way it is.

  9. #9
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,480
    Rep Power
    8

    Re: Changing users' authentication method en masse

    Damn it man, save those wrists!

    Step 1 - restore backups into a lab that has working RADIUS and SecurID
    Step 2 - dump the user database
        # if P1 (Provider-1), don't forget to mdsenv into said CMA
        fwm dbexport -f users.txt
    Step 5 (3 sir, 3!) - pick a user
    Step 6 - run GuiDBedit - hit the MGMT/CMA IP.
        Check out the users table - find said user.
    Step 7 - look over dbedit. Seems like the field you want to change is 'auth_method'
    Step 8 - find the dbedit command to modify said user
        Maybe..

        modify users Dave auth_method SecurID

    Step 9 - find out step 6 is possibly wrong
    Step 10 - find out step 7 was possibly wrong and test with RSA
    Step 11 - use the force to generate a for loop that reads over your user output file

    Side note: not sure if you want to revert the RADIUS servers back to default, or if that is even needed or possible.
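
    Putting steps 2, 8 and 11 of the post above together, as an added example that is not from the thread, from Check Point, or from any of the posters: a POSIX shell script that turns a plain list of user names (one per line, pulled from your fwm dbexport output or from the migration roster) into a dbedit batch file and applies it one chunk at a time on the management server. The table name `users`, the field `auth_method` and the value `SecurID` are assumptions carried over from the post and must be confirmed in GuiDBedit on the lab copy first; `dbedit -local -f`, `modify`, `update`, `savedb` and `quit` are standard dbedit batch syntax. Take a backup before running it (post #4), run it with no SmartDashboard session holding the database lock, and on Provider-1 do `mdsenv <CMA>` first.

```shell
#!/bin/sh
# Added example (not from the thread): batch-change the authentication method
# of Check Point user objects with dbedit, driven by a plain list of user names.
#
# Assumptions, to be confirmed in GuiDBedit before production use:
#   - user objects live in table 'users' and the field is 'auth_method'
#   - the value that selects RSA SecurID authentication is 'SecurID'
# dbedit syntax used: modify <table> <object> <field> <value>, update <table> <object>,
# savedb, quit; applied with 'dbedit -local -f <file>' on the SMS/CMA.

TABLE="users"
FIELD="auth_method"
NEW_VALUE="${NEW_VALUE:-SecurID}"

# Print dbedit commands for every user in the list file $1 (one name per line).
# Blank lines and '#' comments are skipped. Names containing anything outside a
# conservative character set are skipped too (reported on stderr), because each
# name lands unquoted on a dbedit command line and a stray line such as
# "x; delete users admin" must not turn into a different command.
gen_dbedit_script() {
  list="$1"
  while IFS= read -r user || [ -n "$user" ]; do
    case "$user" in
      ''|'#'*) continue ;;
      *[!A-Za-z0-9._@-]*)
        printf 'skipped, unsafe name: %s\n' "$user" >&2
        continue ;;
    esac
    printf 'modify %s %s %s %s\n' "$TABLE" "$user" "$FIELD" "$NEW_VALUE"
    printf 'update %s %s\n' "$TABLE" "$user"
  done < "$list"
  printf 'savedb\nquit\n'
}

# Write the batch file for one chunk and, only when RUN_DBEDIT=1, apply it.
# Prints the batch file path so the operator can read it before applying.
migrate_chunk() {
  list="$1"
  script="${list}.dbedit"
  gen_dbedit_script "$list" > "$script"
  if [ "${RUN_DBEDIT:-0}" = "1" ]; then
    dbedit -local -f "$script" > "${script}.log" 2>&1 || {
      echo "dbedit failed for $list, see ${script}.log" >&2
      return 1
    }
  fi
  printf '%s\n' "$script"
}

# Typical use: split the full roster into chunks of 100 and apply one at a time,
# stopping at the first failure so a bad chunk can be inspected.
#   split -l 100 all_users.txt chunk_
#   for f in chunk_*; do RUN_DBEDIT=1 migrate_chunk "$f" || break; done
```

    Generate first and read the output (`gen_dbedit_script chunk_aa > chunk_aa.dbedit`), check a handful of users in GuiDBedit, and only then set RUN_DBEDIT=1. After each chunk, re-run `fwm dbexport` and diff against the pre-change export to confirm that only auth_method moved, then install the database so the gateways pick up the new user definitions.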

  10. #10
    Join Date
    2005-11-18
    Posts
    64
    Rep Power
    13

    Re: Changing users' authentication method en masse

    Quote Originally Posted by jflemingeds (post #9)
    Damn it man, save those wrists! [...] Step 11 - use the force to generate a for loop that reads over your user output file

    Thank you, kind sir. This is the start I was looking for.

  11. #11
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,480
    Rep Power
    8

    Re: Changing users' authentication method en masse

    Quote Originally Posted by phlegm (post #10)
    Thank you, kind sir. This is the start I was looking for.

    Be sure to report back how things go.
