Luis_Miguel_Mig
Advisor

gaia api access for tacacs users

Hi,
is there a way to give access to the gaia api to tacacs users?

https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#api_access~v1.6

PhoneBoy
Admin

I assume the users are not locally defined in Gaia, correct?
That may be a requirement for this option, not entirely sure.

Luis_Miguel_Mig
Advisor

It was defined locally but I had to add "add rba user USER roles adminRole" and now it works.
I guess there is no equivalent API command to the CLI "tacacs_enable TACP-15" command, right?

Bob_Zimmerman
Authority

Yes. Define the user in clish, but don't assign a password. This allows you to add an RBA role. The role needs to include permissions for API calls, most (maybe all?) of which start with 'expert_api_'. Once the user is created and the RBA role is assigned, you need to use 

gaia_api access --user <user> --enable true

as described in the link.

Linux uses a subsystem called PAM for authenticating users. With how PAM is set up on Check Point systems, local passwords are tried first, then TACACS and RADIUS. By not defining a password for the user in clish, that check fails and falls through to the central authentication options.

Luis_Miguel_Mig
Advisor

Yeah thanks, all works. The only thing is that I would like to be able to use a non-admin user for read_only type of API queries.

Bob_Zimmerman
Authority
add rba role ansibleRO domain-type System readonly-features expert_api_Messages,expert_api_Misc,expert_api_NTP,expert_api_aaa,expert_api_allowed-clients,expert_api_asset,expert_api_backup,expert_api_cphaprob,expert_api_cpstat,expert_api_dhcp-server,expert_api_diagnostics,expert_api_dns,expert_api_files,expert_api_ftw,expert_api_groups,expert_api_hostname,expert_api_interface,expert_api_ioc-feeder,expert_api_ipv6,expert_api_license,expert_api_lldp,expert_api_passwordcontrols,expert_api_proxy
add rba role ansibleRO domain-type System readonly-features expert_api_route,expert_api_routes,expert_api_runScript,expert_api_server-status,expert_api_snapshot,expert_api_snmp,expert_api_syslog,expert_api_system,expert_api_versions
...
D_W
Advisor

@Bob_Zimmerman 
Works like a charm!

But why, then, is there the option "gaia_api access -u unlocal_users -e true"?
When I try it without @Bob_Zimmerman's locally created user, the TACACS user logs into the API successfully with TACP-0 but cannot execute any commands, although I added the REST API calls to the TACP-0 role.

The official documentation for this is not helpful 🙄 Unfortunately that's not the first time the documentation doesn't answer all the questions... luckily we have CheckMates!

Hugo_vd_Kooij
Advisor

I tried to see if it works for the _nonlocl user...

]# gaia_api access --user _nonlocl --enable true
Grant Access: User '_nonlocl' doesn't exist

Too bad it didn't. That would solve it all at once.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>