topic Re: mgmt_cli Only "admin" user works for authentication in API / CLI Discussion

mgmt_cli Only "admin" user works for authentication

cem82 — Tue, 15 Nov 2022 23:42:01 GMT

We're wanting to use mgmt_cli but have logs for the particular user that is making the changes for auditing. Initially tried a user that is defined in Smartconsole that has super domain admin privileges (remote auth) but get auth failed, have also tried creating a local user with the "Gaia API" ticked in Gaia Portal with adminRole selected but same thing. Only the "admin" username works - what am I missing here? Running MDM R81.10 JHF 66

Re: mgmt_cli Only "admin" user works for authentication

PhoneBoy — Wed, 16 Nov 2022 00:35:25 GMT

Try updating the Gaia API itself from here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk143612
If you're still having issues, I recommend engaging with the TAC.

Re: mgmt_cli Only "admin" user works for authentication

Bob_Zimmerman — Wed, 16 Nov 2022 15:09:47 GMT

Are you talking about the Gaia API (for managing OS-level things like routes and SNMP traps), or the management API (for managing application-level things like objects and rules)? mgmt_cli is used for the latter, but the "Gaia API" checkbox is only for the OS-level API.

If you're trying to use the management API with an MDS, you have to specify which management domain you want to login to.

Re: mgmt_cli Only "admin" user works for authentication

cem82 — Wed, 16 Nov 2022 20:55:49 GMT

This is for the mgmt API for object and rules management etc and am specifying the --domain option as we are running MDM.

I've done some further testing now, works for a test user created in Smartconsole using "Check Point password" works. For all other users we have TACACS auth and that isn't working for mgmt_cli but does for smartconsole/ssh/etc

Didn't realise the "Gaia API" was for OS level so thanks for pointing that out

Re: mgmt_cli Only "admin" user works for authentication

Bob_Zimmerman — Wed, 16 Nov 2022 22:05:01 GMT

That's odd. I use central authentication for my account, and I'm definitely able to get into my MDS via the API:

[Expert@MyMDS]# mgmt_cli -d "Global" login Username: zimmie Password: uid: "8fb1319e-b00b-4062-84b9-ee705cf053fa" sid: "8XNsNFG78VUvub477DRkzOiBY7_dB5J9fVCxmBQwetg" url: "https://127.0.0.1:443/web_api" session-timeout: 600 api-server-version: "1.8" user-name: "zimmie" user-uid: "407b754f-40c6-41c6-bee6-2a113e8c9b94" [Expert@MyMDS]# vi session.txt # Just to paste the information from above. [Expert@MyMDS]# mgmt_cli -f json -s session.txt logout { "message" : "OK" }

I'm using RADIUS rather than TACACS (because you can have admins authenticate against a RADIUS group instead of just one TACACS server), but neither RADIUS nor TACACS has any control over permissions.

Does the TACACS server show the user successfully authenticating?