topic Re: gaia api access for tacacs users in API / CLI Discussion

gaia api access for tacacs users

Luis_Miguel_Mig — Thu, 28 Jul 2022 15:30:44 GMT

Hi,
is there a way to give access to the gaia api to tacacs users?

https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#api_access~v1.6%20\

Re: gaia api access for tacacs users

PhoneBoy — Thu, 28 Jul 2022 17:19:02 GMT

I assume the users are not locally defined in Gaia, correct?
That may be a requirement for this option, not entirely sure.

Re: gaia api access for tacacs users

Luis_Miguel_Mig — Fri, 29 Jul 2022 09:00:09 GMT

It was defined locally but I had to add "add rba user USER roles adminRole" and now it works.
I guess there is no equivalent api command to the cli "tacacs_enable TACP-15" command, right?

Re: gaia api access for tacacs users

Bob_Zimmerman — Fri, 29 Jul 2022 18:25:39 GMT

Yes. Define the user in clish, but don't assign a password. This allows you to add an RBA role. The role needs to include permissions for API calls, most (maybe all?) of which start with 'expert_api_'. Once the user is created and the RBA role is assigned, you need to use

gaia_api access --user <user> --enable true

as described in the link.

Linux uses a subsystem called PAM for authenticating users. With how PAM is set up on Check Point systems, local passwords are tried first, then TACACS and RADIUS. By not defining a password for the user in clish, that check fails and falls through to the central authentication options.

Re: gaia api access for tacacs users

Luis_Miguel_Mig — Fri, 29 Jul 2022 18:29:24 GMT

Yeah thanks, all works. The only think is that I would like to be able to use a non admin user for read_only type of api queries

Re: gaia api access for tacacs users

Bob_Zimmerman — Fri, 29 Jul 2022 19:07:32 GMT

add rba role ansibleRO domain-type System readonly-features expert_api_Messages,expert_api_Misc,expert_api_NTP,expert_api_aaa,expert_api_allowed-clients,expert_api_asset,expert_api_backup,expert_api_cphaprob,expert_api_cpstat,expert_api_dhcp-server,expert_api_diagnostics,expert_api_dns,expert_api_files,expert_api_ftw,expert_api_groups,expert_api_hostname,expert_api_interface,expert_api_ioc-feeder,expert_api_ipv6,expert_api_license,expert_api_lldp,expert_api_passwordcontrols,expert_api_proxy add rba role ansibleRO domain-type System readonly-features expert_api_route,expert_api_routes,expert_api_runScript,expert_api_server-status,expert_api_snapshot,expert_api_snmp,expert_api_syslog,expert_api_system,expert_api_versions ...

Re: gaia api access for tacacs users

D_W — Wed, 16 Aug 2023 14:09:55 GMT

@Bob_Zimmerman
Works like a charm!

But why is then there the option "gaia_api access -u unlocal_users -e true"?
When I try it without @Bob_Zimmerman local created user - the tacacs user logs into the API successfully with TACP-0 but cannot execute any commands. Although i added the REST API Calls to the TACP-0 Role.

The official documentation for this is not helpful 🙄 Unfortunately that's not the first time where the documentation is not answering all questions... luckily we have check mates!

Re: gaia api access for tacacs users

Hugo_vd_Kooij — Fri, 18 Aug 2023 06:40:20 GMT

Itried to see if it works for _nonlocl user .....

]# gaia_api access --user _nonlocl --enable true
Grant Access: User '_nonlocl' doesn't exist

Too bad it didn't. That would solve it all at once.